Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

A security company wants you to DDoS its servers

By | June 18, 2008, 6:06pm PDT

“There is no such thing as bad publicity except your own obituary” - Brendan Behan. Ypigsfly, a company describing itself as a group of seasoned veterans of the Internet network infrastructure business, has just launched Killthisbox.com, a DDoS challenge enticing you to knock down the site for 15 minutes in exchange for a fifty dollar gift certificate from the well known geeky outlet ThinkGeek.

Are the folks behind this challenge really trying to test their new DDoS protection system, or is this a case of a guerrilla marketing approach aiming to promote the DDoS mitigation services of the company by creating controversy?

Considering the non-technical description of the contest, as well as the lack of a detailed explanation of what constitutes “knocking them off the Internet”, I think it’s a marketing campaign that would inevitably attract negative publicity. Perhaps with a reason, taking into consideration the fact that the challenge stimulates others to build DDoS capacity or learn how to by providing a rather modest reward.

Moreover, none of the eventual participants would be able to imitate a realistic DDoS attack on target.killthisbox.com and knock it offline, unless of course they are real botnet masters who I doubt would waste their botnet’s bandwidth in order to participate in the challenge. And even if the company’s objective is to gather realistic data on the DDoS threatscape, having end users trying to DDoS you wouldn’t provide the company with a realistic picture, and will also put the end users into the position of attackers abusing their network’s resources - if detected and approached by their ISP. These are the rules of the DDoS challenge:

“1. Register a day and time of your attack along with your Handle and unique password
2. Try and knock this site off the Internet for 15 minutes, anyway you can
3. If you can, email us with your handle and unique password, name and address and we will send you your prize
4. No we are not trying to find out who you are and send the Authorities to your house, we are just testing a DDOS defense system”

Going through the real-time attack stats, you’ll see end users doing nothing else but getting themselves in trouble, at least so far. I wonder whether their upstream provider Peer 1 Network Inc is even aware of the competition, and what’s their Network Operations Center’s take on it?

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Biography

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog sharing real-time threats intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations, can be found in his LinkedIn profile. You can also follow him on Twitter

4 Comments

"You have just won the lottery..."
oldbaritone 19th Jun 2008
Remember the 20/20 story where a "sting" operation sent letters to fugitives with open warrants they hadn't been able to capture?

It told them they had "won" and gave them an address and a time to come claim their prize.

They got a "prize", alright - BUSTED!
0 Votes
What a Joke
till6r 19th Jun 2008
I totally agree - Anyone with the capacity to perform DDoS is not gonna give a crap about a $50 gift certificate to think geek.
0 Votes
Legal Implications
srobtjones@... Updated - 19th Jun 2008
From the perspective of US law, it sounds as though they might be soliciting others to break the law. As I understand it, it is a violation of a number of laws for someone to act as they are requesting.

In order to protect the actors, this company should specifically engage in a contractual relationship with them. The company needs to find a way that is acceptable with law enforcement to provide some sort of waiver for those who are complying with the company's request.

Even if the company says that they are not going after the actors, that is no assurance - especially in an election year - that prosecutors will not try to go after the actors. After all, prosecutors who seek political office need slam-dunk cases to pad their resumes.

Personally, I would think that an attorney might consider filing a complaint against this company. The company is certainly inducing potentially unlawful behavior, and behavior which is harmful to society. Imagine someone working on this project and learning how to hack someone else's websites. Then the person goes and applies that knowledge to hurting other people's or organizations' websites.

I hope the company does more to absolve the actors and protect the public from these shenanigans.
0 Votes
They are asking for this, specifically, so it's authorized access.

The only way the others are breaking the law is if the computers used in the attack are being used in an unauthorized manner. I can see authorized ways to do this (post a link on /., digg, fark simultaneously for example).
0 Votes