A California jury today returned a guilty verdict in the trial of Matthieu gatrel, a man from St. Charles, Ill., accused in 2018 of operating two online services that allowed paying customers to launch powerful Distributed Denial of Service (DDoS) attacks against Internet users and websites. Gatrel’s conviction comes about two weeks after his co-conspirator pleaded guilty to criminal charges relating to the management of the service.
Central District California prosecutors indicted 32-year-old Gatrel and his business partner Juan “Severon” Martinez of Pasadena, California, with the operation of two DDoS rental or “booter” services – shoot them down[.]organization and ampnode[.]com.
Although he admitted to FBI agents that he ran these bootstrapping services (and provided plenty of incriminating evidence in the process), Gatrel opted to take his case to court, defended the entire time. by public defenders. Faced with the prospect of a heavy sentence if found guilty at trial, Martinez pleaded guilty on August 26 to one count of unauthorized tampering with a protected computer.
Gatrel was convicted of all three counts of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized tampering with a protected computer, conspiracy to commit wire fraud and unauthorized tampering with a protected computer.
Investigators say Downthem has helped some 2,000 customers launch debilitating digital attacks on more than 200,000 targets, including numerous government, banking, academic and gaming websites.
Prosecutors alleged that in addition to running and marketing Downthem, the defendants sold huge lists of constantly updated internet addresses linked to devices that could be used by other startup services to make the much more powerful and effective attacks. In addition, other startup services have also drawn firepower and other resources from Ampnode.
Startup and stress services allow clients to choose from a variety of attack methods, but almost universally the most powerful of these methods involves what is known as a “reflective amplification attack”. In such attacks, perpetrators use unmanaged Domain Name Servers (DNS) or other devices on the web to create huge traffic floods.
Ideally, DNS servers provide services only to machines in a trusted domain, such as translating an Internet address from a series of numbers into a domain name, such as example.com. But DNS reflection attacks rely on consumer and business routers and other devices with DNS servers that are (poorly) configured to accept requests from anywhere on the web.
Attackers can send spoofed DNS queries to these DNS servers, crafting the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they respond to the spoofed (target) address.
Bad guys can also amplify a thoughtful attack by creating DNS queries so that the responses are much more important than the queries. For example, an attacker could compose a DNS query of less than 100 bytes, resulting in a response 60 to 70 times larger. This “amplification” effect is particularly pronounced if the authors simultaneously query dozens of DNS servers with these spoofed requests.
The government accused Gatrel and Martinez of constantly searching the Internet for these misconfigured devices and then selling lists of Internet addresses linked to these devices to other startup service operators.
Gatrel’s conviction is scheduled for January 27, 2022. He faces a legal maximum sentence of 35 years in federal prison. However, given the outcome of lawsuits against other bootstrapping service operators, it seems unlikely that Gatrel will spend much time in jail.
The case against Gatrel and Martinez was initiated amid a widespread crackdown on bootstrapping services in December 2018, when the FBI teamed up with law enforcement partners overseas to seize 15 different bootstrap service domains.
Federal prosecutors and DDoS experts interviewed at the time said the operation had three main goals: to educate people that recruiting for DDoS attacks is illegal, to destabilize the burgeoning booter industry and, ultimately account, reduce the demand for booter services.
The jury is still out on whether any of these goals were achieved with a lasting effect.
The original complaint against Gatrel and Martinez is here (PDF).