You can blow away any website in the world if you try hard. Throw enough traffic at a server on the internet — friendly or otherwise — and it will buckle. For most, these attacks are a headache, but here's one man who makes a sport (and money) out of swarming his enemies online.
Julius goes by a few names, and there's no way for me to know which, if any, are even remotely real. He'd be stupid to use a real name, because he speaks openly — proudly — about how much and how often he breaks the law. Julius talks about breaking the law like you talk about texting your roommate, as if crippling his internet enemies with a distributed denial-of-service (DDoS) attack were a banana peel on the floor. But it's not. Julius is able to wreck computers with a few clicks, at will, from the comfort of his home or office, where over IM he tells me he's employed "programming with a rather large company" in Finland. When he's not at his desk as a white-collar employee who IMs without affectation or much personality at all, he says he's helped hack the likes of Imageshack and Symantec — glistening, prominent whales of the web.
But not every day is a day for whale hunting — with typical Scandinavian austerity (if he really is Finnish), most of Julius' time as a hacker is spent tiptoeing through the net, not stomping. Julius is constantly hunting. Quietly, methodically, he scours the internet for weak, vulnerable computers — computers he can enlist for his zombie army, programmed to attack a target.
There is strategy to the quiet campaigning. Avoid computers in Asia. Poor countries have slow internet connections, so they make bad weapons. Premium DDoS ammo comes from wealthy first-world nations like Germany, the US and Julius' native Finland — preferably computers attached to a corporate network, where bandwidth is ample and negligence is thick.
Seek software flaws, operating system holes, websites without passwords; Julius uses automated programs to trawl the internet looking for a way inside, constantly poking. The slightest human errors or minute security oversights means a fresh crop of zombies at his disposal. Julius casually refers to this process of twisting doorknobs as "auditing".
Once audited and subsumed, this horde of compromised systems is what's called a botnet: thousands upon thousands of computers scattered around the world, used by regular people every day, oblivious to the fact that their desktops have been weaponised. This is basically the Showtime Rotisserie of internet terrorism.
Click to expand.
And what a weapon it is. Julius types in any IP address, and his botnet — which he claims contains around 400,000 computers — comes to life. Like something from Hackers meets Fantasia, the swarm coalesces. Each computer, all at once, fires a stream of meaningless information at the target, masquerading as the same sort of bits that'd knock on a server's door to announce your innocuous arrival — like the computer was just stopping by to read an article or watch a video. But there's nothing innocuous about it. These simultaneous connections, as many of them as possible, will overload any servers that aren't equipped to absorb a traffic deluge. Julius says the process, from click to crash, takes around 15 minutes. And he makes it look so easy, you might be tempted to take it up yourself:
- Write your target in a text file
- Update that text file to a website that all of your bots are pre-programmed to check in with
- The next time the bots check in, they'll receive their new orders from that text file
- The salvo begins
- The target slows down or goes down
What if your target is using an anti-DDoS service like CloudFlare? "Hit it with more bots," says the Finn. This is a numbers game. And besides, "Pretty much all of those services are absolute bullshit."
Julius demoed another botnet technique for me, which is based almost entirely around IRC rooms — chat technology that's a quarter of a century old. I was watching dummy bots, not actual hijacked computers (think firing blanks), but the software that bossed them around was completely real, and worked perfectly. Through simple IMs Julian was able to directly command strangers' computers that monitor every word he speaks on IRC, idling until they're pushed to action. That the IRC display was simulated made it no less mesmerizing and overwhelming: he asked them to rally, and they swarmed into the chat room. He asked them to attack, and they fired.
With a keystroke, Julius compelled thousands of bots to swarm into our little internet shooting range at once. Thousands poured in, conducting a simulated attack — moving so quickly I couldn't read their names — until my computer crashed. Even an illustrative drill was enough to incapacitate me as a spectator — the mere volume of information about an imaginary attack was enough to derail me, a spectator. Imagine if I'd been on the receiving end of the data volley.
There's no satisfying answer as to why anyone would mess up someone's connection, someone's network, or someone's day as a hobby — go into enough chat rooms, and you realise this is as much the domain of psychopathology as IT. Julius isn't employed by any clandestine Cyber Warfare Bureau. He's not trying to breach the Pentagon or Pyongyang. He mostly just does it for love of the game:
It sounds like the same vague rationale for a grand chunk of what any given hacker does: for attention, for a reaction, for his own amusement. For no reason at all, really, other than the satisfaction of being able to do it. "I just do that stuff to piss of [sic] people," Julius tells me. But that's not totally true — there's good money to be made in the business of hijacking the computers of strangers.
Once Julius has access to a computer, almost everything on it is his for the taking: bank logins, social media passwords, your email inbox. There exist, beneath the confetti of lulz, more discreet and decidedly more sinister circles that buy this access to commit financial fraud. After a recent harvest of 40,000 computers, Julius was able to flip them to anonymous buyers on private web forums. Total profit: almost $US4,000 American. No Bitcoin crypto-cash: "It's easier to trust 'real money,'" says Julius. Not bad given that most of the legwork was done by automatic software that doesn't need legs — constantly seeking, constantly seeping, a continuous money mill of stolen and re-stolen access. Fruits without labour. Julius need only keep up with the latest security holes in the software we all use, and punch them before they're fixed.
Very lucky for Julius, who claims that after a decade of this fraudulent wholesaling, he could retire today and never work another day in his life. Bummer for you, if you're on an unpatched computer and just had your credit card number sold to some Russian fellow with bad intentions.