A security company wants you to DDoS its servers


"There is no such thing as bad publicity except your own obituary" - Brendan Behan. Ypigsfly, a company describing itself as a group of seasoned veterans of the Internet network infrastructure business, has just launched Killthisbox.com, a DDoS challenge enticing you to knock down the site for 15 minutes in exchange for a fifty dollar gift certificate from the well-known geeky outlet ThinkGeek.

Are the folks behind this challenge really trying to test their new DDoS protection system, or is this a case of a guerrilla marketing approach aiming to promote the DDoS mitigation services of the company by creating controversy?

Considering the non-technical description of the contest, as well as the lack of a detailed explanation of what constitutes "knocking them off the Internet", I think it's a marketing campaign that would inevitably attract negative publicity. Perhaps with reason, considering that the challenge encourages others to build DDoS capacity, or learn how to build it, by offering a rather modest reward.

Moreover, none of the eventual participants would be able to imitate a realistic DDoS attack on target.killthisbox.com and knock it offline, unless of course they are real botnet masters, who I doubt would waste their botnet's bandwidth in order to participate in the challenge. And even if the company's objective is to gather realistic data on the DDoS threatscape, having end users try to DDoS you wouldn't provide the company with a realistic picture, and would also put the end users in the position of attackers abusing their network's resources - if detected and approached by their ISP.

These are the rules of the DDoS challenge:

"1. Register a day and time of your attack along with your Handle and unique password
2. Try and knock this site off the Internet for 15 minutes, anyway you can
3. If you can, email us with your handle and unique password, name and address and we will send you your prize
4. No we are not trying to find out who you are and send the Authorities to your house, we are just testing a DDOS defense system"

Going through the real-time attack stats, you'll see end users doing nothing but getting themselves in trouble, at least so far. I wonder whether their upstream provider, Peer 1 Network Inc, is even aware of the competition, and what their Network Operations Center's take on it is.


Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

4 comments
  • What a Joke

    I totally agree - Anyone with the capacity to perform DDoS is not gonna give a crap about a $50 gift certificate to think geek.
    till6r
  • Legal Implications

    From the perspective of US law, it sounds as though they might be soliciting others to break the law. As I understand it, it is a violation of a number of laws for someone to act as they are requesting.

    In order to protect the actors, this company should specifically engage in a contractual relationship with them. The company needs to find a way that is acceptable with law enforcement to provide some sort of waiver for those who are complying with the company's request.

    Even if the company says that they are not going after the actors, that is no assurance - especially in an election year - that prosecutors will not try to go after the actors. After all, prosecutors who seek political office need slam-dunk cases to pad their resumes.

    Personally, I would think that an attorney might consider filing a complaint against this company. The company is certainly inducing potentially unlawful behavior, and behavior which is harmful to society. Imagine someone working on this project and learning how to hack someone else's websites. Then the person goes and applies that knowledge to hurting other people's or organizations' websites.

    I hope the company does more to absolve the actors and protect the public from these shenanigans.
    srobtjones@...
    • Why are they inciting breaking the law?

      They are asking for this, specifically, so it's authorized access.

      The only way the others are breaking the law is if the computers used in the attack are being used in an unauthorized manner. I can see authorized ways to do this (post a link on /., digg, fark simultaneously, for example).
      rpmyers1
  • "You have just won the lottery..."

    Remember the 20/20 story where a "sting" operation sent letters to fugitives with open warrants they hadn't been able to capture?

    It told them they had "won" and gave them an address and a time to come claim their prize.

    They got a "prize", alright - BUSTED!
    oldbaritone