I realize wages are low in many parts of the world and this might represent a significant amount of money, but anyone with access to the resources and possessing the technological know-how to pull this off maybe could make that in a legitimate way.
I have no idea, but maybe state actors are involved. Maybe it is a low-level warning of what "could" be done. Probably not... but maybe. $300 doesn't seem like it would be worth the trouble and risk but maybe it is.
B. You don't need many machines to create DDoS attacks because of reflection/amplification.
C. You can rent machines without having to use a botnet.
B. A government interested in network security would inform managers of reflection- and amplification-vulnerable systems (such as misconfigured DNS resolvers), as well as design and release open, verifiable, trustable specifications for filtering hardware and packet matching algorithms to block DDoS attacks at the same points they currently tap network traffic.
C. Rented machines can be shut down far more easily than a botnet.
The same thing keeping government from regulating the Internet is the same thing keeping government from simultaneously fixing every flaw in every router, switch, and TCP/IP stack.
Stockpiling has nothing to do with it by itself, as they are stockpiling individual numbers of bugs in an entire frothing sea of bugs. NSA didn't even know about Heartbleed, and that's one that could have enormously aided NSA in doing what they do.
If we were talking a handful of bugs, your argument would make sense. But we're talking about tens of thousands.
This.
Last year I worked at a huge, multinational, privately held company. After being at my job less than two days, I found out they store all of their server passwords in plaintext, on the server, together, in one file.
It took me about an hour to compose myself. It was like having a dream where you come to work and you suddenly realize you left your pants at home.
However now, a botmaster is able to generate thousands of C&C centers from hacked boxes, via hidden Tor or I2P nodes, or shared hosting, as well as hundreds of thousands of varying infected malware almost instantly. The only thing that requires effort from the botmaster now is spreading and constantly updating their slaves so they can keep them in control longer.
The actual implementation is the easy part of it.
Does anyone know what that might be? There are quite a few people on HN who have zero sympathy for DDoS victims who don't pony up for Cloudflare etc., but I'm curious about situations when that isn't going to help or other attack vectors that will get you regardless.
https://support.cloudflare.com/hc/en-us/articles/200168536-W...
If that is in the same DC as the rest of your equipment [or worse, the same server] it might be still possible to figure things out and DDoS you.
The underlying hosting is just as vulnerable w/ or w/o Cloudflare.
Last week someone spinning up their own botnet threw like 1Gbps at a side project of mine via UDP at the mail server.
Basically, I'd rather there is _some_ company that can shut down these existing known bad actors than avoid it on the off chance that it becomes a bad actor down the road. Better to use the time that buys us to look for better ways to deal with DDoS, both policy and tech based, as other comments suggest.
Not a perfect idea at this point though, it'd require considerable organization to get this done, certainly better than throwing away Bitcoin or waiting for it to become criminalized. IMHO
It makes you think if Bitcoin is turning into a giant example of "be careful what you wish for".
We have exchange after exchange get hacked and legit Bitcoin users losing their money, and now Bitcoin enables extortion schemes that couldn't work so effortlessly before.
Where is this going?
I suppose if I had to throw a potentially disruptive idea out there, you could create a database of 'blacklisted addresses.' Let's say when Bitlocker came out, you entered that address into a database and it was verified as being associated with this scam, well it is trivial to track those coins between addresses and every address it enters is blacklisted until it enters a mixer or exchange, at which point you have a potentially complicit corporation that you could actually target with the subpoena or other legal action for discovery of IPs, login, etc.
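The blacklist propagation described in the comment above, sketched as an added example that is not part of the original thread. It assumes a chronologically ordered ledger, a known list of service addresses, and the strict rule that one blacklisted input taints every output; all addresses, transaction ids and labels are constructed.

```python
from collections import namedtuple

# Constructed sample data: every address, txid and service label is made up.
Tx = namedtuple("Tx", "txid inputs outputs")

LEDGER = [  # chronological order
    Tx("t1", ["victim1"], ["ransom"]),
    Tx("t2", ["ransom"], ["hop1", "hop2"]),
    Tx("t3", ["clean1"], ["clean2"]),
    Tx("t4", ["hop1"], ["exchangeA"]),
    Tx("t5", ["hop2", "clean2"], ["hop3"]),   # mixed clean and blacklisted inputs
    Tx("t6", ["exchangeA"], ["customer9"]),   # exchange paying an unrelated customer
    Tx("t7", ["hop3"], ["mixerB"]),
]
SERVICES = {"exchangeA": "exchange", "mixerB": "mixer"}


def trace(ledger, seed, services):
    """Propagate the blacklist forward from `seed`.

    Returns (blacklisted addresses, cash-out points), where each cash-out
    point is (txid, service address, service kind): the place where legal
    process against the service would have to take over from tracing.
    """
    tainted = {seed}
    cash_outs = []
    for tx in ledger:
        # Spends made by a service are not followed: its pooled funds
        # belong to many customers, so propagation stops at its door.
        if not any(a in tainted and a not in services for a in tx.inputs):
            continue
        for out in tx.outputs:
            if out in services:
                cash_outs.append((tx.txid, out, services[out]))
            else:
                tainted.add(out)
    return tainted, cash_outs


if __name__ == "__main__":
    blacklisted, cash_outs = trace(LEDGER, "ransom", SERVICES)
    print(sorted(blacklisted))
    print(cash_outs)
```

Transaction `t5` shows the cost of the strict rule: `hop3` is blacklisted even though part of its funding came from a clean address.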
And on the contrary they can do the exchange in, say, Nigeria. So Bitcoin's weakest link is also law enforcement's weakest link, because no one has authority over the entire world, and there are plenty of spots where you can do the exchange without a trace.
Not far's my guess. If BTC gets too popular as a tool for extortion and money laundering, then the authorities in developed countries are going to start carefully monitoring people who sell large quantities of BTC for sovereign currency or commodities. It would just be another part of their general efforts to combat organized crime. That would make major speculators feel less welcome. If major speculators decide to take their ball and go play somewhere else, the price of BTC will probably tank. That'll discourage everyone else. At which point BTC becomes a terrible medium for money laundering because nobody wants to buy them. I also suspect that the relative anonymity of any one transaction is closely related to overall transaction volume in the BTC economy.