Hacked - DDOS For Hire
Episode Date: January 28, 2020
Welcome Back! Jordan Bloemen & Scott Francis Winder discuss Distributed Denial of Service (DDOS) attacks. If you like the show and want to make sure we can keep making it, please subscribe and if you ...can visit https://www.patreon.com/hackedpodcast and show us some love. Also - don't forget to check out our great sponsors: Linode: Get 20% by going to www.linode.com/hacked or use the promo code: hacked2020 at www.linode.com Thinkst Canary: Check them out at https://canary.tools
Transcript
So we probably owe you an explanation.
But before we get to that, here's a story.
It's November 3rd, 2016, and you're sitting in a cafe in Monrovia, capital of Liberia.
It's around the last time an episode of Hacked went up.
If you're a Liberian and you're online, you're probably using one of two networks, Lone Star or Cellcom.
Statistically, you're on Lone Star.
So November 3rd, in Monrovia, when it's still warm,
but the winter rains have turned the market to mud,
as you sit in a plastic chair at the edge of that restaurant
and you look down at your smartphone
and you've got no signal. What the heck is going on?
And as you look up from your phone at the wash of umbrellas
and taxis and corrugated tin roofs,
you pretty quickly figure out that you're not the only one.
No matter what network you are connected to
or what device you are using, the internet has gone off
for everyone,
all at once. The river of data
has stopped flowing to an entire country.
The whole thing, from Voinjama to Harper, is offline.
And if we want to understand why,
we need to hop on a plane and take the breezy 13-hour flight to China.
Not because the culprits were Chinese,
were tied to the Chinese government,
or even living in China.
Because on that rainy afternoon in November,
moments before all of Liberia's internet flickered out of operation,
all at once,
thousands upon thousands of cheaply made security
cameras and Wi-Fi routers and Internet of Things accessories all over China turned
in unison towards the country of Liberia and shut it all down, like plugging in a million
blenders and turning them on at the same time so the breaker blows on the entire neighborhood,
except the neighborhood is the internet of a country with 5 million people living in it.
This is called a DDoS attack, and if you know what that is, you might rightly be wondering why,
two years after it happened, three years since we've posted an episode. This is what we're talking about.
You see, DDoS attacks are actually pretty common. We are talking about it because this attack,
this blow to the national infrastructure of a country that brought down a core utility,
was cheap. Not just because it came from within Liberia's own borders, not because last year
they finally charged the guy who did it.
But because an act of internationally coordinated corporate sabotage
cost the person responsible less than the price of a used car.
This is DDoS for hire on this very special episode of Hacked.
It's been a while.
Has been a while.
It's been a little while.
It's been a minute.
So what happened?
Where'd we go?
We haven't gone anywhere, actually.
We've been right here in the same room.
Wow, we've moved 60 linear feet from where the old recording studio used to be
to the new recording studio.
That took three years.
It took us a long time.
So we stopped making episodes because
we were focusing on trying to get a show made.
And we didn't get a show made.
It didn't get made.
But we did make a documentary.
We did.
It's nothing to do with computer technology and Infosec.
No.
But we got demotivated.
And we got remotivated.
And we went and did a bunch of other stuff.
And I got to just jump in and say that
I really appreciate all of the fan mail.
It really makes us remember that people actually liked this show
and it was a worthwhile investment of our time.
Yeah, those messages, every single time we get one,
it would be the first thing we would talk about
when we came into work, we worked together.
And we didn't always reply,
but we always kept thinking about hacked.
We never forgot you.
So here's what we're going to do.
Moving forward, we're going to be putting out one episode
on the last Tuesday of every month.
And we're also going to be launching a Patreon.
You can find us there at patreon.com slash hacked podcast.
Our first goal on that Patreon is going to be to double that production schedule to two episodes per month.
We're doing all of that stuff, Patreon and ads, because the reality is that we have bills to pay and jobs that tend to pull us away from doing this show at the quality level that we want to do it at.
And we want to do it right.
So if you're still listening, all this time later, thank you.
And we hope you'll stick around just a little bit longer.
On with the episode.
Tonight, the financial and banking industry is on high alert, as a massive cyber attack remains underway.
Cyber warfare, the most extensive attack on American banks ever.
There is an elevated level of threat.
The threat is now high.
Sources tell ABC News it's a denial of service attack, where hackers from the Middle East have secretly commandeered thousands of computers worldwide.
