The FBI shares excellent awareness guidance on “Distributed Denial-of-Service” (DDoS) attack services that can be hired, as described below:

FBI OVERVIEW FOR DDoS FOR HIRE THREAT — DDoS attacks are costly to victims and render targeted Web sites slow or inaccessible. These attacks prevent people from accessing online accounts, disrupt business activities, and induce significant remediation costs on victim companies. They also can cause businesses impacted by DDoS attacks to lose customers. During October 2016, one of the largest DDoS attacks to date impacted more than 80 Web sites primarily in the United States and Europe, causing them to become inaccessible to the public. The attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack. Open source reports estimate the DNS provider lost approximately eight percent of its customers following the attack.

WHAT ARE BOOTER AND STRESSER SERVICES? Booter and stresser services are a form of DDoS-for-hire — advertised in forum communications and available on Dark Web marketplaces — offering malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic. Established booter and stresser services offer a convenient means for malicious actors to conduct DDoS attacks by allowing such actors to pay for an existing network of infected devices, rather than creating their own. Booter and stresser services may also obscure attribution of DDoS activity.

CONSEQUENCES OF PARTICIPATING IN THESE SCHEMES – The use of booter and stresser services to conduct a DDoS attack is punishable under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in any one or a combination of the following consequences:

1. Seizure of computers and other electronic devices
2. Arrest and criminal prosecution
3. Significant prison sentence
4. Penalty or fine

HOW AND WHAT TO REPORT — The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident.