"There's not much more than fine print between stress testing and DDoS-as-a-service".
The main difference, I believe, is who is ordering the service for whom.
Two Israeli men have been arrested for running a distributed-denial-of service-as-a-service site, after one seemingly claimed to attack the Pentagon. Itay Huri and Yarden Bidani, released on US$10,000 bonds, were arrested following a tip off from the FBI, local news site TheMarker reports. A Twitter account using Bidani's …
If that is true, then their DDoS of the FBI site is justified by invoice and they can easily name the contact and get their name cleared.
Unfortunately for them, if the FBI arrested them it would seem that they have a bit more explaining to do than that.
It could be argued that they, as an alleged "security service" company, should practice due diligence on the requests they receive.
Eg. Receiving a validated response from the listed WHOIS contact for the IP range
... or verifying the presence of a special text string on the website or in DNS supplied to the person requesting testing
If you saw that the WHOIS was a large corporation, if you were a real, legitimate security company, you'd be seeking legally binding and witnessed authorisation.
Indeed. Kind of like when a major, legitimate, ticketed event like a festival causes traffic chaos for those with no interest. Only it's less easy to reroute but hey, isn't the internet supposed to be resilient 'n all that? I suppose we'll need to stick to using those super expensive traffic generating systems on the edge but then who wants kit when you can have it as a service yesterday.
Their provider (who I will not name here) had servers with 1gbit and 10gbit connections and does not block spoofed IP packets coming from their network. So simple floods could be done using just the bandwidth of that server but making it look like it was a distributed attack by faking the IP in every packet.
The other attacks were amplification attacks, which sent out packets to public NTP, Chargen, DNS etc servers with a spoofed IP address of the victim, so they replied to the victim instead of the vdos server. A 10gbit server could potentially create 50gbit (much more given the right public servers) of traffic due to the replies and bandwidth of the public servers replying with more data than the initial request.
The method I believe was used to uncover this operation is pretty naughty too. The ISP/Hosting provider this site worked from had it's BGP routes hijacked by a DDoS protection and security company. BGP hijacking is a pretty scummy thing to do, even if it is easy to do.