European law enforcement agencies say they've arrested the administrators of a website that allowed users to pay to knock selected websites offline.
The site Webstresser.org let paying customers — for as little as 15 euros a month, according to the European law enforcement agency Europol — launch distributed denial of service (DDoS) attacks to shut down websites or Internet users.
Authorities arrested the alleged administrators in the U.K., Croatia, Canada and Serbia on Tuesday, Europol said in a statement. Dutch police and the U.K.'s National Crime Agency led the investigation, dubbed "Operation Power Off." At least 10 people were arrested, the Dutch National Police said on Reddit Wednesday.
Webstresser visitors located in the U.S. saw a notice: "THIS SITE HAS BEEN SEIZED." Europol said Webstresser's servers were "seized" in the U.S., Germany and the Netherlands.
Law enforcement alleges the site had 136,000 registered users and was responsible for 4 million attacks as of this month.
"The damage of these attacks is substantial. Victims are out of business for a period of time, and spend money on mitigation and on (other) security measures," the Dutch police said.
Webstresser provided what was a called a "booter" or "stresser" service — what security researcher Brian Krebs calls "virtual hired muscle that anyone can rent to knock nearly any website or Internet user offline." A DDoS attack works by overwhelming an online service with fake traffic from various sources.
"It used to be that in order to launch a DDoS attack, one had to be pretty well versed in internet technology," Europol said. "That is no longer the case. With webstresser.org, any registered user could pay a nominal fee using online payment systems or cryptocurrencies to rent out the use of stressers and booters."
One of the most widely felt DDoS attacks occurred on Oct. 21, 2016, when an attack caused disruptions to Twitter, Amazon, Spotify and Airbnb for much of the day.
"Attacks-for-hire" are leading to an increase in the frequency of attacks, experts say.
These types of attacks make $13 million in revenue each year, the security company Bromium's CEO Gregory Webb told the website Threatpost. An average DDoS attack costs a business between $200 and $1,000 each day, he told the site.
Many booter services advertise themselves as legitimate testing services for customers to test their own website's ability to withstand an attack. "Many booter service operators apparently believe (or at least hide behind) a wordy 'terms of service' agreement that all customers must acknowledge, under the assumption that somehow this absolves them of any sort of liability for how their customers use the service," Krebs writes.
Europol calls Webstresser the "biggest" marketplace for selling DDoS attacks. But according to Krebs, "there are dozens of other booter services in operation, with new ones coming online almost every month."