You can blow away any website in the world if you try hard. Throw enough traffic at a server on the internet—friendly or otherwise—and it'll buckle. For most, these attacks are a headache, but here's one man who makes a sport (and money) out of swarming his enemies online.
Julius goes by a few names, and there's no way for me to know which, if any, are even remotely real. He'd be stupid to use a real name, because he speaks openly—proudly—about how much and how often he breaks the law. Julius talks about breaking the law like you talk about texting your roommate, as if crippling his internet enemies with a distributed denial-of-service (DDoS) attack were a banana peel on the floor. But it's not. Julius is able to wreck computers with a few clicks, at will, from the comfort of his home or office, where over IM he tells me he's employed "programming with a rather large company" in Finland. When he's not at his desk as a white-collar employee who IMs without affectation or much personality at all, he says he's helped hack the likes of Imageshack and Symantec—glistening, prominent whales of the web.
But not every day is a day for whale hunting—with typical Scandinavian austerity (if he really is Finnish), most of Julius' time as a hacker is spent tiptoeing through the net, not stomping. Julius is constantly hunting. Quietly, methodically, he scours the internet for weak, vulnerable computers—computers he can enlist for his zombie army, programmed to attack a target.
There is strategy to the quiet campaigning. Avoid computers in Asia. Poor countries have slow internet connections, so they make bad weapons. Premium DDoS ammo comes from wealthy first-world nations like Germany, the US, and Julius' native Finland—preferably computers attached to a corporate network, where bandwidth is ample and negligence is thick.
Seek software flaws, operating system holes, websites without passwords; Julius uses automated programs to trawl the internet looking for a way inside, constantly poking. The slightest human error or minute security oversight means a fresh crop of zombies at his disposal. Julius casually refers to this process of twisting doorknobs as "auditing."
Once audited and subsumed, this horde of compromised systems is what's called a botnet: thousands upon thousands of computers scattered around the world, used by regular people every day, oblivious to the fact that their desktops have been weaponized. This is basically the Showtime Rotisserie of internet terrorism.
And what a weapon it is. Julius types in any IP address, and his botnet—which he claims contains around 400,000 computers—comes to life. Like something from Hackers meets Fantasia, the swarm coalesces. Each computer, all at once, fires a stream of meaningless information at the target, masquerading as the same sort of bits that'd knock on a server's door to announce your innocuous arrival—like the computer was just stopping by to read an article or watch a video. But there's nothing innocuous about it. These simultaneous connections, as many of them as possible, will overload any servers that aren't equipped to absorb a traffic deluge. Julius says the process, from click to crash, takes around 15 minutes. And he makes it look so easy, you might be tempted to take it up yourself:
- Write your target in a text file
- Upload that text file to a website that all of your bots are pre-programmed to check in with
- The next time the bots check in, they'll receive their new orders from that text file
- The salvo begins
- The target slows down or goes down
What if your target is using an anti-DDoS service like CloudFlare? "Hit it with more bots," says the Finn. This is a numbers game. And besides, "Pretty much all of those services are absolute bullshit."