Watching the news about Russia’s invasion of Ukraine, it’s hard not to feel frustrated. If only there were some way to help! But what’s this? A website that promises you can participate in an online takedown of Russian websites, all from the comfort of your own desk, or couch? You may be inspired to strike a cyber-blow for freedom, but taking part in a DIY distributed denial of service (DDoS) attack is not the most effective—or legal—way to do that, as we’ll explain.
How It Works
The site in question states that it was “made with love in Norway.” It has a highly descriptive domain name that I won’t spell out entirely here. OK, the name is f*ck dash r*ssia dot com. (No, there’s no international agreement against domain names that contain obscene words.)
The colorfully named website makes a simple promise: “On this site we’re targeting crucial infrastructure in Russia to prevent Putin from spreading more lies. Click the ‘start’ button and keep the tab open. It will send a constant flow of 100 attacks per second against Russia.” A banner at the top suggests you may want to use a VPN, because Russia is blocking traffic from other countries.
If 100 attacks per second aren’t enough for you, there’s an option to crank up the volume. You can choose Nuke ‘em (500 per second), Release the Kraken (1,000 per second), or Unleash Hell (5,000 per second). Remember, these attacks are coming from your computer, so choosing a super high rate is likely to slow down your machine.
Scrolling down the page you’ll find a list of sites subject to attack. If you dare to click the button, you’ll see the results of your DIY attacks. For reasons I’ll describe below, I don’t advise clicking the button, but I did turn it on briefly, just to see. It appears that most of the sites listed have some kind of protection that results in an error message, “Failed, host denied!” I did see a fair number reporting successful attacks, though. The sites are color coded, so you can quickly get an overview of the effect you’ve had.
It Might Not Work
I had a bad feeling about using this scattershot approach. To really figure out what’s appropriate, I checked in with my circle of security experts. “I don’t know of this particular site,” said Mikko Hypponen, chief research officer at Finnish security giant F-Secure, “but I’ve seen similar before. An attack like this is very easy to filter with services like Cloudflare or Akamai.” As others have observed, Russian government sites contract with Kasperky Business for this type of protection.
Graham Cluley, international speaker on security, podcaster, and long-time industry expert, points out that you really don’t know anything about the site in question. “You don’t know if the website is logging information about you when you click the button, information which might later be used against you,” Cluley noted. “You don’t know who has created the website and if they are being honest in their claims,” he continued. “They might have added other targets that you wouldn’t feel comfortable launching a DDoS attack against. For instance, online services that provide medical information.”
Cluley also pointed out that even though this click-to-DDoS site targets specific domains, “it is quite possible that other innocent websites and internet services will also be disrupted.”
This kind of attack is nothing new to Bogdan Botezatu, Director of Threat Research and Reporting for Bitdefender. “We have seen such services spawning at different domains as hacktivist groups get mobilized,” said Botezatu. “We are monitoring this.”
Botezatu felt that the attack could be effective, saying that when you press the button, it “spawns some Low Orbit Ion Cannon instances behind the browser which would attempt to crash the victim hosts. With hundreds of thousands of people signing up for the cause, it would be increasingly difficult for victims to block IP ranges. It’s all in the number of people concomitantly running the attack.” I should note that the site in question does not claim to have hundreds of thousands of people signing up.
You Could Get in Trouble
If you vent your anger about Russia’s empire-building by throwing a brick through the window of a Sberbank office, you’ll get in trouble. That sort of self-expression isn’t legal. Online vigilantism can also get you into trouble. “Participating in a distributed denial-of-service attack is illegal in many countries,” noted Cluley. That “many” includes the US, where the Computer Fraud and Abuse Act criminalizes DDoS attacks.
Botezatu agreed, saying “voluntary attacks against random targets is a crime and can, at best, get you disconnected and put in time-out by your own internet service provider.”
F-Secure’s Hypponen figured there’s not much danger, however. “It’s unlikely the participants would really get in trouble,” he said, “although technically they are probably breaking the law when clicking the button and willingly participating in an attack.”
Recommended by Our Editors
Depending on where you live, participating in the DDoS attack could be a crime, then. Getting caught could mean a fine, or perhaps worse in this work-from-home world, having your internet connectivity severed. Do you feel lucky?
Attack ‘Em or Call ‘Em?
While casting about for other DDoS-for-hire sites targeting Russia, I found something quite different at the website Pozvoni Rosii (Call Russia). With the motto “40 million phone calls to end the war,” this site will connect you with a random private phone number somewhere in Russia, so you can talk about the war with an ordinary Russian. It’s quite a different approach from trying to overload Russian internet domains, and safer, too.
“I think that’s a clever idea,” said Hypponen. “It’s hard for the Russian government to filter, and might make a difference to the Russian people who get the call.” Cluley was a bit less enthusiastic. “I don’t see that that puts the caller at any risk,” he said, “but it must be pretty irritating to receive the calls! A bit like sending a spam email about the war I guess, but rather more disruptive to the person at the other end.”
Before you grab the phone, you’d better brush up on your Russian. You’ll need to be fluent enough to hold a conversation, and calm enough to handle your recipient slamming down the phone. As for me, I can painstakingly read Russian, but I’m not fluent at all, so I didn’t try it.
What Can You Do to Help?
“In a nutshell, it seems unwise for people to become internet ‘guns for hire,’” concluded Cluley. “If you really want to help, lobby your government to do more to assist the people in Ukraine and support the legitimate charities and volunteers who are working hard to make lives more bearable for those who have lost their homes through no fault of their own.”
There are a lot of ways you can help victims and displaced people in Ukraine, from buying games to helping recognize and counter disinformation about the Russia-Ukraine situation. We at PCMag are doing our best to keep track of the war, both physical and cyber, at least on the technical side, and to point out charities and other organizations supporting victims.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