Those computers or zombies have overwhelmed bank websites with a barrage of election.
That was ABC Nightly News coverage of a 2012 DDoS attack.
Scott, as a reminder, what is a DDoS attack?
Well, a DDoS attack means distributed denial of service.
So really what it means is you're denying something service, which is typically access to the internet.
And the first D is for distributed.
So it means that it's coming from many sources, the attacks coming from lots of origin points.
You said you're denying something access to the internet. What exactly is it that you're blocking?
Well, you're not really blocking anything as much as you are like knocking something off.
So if you imagine you're playing video games, you know, you're playing a first-person shooter
against a friend of yours. And you want to make them worse at the game. If you can choke their
internet connection out or punt them straight off the server, they lose. So like that would be
a primitive use case. You know, and way back in the day,
when the internet
was dial-up, or, you know,
the bandwidth that each internet connection
had was so minor, you could very
easily do this. Two or three
internet connections could knock one off,
no problem. So that's the denial.
What's the service?
So the service is typically internet access.
And in regards of this show
in this conversation, the service would be
typically internet connectivity.
So like imagine
your Amazon.com,
you know, the internet's a very important
thing to you. All of your traffic, consumers, and customers come through the internet. So if we can
take that away from you, we literally take millions of dollars probably per second out of your pocket.
Think about the last time you heard a breach story on this show. It always starts the same way.
Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up
for a world where attackers are already using AI.
They created the Aurora Super Intelligence Platform,
a fully agentic system powered by the swarm of experts.
Instead of single-purpose bots or lucky-guess LLMs,
this swarm is full of deterministic agents that handle whole entire workflows.
Humans stay in the loop and on the loop to validate the critical decisions
and keep everything trustworthy,
and all of this is just off running on their secure operations graph.
A constantly updating intelligence engine fueled by more than 9 trillion telemetry of
every week and over a decade of real-world incident response.
The system reasons on real signals and real context not synthetic training data.
And the result is the new Aurora Agent SOC.
It's the first SOC that is agent-led-by-design.
You get agents that coordinate, agents that investigate, agents that respond at machine speed,
and hundreds more that automate the repetitive work that normally buries human analysts.
Arctic Wolf didn't try and bolt AI onto an old model.
They rebuilt the model entirely.
What makes it even more effective is how it works with Arctic Wolf's concierge experience.
The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions.
The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind.
If you want to see what trustworthy, production-ready AI and security operations actually look like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up?
Last year, 2025 was nothing short of a record-breaking year for major breaches,
from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head.
Organizations around the world saw headlines they never expected,
and cybersecurity teams were tested like never before.
But here's the thing.
These incidents aren't just news headlines.
They're learning opportunities.
And that's why Arctic Wolf is hosting a live webinar on February 5th,
diving into the most impactful breaches of 2025.
Their field CTO and security leaders are going to unpack not just what happened,
but why these attacks succeeded,
and most importantly, what businesses can do to fortify their defenses before it's too late.
You're going to walk away with real insights in how threat actors are evolving,
how defenders are responding,
and what strategies can help you stay ahead of the next big breach.
It's not fearmongering.
It's practical, actionable, intelligence from experts in the trenches.
Register now at arcticwolf.com slash hacked.
That first D, distributed, take me a bit further down that whole rabbit hole.
Essentially, the attack comes from multiple origin points.
So instead of it just coming from me, so imagine back in the day, you know,
I'm annoyed with you and I want to take you off the internet.
You have one internet connection, and say I have a huge internet connection.
I can generate enough traffic out of my internet connection
to actually push you off the internet.
Whereas today the internet connections are so vast and big.
You can have three, four, six hundred megabyte per second
or megabit per second fiber internet in your house now.
It's really hard to come up with enough data to knock that off.
And that only gets bigger and bigger.
So imagine, as I said with Amazon,
if you're trying to knock Amazon off the internet,
they have so much data, so much pipe to the internet
that to create so much traffic that it actually
impacts their network equipment, impacts their servers, impacts,
you know, any of the infrastructure that runs their site,
you'd have to create terabytes per second.
How do you go about creating that much data to take something offline?
Yeah, so kind of in the current form, you know,
there's kind of been an evolution to this.
And what happened was, is it started with malware.
So you get a little malware on someone's computer,
and all of a sudden you have control over their computer,
and what you can do is actually turn their computer into a device that you can use to then attack somebody.
