Crime for dummies: how DDoS attacks can be a weapon for anyone

Earlier this year, 23-year-old Randall Charles Tucker gained himself a fair bit of internet infamy for a barrage of DDoS attacks. Known by his self-given nickname the Bitcoin Baron, Tucker has, since pleading guilty to felony computer crimes, been called ham-fisted, a no-skilled hacker, and the internet’s most inept criminal, to name a few choice descriptors.

Regardless of how many insults can be slung in his direction and regardless of the reasons those insults are being slung, the Bitcoin Baron still managed to do a tremendous amount of damage while on his harebrained rampage. Therein lies one of the biggest problems with DDoS attacks.

A carefully chosen weapon

There’s nothing dumb about the Baron’s cyber weapon of choice. A distributed denial of service or DDoS attack is one that aims to keep the users of a website or online service from being able to use it, generally by causing downtime with an influx of malicious traffic or illegitimate requests. It’s a simple concept, but the consequences are complex, involving everything from lost revenue, user frustration and the long-term degradation of user loyalty to software and hardware damage.

Thanks to their effectiveness, DDoS attacks often make the news, and even if they don’t they tend to get a ton of attention on social media. This is one of the things that makes these attacks so appealing to people like the Bitcoin Baron. They also tend to like that launching these attacks can be so easy.

A sloppily executed plan

In the end, the Bitcoin Baron was accused of countless distributed denial of service attacks. He reportedly took aim at children’s hospitals, news outlets, banks, web hosting services, other hacking groups, and municipal governments. To accomplish these attacks, this hacker wannabe used automated scripts and plug-and-play tools that essentially did the work for him. He didn’t have his own botnet or his own code or his own, really, anything.

This didn’t stop him from attempting to position himself amongst the hacktivists, frequently bragging on his Twitter timeline and in forums about past and future attacks. He hacked into the San Marcos Police Department website to demand that an officer who had beaten and injured a student during an illegal arrest be put in jail… an officer who had been fired and jailed for said incident two years earlier. He launched a DDoS campaign against a video news portal in an effort to get one of his own hacking call-to-arms videos posted, and when it was posted it garnered little attention. He attempted to extort 100 Bitcoin from the tornado-ravaged city of Moore, Oklahoma, and received absolutely nothing for his troubles. He never made any effort to cover his tracks or hide his identity. He boasted that he was becoming quite famous on the net.

All in all, Randall Charles Tucker is little more than a script kiddie facing 20 months in jail as a result of his plea bargain, most likely deserving of the doofusy reputation he’s earned. However, ask the city of Madison, Wisconsin what they think of this doofus and his distributed denial of service attacks.

Nothing special

In the attack for which he was ultimately charged, the Bitcoin Baron was able to launch a six-day DDoS attack against the government websites and services of Madison, knocking out the city’s main website, disrupting email communications, disrupting the 911 emergency call center, and causing the communication systems of the fire and police departments to fail. Far from stupid, this was scary – a cyberattack that had the potential to impact human lives or even cause deaths through delayed first response.

Internet users of all levels of technical knowledge are now perfectly capable of launching attacks like these. Whether it’s a script kiddie like the Bitcoin Baron purchasing a DDoS toolkit or a complete technological know-nothing logging in to a DDoS-for-hire service, businesses and services all over the internet are routinely being tormented by ham-fisted, no-skilled hackers, and you know what? Those inept criminals are winning while businesses and services literally pay the price.

With professional attackers and professional punchlines alike able to do serious, sustained damage with DDoS, there is no choice but to get professional mitigation to deal with these attacks. Think cloud-based, impressive processing power, and a time to mitigation that comes in under ten seconds. Anything less and a business might find itself with the unwelcome distinction of having been hit by the internet’s second or third most inept criminal. They’re out there, and they’re probably using DDoS attacks.