Imagine trying to enter a shop only to find a crowd blocking the door — not because they’re shopping, but because someone paid to keep everyone out. That’s essentially what a DDoS attack does to a website or server, except the crowd is made of hijacked computers and the bill is paid in cryptocurrency. The US FBI considers this practice illegal, whether you pull the trigger yourself or hire someone else to do it. Understanding how these attacks work, why they persist, and what law enforcement is doing about them matters more than ever as our daily lives increasingly depend on online services.

Legality: Illegal per FBI · Target: Websites and servers · Method: Flood with traffic · Record attack: 71M RPS · Analogy: Crowd blocking shop door

Quick snapshot

1. Confirmed facts
  • DDoS attacks are a serious federal crime (US DOJ)
  • 71M RPS attack blocked in 2023 — largest on record (BleepingComputer)
  • Downthem linked to 200,000+ attack attempts (eWeek)
2. What’s unclear
  • Exact current scale of booter service operations post-seizures
  • Specific convictions and prison sentences for charged defendants
  • Technical details on Cloudflare’s proprietary detection methods
3. Key enforcement
  • FBI Operation PowerOFF: 48 domains seized, 6 charged in 2023 (ITPro)
  • 75+ total domains seized related to DDoS-for-hire services (US DOJ)
4. What happens next
  • Continued global takedowns under Operation PowerOFF
  • Growing cloud-based attacks using misconfigured servers
  • Increasing legal exposure for both operators and users

The table below aggregates authoritative definitions and enforcement data from government agencies and major security firms.

| Aspect | Detail |
| --- | --- |
| Definition Source | Cloudflare: disrupts normal traffic to web properties |
| Microsoft View | Exhausts application resources through resource consumption |
| Cisco Description | Simultaneous data requests overwhelming target systems |
| Wikipedia Analogy | Crowd blocking a shop door to prevent legitimate customers |
| Legality | FBI prohibits participation — launching or hiring is a crime |
| Premium Pricing | $100/month for 10 attacks up to 30Gbps throughput |
| Cheap Service Risk | $25/month service capable of outage for 10,000 ISP customers |
| DOJ Wave 1 | 15 domains seized on December 20, 2018 |
| DOJ Wave 2 | 27 domains seized in 2023 global crackdown |

What is a distributed denial-of-service (DDoS) attack?

A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target with a flood of simultaneous data requests. The word “distributed” is key: unlike a simpler DoS attack originating from a single source, a DDoS attack coordinates traffic from multiple sources — often thousands or tens of thousands of compromised computers forming a botnet. According to Cloudflare (content delivery and security provider), this flood of traffic makes the target unable to serve legitimate users.

DoS vs. DDoS difference

The distinction matters for both technical and legal reasons. A traditional denial-of-service (DoS) attack typically comes from one source — the attacker directly floods a target from their own machine. DDoS amplifies this by recruiting a network of hijacked devices, often called a botnet, to launch the assault simultaneously.

Cloudflare explains that this distributed approach makes DDoS attacks far more difficult to block, since the traffic originates from numerous IP addresses. The scale matters: in 2023, Cloudflare blocked a record-breaking 71 million requests per second (RPS) HTTP DDoS attack — the largest ever documented — using over 30,000 IPs from multiple cloud providers (BleepingComputer).

The scale problem

Cloudflare’s 71M RPS attack dwarfed the previous record of 46M RPS by roughly 35%, illustrating how attack sophistication continues to grow faster than most organizations can defend against it independently.

Is a DDoS attack illegal?

Yes — unambiguously. The FBI has been explicit: whether you launch a DDoS attack yourself or hire a DDoS-for-hire service (known in the trade as “booter” or “stresser” sites) to do it for you, both are federal crimes. “Whether you launch a DDoS attack or hire a DDoS service to do it for you, the FBI considers it a crime,” according to the US Department of Justice.

DDoS-for-hire operators often claim their services are meant only for legitimate stress-testing of networks. Federal prosecutors have rejected this as a pretext. “Running a service that attacks any website in exchange for anonymous money is not just reckless, but patently illegal—and will be prosecuted,” stated the DOJ (eWeek).

FBI stance on participation

The legal consequences are substantial. SecurityScorecard (cybersecurity rating platform) notes that DDoS penalties include fines, jail time, and criminal charges in the United States. Beyond individual users, law enforcement has pursued the booter service operators themselves.

In December 2018, the US Justice Department seized 15 DDoS-for-hire domains including downthem.org and quantumstress.net. Downthem alone was associated with over 200,000 attack attempts from October 2014 to November 2018 (eWeek). In 2023, the DOJ seized 27 more domains as part of a global crackdown, charging two defendants (US DOJ).

“DDoS attacks are serious crimes that can cause real harm, as shown by the wide range of sectors allegedly victimized in this case.”

— Assistant Attorney General Benczkowski, US DOJ via eWeek

The pattern is clear: the FBI is targeting not just users who hire booter services, but the operators who profit from them. In 2023, US authorities seized 48 DDoS-for-hire services and charged six individuals as part of Operation PowerOFF (ITPro).

How do I know if I am under a DDoS attack?

Detecting a DDoS attack requires knowing what normal traffic looks like for your site or service. Cloudflare (infrastructure security provider) notes several indicators that may suggest an ongoing attack.

Signs of DDoS

  • Sudden spike in traffic from a single IP address or IP range
  • Disproportionate number of requests to a single page or endpoint
  • Site becomes slow or completely unavailable
  • Strange traffic patterns — requests from unusual geographic locations or device types
  • Server resource exhaustion even when analytics don’t match expected visitor levels
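
The first two signs above can be checked directly against a web server access log. The following is an added example, not code from Cloudflare or the original article: it scores one time window of Common Log Format lines against a known baseline. The thresholds, the /24 and /48 grouping, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: client IP, identity, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*"')

def analyze(lines, baseline_rps, window_seconds, spike_factor=5.0, share_limit=0.5):
    """Return (indicator, value) findings for one window of access-log lines."""
    ips, nets, paths = Counter(), Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail mid-incident
        ip, path = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field was a hostname or garbage
        # Group clients by /24 (IPv4) or /48 (IPv6), an assumed range size, so a
        # flood spread over many addresses in one range is still visible.
        prefix = 24 if addr.version == 4 else 48
        ips[ip] += 1
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
        paths[path.split("?", 1)[0]] += 1  # ignore query strings
    total = sum(ips.values())
    findings = []
    if total == 0:
        return findings
    rps = total / window_seconds
    if rps > baseline_rps * spike_factor:
        findings.append(("rate_spike", round(rps, 1)))
    for label, counter in (("single_ip", ips), ("ip_range", nets), ("endpoint", paths)):
        key, count = counter.most_common(1)[0]
        if count / total > share_limit:
            findings.append((label, key))
    return findings

def sample_window():
    """Constructed log lines: 90 hits on /login from one /24, 10 normal hits."""
    ts = "10/Oct/2023:13:55:36 +0000"
    flood = [f'203.0.113.{i} - - [{ts}] "POST /login HTTP/1.1" 200 512'
             for i in range(1, 91)]
    normal = [f'198.51.100.{i} - - [{ts}] "GET /page{i} HTTP/1.1" 200 2048'
              for i in range(1, 11)]
    return flood + normal

if __name__ == "__main__":
    print(analyze(sample_window(), baseline_rps=1.0, window_seconds=10))
```

In the constructed sample no single address stands out, but the range and endpoint checks both fire, which is why per-IP counts alone are not enough. Share-based checks are noisy on very small windows, so apply them only once a window holds a meaningful number of requests.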

Cloudflare indicators

If your infrastructure uses Cloudflare’s DDoS protection, the dashboard provides real-time monitoring. Unusual spikes in requests per second, especially if they exceed historical baselines by a large margin, warrant immediate investigation. Cloudflare’s systems automatically detect and mitigate many attacks, but users should monitor for patterns that suggest an ongoing assault.

The most sophisticated attacks, like the 71 million RPS record, can be stopped without service interruption — but only with enterprise-grade mitigation. For smaller organizations, the warning signs often manifest as sudden website slowdown or complete outage during otherwise normal traffic periods.

Detection timing matters

Cloudflare reports that some attacks last only 80 seconds (as with their 5.6 Tbps 2024 mitigation), while others persist for hours or days. Early detection limits damage.

How long do DDoS attacks usually last?

Duration varies widely based on the attacker’s resources, the target’s defenses, and whether law enforcement or mitigation services get involved. There’s no fixed timeframe — some attacks are quick hit-and-run operations, while others are sustained campaigns.

Typical lengths

Industry data suggests most DDoS attacks last less than an hour. However, well-resourced attackers can sustain attacks for days or even weeks. The record-setting 5.6 Tbps attack that Cloudflare mitigated in 2024 lasted only 80 seconds — short but devastatingly powerful (SecurityScorecard).

Booter service pricing often reflects this variation. Premium accounts costing $100/month might offer attacks up to 30Gbps, while cheaper $25/month services can still cause outages affecting 10,000 ISP customers — suggesting these lower-tier attacks can be effective enough to cause significant disruption (eWeek).

What this means: organizations without dedicated DDoS protection face extended exposure. The difference between an attack lasting 10 minutes and 48 hours often comes down to whether you have automatic mitigation in place.

What is the most famous DDoS attack?

Several high-profile incidents stand out in cybersecurity history, demonstrating both the scale of these attacks and their impact on critical infrastructure.

Notable cases

The 2016 Dyn DNS attack remains one of the most significant, disrupting major websites including Twitter, Netflix, and Reddit across the eastern United States. Attackers used compromised IoT devices — particularly compromised webcams and digital cameras — to create one of the largest botnets ever assembled for a DDoS attack.

In the law enforcement arena, Operation PowerOFF has systematically targeted booter services. Downthem and Quantum Stresser represent two of the largest seized services: Downthem alone facilitated over 200,000 attack attempts from 2014 to 2018, while Quantum Stresser was linked to over 50,000 DDoS attacks in 2018 alone (eWeek).

“In this coordinated law enforcement effort, the FBI seized and disabled powerful computer attack platforms that offered DDoS-for-hire services.”

— Rebecca Day, Special Agent in Charge, FBI Anchorage, US DOJ

The pattern from these cases shows how booter services have professionalized over time, with pricing tiers, customer support, and volume discounts — making attack tools accessible to anyone with cryptocurrency and a grudge. The catch is that the FBI is actively tracking these platforms and their users.

How to stop a DDoS attack: practical steps

Stopping an active DDoS attack requires a combination of immediate response and longer-term protection. Here’s a practical approach:

Step 1: Confirm the attack

Check your server metrics and traffic analytics. If traffic spikes don’t correlate with legitimate sources — sudden geographic anomalies, unusual device patterns, or requests targeting non-popular endpoints — you may be under attack. Your hosting provider or CDN dashboard often shows this data most clearly.

Step 2: Enable rate limiting

If your web server or CDN supports rate limiting rules, activate them immediately. This restricts how many requests a single IP or IP range can make within a time window. Many CDN providers offer this as a standard feature.

Step 3: Engage your CDN or DDoS protection service

If you use Cloudflare, Akamai, AWS Shield, or similar services, they’re your first line of defense. These services absorb and filter malicious traffic before it reaches your origin servers. Cloudflare automatically detects and mitigates many attacks without requiring manual intervention.

Step 4: Contact your ISP or hosting provider

If the attack overwhelms your CDN or is a volumetric flood, your upstream provider may need to implement blackhole routing (also called null routing) for the targeted IP addresses. This won’t keep your site online, but it prevents the attack from consuming your entire network.

Step 5: Document and report

Save logs showing the attack traffic patterns. Report to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. The more data law enforcement has, the better they can trace attacks to their source. Operation PowerOFF seizures relied partly on victim reports and traffic analysis.
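
The rate limiting in Step 2 restricts requests per IP or per IP range within a time window. The following is an added example, not code from the original article or from any CDN: a sliding-window limiter that enforces both budgets at once. The class name, the limits, the /24 and /48 range sizes, and the addresses in `demo()` are assumptions chosen for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque

class WindowLimiter:
    """Sliding-window limiter with separate budgets per IP and per range."""

    def __init__(self, per_ip, per_range, window=10.0, clock=time.monotonic):
        self.limits = {"ip": per_ip, "range": per_range}
        self.window = window
        self.clock = clock
        self.hits = defaultdict(deque)  # (kind, key) -> accepted timestamps

    def _keys(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 48  # assumed range size
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (("ip", str(addr)), ("range", str(net)))

    def allow(self, ip):
        """Return True if the request fits both budgets, recording it if so."""
        now = self.clock()
        keys = self._keys(ip)
        for kind, key in keys:
            q = self.hits[(kind, key)]
            while q and now - q[0] >= self.window:
                q.popleft()  # drop timestamps that left the window
            if len(q) >= self.limits[kind]:
                return False  # rejected requests are not counted
        for k in keys:
            self.hits[k].append(now)
        return True

    def prune(self):
        """Drop idle keys so limiter state cannot grow without bound."""
        now = self.clock()
        stale = [k for k, q in self.hits.items() if not q or now - q[-1] >= self.window]
        for k in stale:
            del self.hits[k]
        return len(self.hits)

def demo():
    """Constructed scenario using a fake clock and documentation addresses."""
    t = [0.0]
    lim = WindowLimiter(per_ip=3, per_range=5, window=10.0, clock=lambda: t[0])
    one_ip = [lim.allow("203.0.113.9") for _ in range(4)]          # 4th is over per-IP
    spread = [lim.allow(f"203.0.113.{i}") for i in range(20, 24)]  # range budget runs out
    t[0] = 10.0  # window has passed, budgets reset
    return one_ip, spread, lim.allow("203.0.113.9")
```

Call `prune()` periodically: during a flood from many sources, the limiter's own per-key state is itself a resource that can be exhausted.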

Legal warning

If you’re experiencing a DDoS attack, you’re the victim — not the perpetrator. However, be cautious about counter-attacking (which could make you the aggressor) and ensure your own systems can’t be used as reflectors. The FBI treats both launching attacks and running booter services as crimes.

The implication: proactive protection costs far less than reactive recovery, both financially and legally.

Upsides

  • DDoS attacks are now unambiguously illegal under FBI enforcement
  • Law enforcement has seized 75+ booter domains and continues operations
  • Major cloud providers (Cloudflare, Akamai, AWS) offer effective automatic mitigation
  • Attack durations are often short — quick detection limits damage

Downsides

  • Cloud-based botnets make attacks easier and cheaper than ever
  • Small businesses without CDN protection remain vulnerable
  • Premium booter services at $100/month can still overwhelm many targets
  • Conviction details and sentences for charged defendants remain unclear

The clearest trend from law enforcement data: booter services have professionalized rapidly, with tiered pricing, customer support, and volume discounts. This accessibility means the barrier to launching a disruptive attack has lowered dramatically. Cloudflare’s role is paradoxical: they block attacks for legitimate sites while facing accusations of hosting booter services that compete with their protection business.


Frequently asked questions

What describes a DoS attack?

A denial-of-service (DoS) attack is any attempt to make a computer, server, or network resource unavailable to its intended users by temporarily or indefinitely disrupting services. This is typically accomplished by flooding the target with superfluous requests or exploiting vulnerabilities that crash the system.

What is a denial-of-service (DoS) attack?

A denial-of-service attack overwhelms a target system with requests, preventing legitimate users from accessing it. When the attack originates from multiple sources simultaneously, it’s called a distributed denial-of-service (DDoS) attack.

How serious is a DDoS attack?

Very serious. The FBI treats launching or hiring DDoS attacks as federal crimes carrying potential fines and jail time. Beyond legal consequences, DDoS attacks disrupt hospitals, financial institutions, gaming platforms, and government services — causing real-world harm beyond mere inconvenience.

What is the purpose of a DDoS attack?

Motivations vary: extortion (demanding payment to stop attacks), competition (harming rivals’ online presence), hacktivism (making a political statement), or simply malice. Booters often market themselves for “stress testing,” but the FBI rejects this justification when the “tests” target real websites.

DoS and DDoS attack example

The 2018 seizures of Downthem and Quantum Stresser offer concrete examples. Downthem facilitated over 200,000 attacks across four years; Quantum Stresser was responsible for 50,000+ attacks in 2018 alone. Both services offered tiered pricing from $25/month basic plans to $100/month premium accounts.

How to fix a DDoS attack

The primary fix is mitigation: using a CDN with DDoS protection (Cloudflare, Akamai, AWS Shield), implementing rate limiting at the network edge, and reporting to authorities. For active attacks, engaging your protection service immediately is critical — most enterprise DDoS services filter malicious traffic automatically before it reaches your servers.

For website operators, the choice is increasingly clear: invest in proactive DDoS protection now, or risk becoming a statistic in the next Operation PowerOFF seizure — whether as a target or, worse, as an unwitting participant in someone else’s attack. The FBI’s message is unambiguous: both launching attacks and running booter services face prosecution, and law enforcement continues to expand its international campaign against DDoS-for-hire infrastructure.