So if you imagine back in the day when you and I were playing a first-person shooter on dial-up,
if I had two computers attacking you, you'd get knocked off the internet.
You know, even if they were also on dial-up,
because they'd be able to send so much traffic twice the amount that your internet connectivity pipe had allowances for to you
while you're trying to play this game,
and it would essentially just suppress the amount of data
that the game could use
to the point that the game couldn't stay connected.
So now, to create enough data to really cause trouble,
you need to have lots of computers.
So then, you know, in the evolution,
the botnets would take over,
and it was hundreds or thousands
or tens of thousands of computers that all had malware on them,
that they could just send an IP address out to them,
and they would all attack at the same time.
So it's actually gone a little bit further now
where they've started writing botnets
that take over Internet of Things devices.
So imagine like the most obvious example
and the best use of this is surveillance cameras.
These Wi-Fi surveillance cameras,
your nest kind of equivalence.
And what they do is cameras generate so much information
that if you can literally just retarget the pipe of that data to somewhere else,
it just streams tons of data to a random IP address,
which is enough to crash most IP addresses if you have enough of these Internet of Things devices.
So I want to take down a really, really big target.
And I know that in order to do that, I need this really, really big army of essentially traffic.
And I can get that traffic from individual users.
I can get that traffic from an Internet of Things connected device that's, you know,
to send all of this signal. It's like a smart fridge, I guess. I don't know what data that produces,
but it's going to send all of this data. The larger point is, like, I want to take down this big
fish. How do I go about creating that giant army of, say, Internet of Things devices?
Well, the Internet of Things devices probably were all default configuration, you know, generic
username and passwords. I think the largest IoT botnet was using the software
called Mirai, and it literally just had a huge file that it went through with
usernames and password defaults for all these devices.
So it would just find these devices on the internet and then log into them.
That sounds like a surprisingly easy thing.
Yeah, not that hard.
It wouldn't be that hard to get a giant rogue army of Internet of Things devices to take down,
well, probably couldn't take down Amazon, but to take down a pretty big target.
Yeah, like I think some notable targets.
I know the U.S. government's been attacked a bunch of times.
they've hit lots of things.
So yeah, smart fridges against the world.
Okay, so I have this, I build this machine.
I build this thing that lets me take down these targets.
First off, why would a person want to do that?
Well, I think, so there's an interesting story here,
if I'm correct and recalling this,
but the guy who, one of the developers who made Mirai,
the Internet of Things botnet software or malware,
built it for fun,
and literally only used it to defer his calculus final in college.
So, like, he built this huge botnet of things out of probably sheer interest
to know that he could do it.
But then when he, the only times he ever used it weren't really for the most malicious things.
They were just kind of more for, you know, life things.
Like, I'm not ready for my calc final, so I'm going to shut it down.
Shut down the internet at the university.
So that's a pretty baller.
I guess with all that power comes great responsibility.
Okay, so aside from like the dude who invented it, using it to get out of a calc final,
why else would someone try and knock someone off the internet?
It's a great question.
You know, denial of service attacks, especially DDoS attacks,
are often used as cover when you're actually doing other hacks.
So that's one reason, because it creates such a headache for the IT department
that they stop looking at all these things
and they're focused on this one huge problem.
Two is just strictly to be a nuisance.
Like, I'm opposed to, you know, this law,
I'm going to take down this government website.
Three, you know, maybe it's...
Maybe you're an activist or a quote-unquote hacktivist
and you want to take down, you know,
some pipeline organization.
if you're a climate change, you know, kind of warrior.
You know, there's tons of reasons why you'd do it.
But I think, you know, given the subject of the show,
is that you just do it for money.
Is that a new thing?
New-ish.
I don't think there's always been an undercurrent economy online
for hacking tools and hacking stuff and credit card lists
and things like that.
But I can't remember the first time I'd heard about DDoS attacks for hire.
It probably was 2013, 14.
I think it was some Israeli guys.
You know, I'd have to go back in my history book, but, but yeah.
So how does the money come into it?
So this is a service that's been provided.
Like, people aren't DDoSing for money.
They are DDoSing for money, but that's not a reason why you do a DDoS attack.
The reason why you do the DDoS attack is because you want something to be denied service, like a country,
and then you pay somebody to do that.
