Most individuals who function DDoS-for-hire companies try to cover their true identities and site. Proprietors of those so-called “booter” or “stresser” providers — designed to knock web sites and customers offline — have lengthy operated in a legally murky space of cybercrime legislation. But till not too long ago, their largest concern wasn’t avoiding seize or shutdown by the feds: It was minimizing harassment from sad prospects or victims, and insulating themselves towards incessant assaults from competing DDoS-for-hire providers.
And then there are booter retailer operators like John Dobbs, a 32-year-old pc science graduate pupil dwelling in Honolulu, Hawaii. For at the least a decade till late final 12 months, Dobbs brazenly operated IPStresser[.]com, a well-liked and highly effective attack-for-hire service that he registered with the state of Hawaii utilizing his actual identify and tackle. Likewise, the area was registered in Dobbs’s identify and hometown in Pennsylvania.
Dobbs, in an undated photograph from his Github profile. Image: john-dobbs.github.io
The solely work expertise Dobbs listed on his resume was as a contract developer from 2013 to the current day. Dobbs’s resume doesn’t identify his booter service, however in it he brags about sustaining web sites with half 1,000,000 web page views every day, and “designing server deployments for performance, high-availability and security.”
In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser web site and charged him with one rely of aiding and abetting pc intrusions. Prosecutors say his service attracted greater than two million registered customers, and was answerable for launching a staggering 30 million distinct DDoS assaults.
The authorities seized four-dozen booter domains, and criminally charged Dobbs and 5 different U.S. males for allegedly working stresser providers. This was the Justice Department’s second such mass takedown focusing on DDoS-for-hire providers and their accused operators. In 2018, the feds seized 15 stresser websites, and levied cybercrime fees towards three males for his or her operation of booter providers.
Dobbs’s booter service, IPStresser, in June 2020. Image: archive.org.
Many accused stresser web site operators have pleaded responsible over time after being hit with federal legal fees. But the federal government’s core declare — that working a booter web site is a violation of U.S. pc crime legal guidelines — wasn’t correctly examined within the courts till September 2021.
That was when a jury handed down a responsible verdict towards Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged within the authorities’s first 2018 mass booter bust-up. Despite admitting to FBI brokers that he ran two booter providers (and turning over loads of incriminating proof within the course of), Gatrel opted to take his case to trial, defended all the time by court-appointed attorneys.
Prosecutors mentioned Gatrel’s booter providers — downthem[.]org and ampnode[.]com — helped some 2,000 paying prospects launch debilitating digital assaults on greater than 20,000 targets, together with many authorities, banking, college and gaming web sites.
Gatrel was convicted on all three fees of violating the Computer Fraud and Abuse Act, together with conspiracy to commit unauthorized impairment of a protected pc, conspiracy to commit wire fraud, and unauthorized impairment of a protected pc. He was sentenced to 2 years in jail.
Now, it seems Dobbs can be planning to take his possibilities with a jury. On Jan. 4, Dobbs entered a plea of not responsible. Neither Dobbs nor his court-appointed legal professional responded to requests for remark.
But because it occurs, Dobbs himself supplied some perspective on his considering in an e mail change with KrebsOnSecurity again in 2020. I’d reached out to Dobbs as a result of it was apparent he didn’t thoughts if individuals knew he operated one of many world’s hottest DDoS-for-hire websites, and I used to be genuinely curious why he was so unafraid of getting raided by the feds.
“Yes, I am the owner of the domain you listed, however you are not authorized to post an article containing said domain name, my name or this email address without my prior written permission,” Dobbs replied to my preliminary outreach on March 10, 2020 utilizing his e mail tackle from the University of Hawaii at Manoa.
A couple of hours later, I obtained extra strident directions from Dobbs, this time through his official e mail tackle at ipstresser[.]com.
“I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address,” Dobbs wrote, as if taking dictation from a lawyer who doesn’t perceive how the media works.
When pressed for particulars on his enterprise, Dobbs replied that the variety of IPStresser prospects was “privileged information,” and mentioned he didn’t even promote the service. When requested whether or not he was involved that a lot of his opponents have been by then serving jail time for working related booter providers, Dobbs maintained that the best way he’d arrange the enterprise insulated him from any legal responsibility.
“I have been aware of the recent law enforcement actions against other operators of stress testing services,” Dobbs defined. “I cannot speak to the actions of these other services, but we take proactive measures to prevent misuse of our service and we work with law enforcement agencies regarding any reported abuse of our service.”
