EVERYTHING about Booters (and CloudFlare)

Thu Jul 28 16:27:52 UTC 2016

They don't discriminate, anyone can be a customer
https://www.youtube.com/watch?v=T4GfoSZ_sDc

great quote from the reporter "why do you need a court order to do the
right thing?"

On Thu, Jul 28, 2016 at 12:20 PM, Phil Rosenthal <pr at isprime.com> wrote:

> Keep in mind also, the victims of these DDoS attacks do not know which
> "booter" service was paid to attack them. The packets do not have "Stress
> test provided by vBooter" in them. The attack packets do not come from the
> booter's or Cloudflare's IP addresses, they come from secondary victims --
> compromised servers, PC's infected with malware, and abused DNS/NTP [and a
> few other protocols] reflectors.
>
> It is impossible for a victim to submit a complaint to Cloudflare stating
> "I was attacked by someone paying vBooter", because they do not know which
> of the numerous "booter" services was responsible.
>
> -Phil
> > On Jul 28, 2016, at 12:12 PM, Naslund, Steve <SNaslund at medline.com>
> wrote:
> >
> > Miles is right.  Their thinly veiled "stress tester" thing is not going
> to be much of a defense.  They must not have very good legal counsel.  Here
> is the issue.  Stress testing is perfectly legal as long as I am:
> >
> >       a) Stress testing my own stuff
> >       b) Stress testing your stuff WITH YOUR CONSENT
> >
> > Selling a product or service that is unsafe can lead to serious civil
> consequences.  For example, I sell you roach killer and don't warn you that
> it will also kill every other living thing in your home, I am going to get
> sued and lose badly.
> >
> > Let's say I am running a demolition company that offers to knock down
> any house for a price.  Don't you think I have a responsibility to verify
> that you own the house you just asked me to knock down?   (by the way, this
> has happened in the real world -wrong address on paperwork- and the
> demolition company was held liable) Obviously I have that responsibility
> and obviously the same rules would apply to any service that can
> potentially damage someone's property.
> >
> > Steven Naslund
> > Chicago IL
> >
> >> Let's see:
> >>
> >> Vbooter (on their home page) claims:
> >> "#1 FREE WEBBASED SERVER STRESSER"
> >> "Using vBooter you can take down home internet connections, websites
> and game servers such us Minecraft, XBOX Live, PSN and many more."
> >> "You don't have to pay anything in order to use this stresser! In
> addition there are NO limits if you are a free user."
> >
> >> So they're advertising a free service that explicitly offers DDoS
> capabilities.
> >
> >> Now - with the caveat that I'm not a lawyer, and I'm talking from a US
> perspective only - as a sometimes hosting provider who pays attention to
> our legal liabilities, and >who's had one of our boxes compromised and used
> to vector a DDoS against a gaming site....
> >
> >> 1.  DDoS is clearly illegal under multiple statutes - most notably the
> Computer Fraud and Abuse Act - see
> https://www.justice.gov/sites/default/files/criminal-
> >ccips/legacy/2015/01/14/ccmanual.pdf
> >> - for a Justice Dept. memo on "Prosecuting Computer Crimes."  When
> coupled with threats, requests for payoffs, etc. - it expands into lots of
> other crimes (e.g., >extortion).  And that's before one starts attacking
> Government-owned computer systems.
> >>
> >> 2. One might infer that, while "stress testing" is a legitimate and
> useful service - under specific circumstances, vBooter's tools might also
> fall under laws regarding >being an accomplice to a criminal act, aiding &
> abetting, "burglar's tools," etc., and more generally "creating a public
> nuisance."
> >>
> >> 3. There are also various (mostly state) laws against the sale of
> burglar's tools (e.g., sale of a lockpick to someone who's not a
> professional locksmith).  I expect some >of those laws might apply.
> >>
> >> 4. All of those certainly could be applied to vBooter.org.  Whether
> Cloudflare is liable for anything would seem to depend on whether
> Cloudflare is complicit in the use >of vBooter's use for criminal purposes,
> or promoting it's use therefore.  Hosting would certainly fall into that
> category - and while, I have no direct knowledge that >Cloudflare hosts
> vBooter, they do provide nameservice, and their web server's IP address is
> in a network block registered to Cloudflare - that would seem to establish
> >complicity.  Now if Cloudflare were to actively suggest that folks use
> vBooter to test systems, as a way to boost sales for Cloudflare - that
> would certainly be an >interesting test case for RICO (akin to McAfee
> encouraging folks to write and release viruses).
> >>
> >> As to whether "Nothing is going to happen" - I expect something WILL
> happen, when somebody big, with a good legal department, gets hit by a
> really damaging DDoS attack, >and starts looking for some deep pockets to
> sue.  Or, if somebody attacks the wrong Government computer and the FBI, or
> DoD, or DHS get ticked off.
> >>
> >> It will make for very good theater - at least for anyone not directly
> in the cross-hairs.
> >>
> >> Miles Fidelman
> >
>
>