Keep in mind also, the victims of these DDoS attacks do not know which "booter" service was paid to attack them. The packets do not have "Stress test provided by vBooter" in them. The attack packets do not come from the booter's or Cloudflare's IP addresses, they come from secondary victims -- compromised servers, PC's infected with malware, and abused DNS/NTP [and a few other protocols] reflectors. It is impossible for a victim to submit a complaint to Cloudflare stating "I was attacked by someone paying vBooter", because they do not know which of the numerous "booter" services was responsible. -Phil
On Jul 28, 2016, at 12:12 PM, Naslund, Steve <SNaslund@medline.com> wrote:
Miles is right. Their thinly veiled "stress tester" thing is not going to be much of a defense. They must not have very good legal counsel. Here is the issue. Stress testing is perfectly legal as long as I am:
a) Stress testing my own stuff b) Stress testing your stuff WITH YOUR CONSENT
Selling a product or service that is unsafe can lead to serious civil consequences. For example, I sell you roach killer and don't warn you that it will also kill every other living thing in your home, I am going to get sued and lose badly.
Let's say I am running a demolition company that offers to knock down any house for a price. Don't you think I have a responsibility to verify that you own the house you just asked me to knock down? (by the way, this has happened in the real world -wrong address on paperwork- and the demolition company was held liable) Obviously I have that responsibility and obviously the same rules would apply to any service that can potentially damage someone's property.
Steven Naslund Chicago IL
Let's see:
Vbooter (on their home page) claims: "#1 FREE WEBBASED SERVER STRESSER" "Using vBooter you can take down home internet connections, websites and game servers such us Minecraft, XBOX Live, PSN and many more." "You don't have to pay anything in order to use this stresser! In addition there are NO limits if you are a free user."
So they're advertising a free service that explicitly offers DDoS capabilities.
Now - with the caveat that I'm not a lawyer, and I'm talking from a US perspective only - as a sometimes hosting provider who pays attention to our legal liabilities, and >who's had one of our boxes compromised and used to vector a DDoS against a gaming site....
1. DDoS is clearly illegal under multiple statutes - most notably the Computer Fraud and Abuse Act - see https://www.justice.gov/sites/default/files/criminal->ccips/legacy/2015/01/14/ccmanual.pdf - for a Justice Dept. memo on "Prosecuting Computer Crimes." When coupled with threats, requests for payoffs, etc. - it expands into lots of other crimes (e.g., >extortion). And that's before one starts attacking Government-owned computer systems.
2. One might infer that, while "stress testing" is a legitimate and useful service - under specific circumstances, vBooter's tools might also fall under laws regarding >being an accomplice to a criminal act, aiding & abetting, "burglar's tools," etc., and more generally "creating a public nuisance."
3. There are also various (mostly state) laws against the sale of burglar's tools (e.g., sale of a lockpick to someone who's not a professional locksmith). I expect some >of those laws might apply.
4. All of those certainly could be applied to vBooter.org. Whether Cloudflare is liable for anything would seem to depend on whether Cloudflare is complicit in the use >of vBooter's use for criminal purposes, or promoting it's use therefore. Hosting would certainly fall into that category - and while, I have no direct knowledge that >Cloudflare hosts vBooter, they do provide nameservice, and their web server's IP address is in a network block registered to Cloudflare - that would seem to establish >complicity. Now if Cloudflare were to actively suggest that folks use vBooter to test systems, as a way to boost sales for Cloudflare - that would certainly be an >interesting test case for RICO (akin to McAfee encouraging folks to write and release viruses).
As to whether "Nothing is going to happen" - I expect something WILL happen, when somebody big, with a good legal department, gets hit by a really damaging DDoS attack, >and starts looking for some deep pockets to sue. Or, if somebody attacks the wrong Government computer and the FBI, or DoD, or DHS get ticked off.
It will make for very good theater - at least for anyone not directly in the cross-hairs.
Miles Fidelman