What have been these proactive measures? In a 2015 interview with ZDNet France, Dobbs asserted that he was immune from legal responsibility as a result of his shoppers all needed to submit a digital signature testifying that they wouldn’t use the positioning for unlawful functions.
“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs instructed ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”
Dobbs instructed KrebsOnSecurity his service didn’t generate a lot of a revenue, however moderately that he was motivated by “filling a legitimate need.”
“My reason for offering the service is to provide the ability to test network security measures before someone with malicious intent attacks said network and causes downtime,” he mentioned. “Sure, some people see only the negatives, but there is a long list of companies I have worked with over the years who would say my service is a godsend and has helped them prevent tens of thousands of dollars in downtime resulting from a malicious attack.”
“I do not believe that providing such a service is illegal, assuming proper due diligence to prevent malicious use of the service, as is the case for IPstresser[.]com,” Dobbs continued. “Someone using such a service to conduct unauthorized testing is illegal in many countries, however, the legal liability is that of the user, not of the service provider.”
Dobbs’s profile on GitHub consists of extra of his concepts about his work, together with a curious piece on “software engineering ethics.” In his January 2020 treatise “My Software Engineering Journey,” Dobbs laments that nothing in his formal training ready him for the truth that an excessive amount of his work could be so tedious and repetitive (this tracks carefully with a 2020 piece right here known as Career Choice Tip: Cybercrime is Mostly Boring).
“One area of software engineering that I think should be covered more in university classes is maintenance,” Dobbs wrote. “Projects are often worked on for at most a few months, and students do not experience the maintenance aspect of software engineering until they reach the workplace. Let’s face it, ongoing maintenance of a project is boring; there is nothing like the euphoria of completing a project you have been working on for months and releasing it to the world, but I would say that half of my professional career has been related to maintenance.”
Allison Nixon is chief analysis officer on the New York-based cybersecurity agency Unit 221B. Nixon is a part of a small group of researchers who’ve been carefully monitoring the DDoS-for-hire trade for years, and she or he mentioned Dobbs’s declare that what he’s doing is authorized is sensible on condition that it took years for the federal government to acknowledge the scale of the issue.
“These guys are arguing that their services are legal because for a long time nothing happened to them,” Nixon mentioned. “It’s difficult to argue something is illegal if no one has ever been arrested for it before.”
Nixon says the federal government’s battle towards the booter providers — and by extension different sorts of cybercrimes — is hampered by a authorized system that usually takes years to cycle via cybercrime instances.
“With cybercrime, the cycle between the crime and investigation and arrest can often take a year or more, and that’s for a really fast case,” Nixon mentioned. “If someone robbed a store, we’d expect a police response within a few minutes. If someone robs a bank’s website, there might be some indication of police activity within a year.”
Nixon praised the 2022 and 2018 booter takedown operations as “huge steps forward,” however added that “there need to be more of them, and faster.”
“This time lag is part of the reason it’s so difficult to shut down the pipeline of new talent going into cybercrime,” she mentioned. “They think what they’re doing is legal because nothing has happened, and because of the amount of time it takes to shut these things down. And it’s really a big problem, where we see a lot of people becoming criminals on the basis that what they’re doing isn’t really illegal because the cops won’t do anything.”
In December 2020, Dobbs filed an utility with the state of Hawaii to withdraw IP Stresser Inc. from its roster of lively corporations. But in line with prosecutors, Dobbs would proceed to function his DDoS-for-hire web site till at the least November 2022.
Two months after our 2020 e mail interview, Dobbs would earn his second bachelor’s diploma (in pc science; his resume says he earned a bachelor’s in civil engineering from Drexel University in 2013). The federal fees towards Dobbs got here simply as he was making ready to enter his closing semester towards a grasp’s diploma in pc science on the University of Hawaii.
Nixon says she has a message for anybody concerned in working a DDoS-for-hire service.
“Unless you are verifying that the target owns the infrastructure you’re targeting, there is no legal way to operate a DDoS-for-hire service,” she mentioned. “There is no Terms of Service you could put on the site that would somehow make it legal.”
And her message to the purchasers of these booter providers? It’s a compelling one to ponder, notably now that investigators within the United States, U.Ok. and elsewhere have began going after booter service prospects.
“When a booter service claims they don’t share logs, they’re lying because logs are legal leverage for when the booter service operator gets arrested,” Nixon mentioned. “And when they do, you’re going to be the first people they throw under the bus.”