So the guys who own the botnets and run the booters were doing that for money,
but the people who were paying them probably were definitely not doing them for money.
They were doing them to be nuisances for malfeasance, to cover things for economic reasons, etc, etc.
Yeah, so it's a service like anything else.
If you're in, like the story at the top of the show,
if you want to do a little bit of corporate sabotage,
this is a really, really good way of doing it,
and it only takes one person.
It's like a way smaller conspiracy than doing physical damage.
You just hire one hacker,
and they can do all this damage from sitting behind a laptop.
Yeah, right.
Most of these things are controlled
from a master console or a master control unit,
and they communicate out through this distributed network,
and they pass instructions to these bots
that then execute those instructions at the same time.
So, yeah, so it's probably not hard to run one of these.
And by that, I mean, it's probably quite easy.
So say you're a big fish.
You're like a target and you go, on a long enough timeline, someone's going to send this army of smart refrigerators after me.
What can you do to protect yourself?
Yeah, so content distribution networks, there's anti-DDoS services now, Cloudflare, I think, is a big one.
You essentially pay people to redirect your traffic into you.
So they put up essentially a huge net
And you have to get through the net
To get to the real servers and the real infrastructure
But the net is specifically built
To tune out and protect you from these kind of attacks
So I think that's kind of the de facto standard at this point
So how does this escalate
We had this swarm and now we have this net to catch it
Where does it go from here?
I think it's just going to be an escalation in data traffic
So as the internet pipes get bigger
I don't think denial of service attacks and therefore DDoS attacks are going anywhere.
I think that they're just going to have to get smarter
in how they prepare, create, launch, and execute them
because I think that they present a lot of value to someone who wants one,
whether it's just to be a nuisance or whether it's to have economic gain from it.
You know, we're starting to see that.
Like I think recently, mid-last year,
there was kind of a new style of attack seen with
a standard service that runs on Unix computers called Memcached.
You literally drop an object into a server, no passwords or authentication.
It's just kind of a service.
You connect to it, you give it an object of some form, a file,
and then you assign it a key value,
and then another computer can connect to it and say,
hey, I want that key value, send it to me,
and it'll send the file to that computer.
So these were kind of built to help out application servers and, you know, kind of the whole Web 2.0 world build.
But the problem is that some of these servers that are all supposed to be behind firewalls
aren't behind firewalls.
So when you get 50,000 servers sending 10 megabyte files 10,000 times a second at a web address,
all of a sudden you're pushing, you know, instead of pushing a couple hundred gigabytes
a second at an IP address,
imagine the tax and load on the computer infrastructure
and the network infrastructure for that.
Now all of a sudden you're sending terabyte, a terabyte and a half.
So you're sending so much data.
So I think that's going to be the natural escalation.
It's just more throughput, faster, harder.
It's funny.
The entire time we've been talking about this,
I'm thinking of the recipients of these attacks.
I'm just picturing a website.
We kind of just said Amazon off the top,
which is funny because it would be the last,
it would be probably the hardest thing to take down with one of these things.
Oh, Google's probably harder, but yeah.
Yeah.
I don't know, Bezos, he's scrappy.
I'm thinking websites.
Could this go further?
Could this be used to take down?
I mean, we talked about taking down a utility
in the form of the internet.
Like, what theoretically could this look like
with a sufficiently ambitious DDoS attack?
Well, I think you nailed it with the intro is,
you know, if you had, like,
if you had 50, 100,000 servers on huge
internet connections capable of sending constant multi-threaded data streams, like just so much data.
You've got to think, and like remember, that the internet is just a composition of cables
and switches and routers, and if you take down the right one, everything after it goes down. So when
you take down the switch or the router that's at the doorstep of China, you could take down
China. Granted, China is going to have
hundreds of different inpoints, but like
imagine like the Cook Islands.
Like let's go somewhere super remote.
There's probably not
that much, there's probably
a fiber line in and out of that country.
And if you
take it down, if you take the switch
that that fiber line connects to you down,
overheat it, burn it, just crash it,
the whole country gets turned off.
Like that's not an impossible thing.
Which is what that guy did.
Correct.
I think the line was for less than the price of a used car.
Now, he did it kind of by accident.
Do you think, and this is just pure speculation,
that there's probably one country somewhere that's sitting there with a button
that if they pressed it, they could turn off another country intentionally?
Oh, 100%.
Yeah.
Yeah, 100%.
Cool.
