I run a service which was recently DDOS'd. It came immediately after a request from the police services in India to give them data on a specific user. They claimed it was terrorism related. We explained our policy on that (there is a procedure but it requires lengthy legal formalities in our jurisdiction). Within hours our service was taken down. It lasted about 12 hours. We never received any ransom request. We were left with 3 possibilities:
1. Indian police/government
2. Original user
3. Total coincidence
When it happens you just realize: this should not be possible. This is a game that hugely benefits the most powerful players whether they just don't bother solving the problem or actively play in it.
IMO there is no way the Indian police are competent enough to DDOS your service.
They definitely are.
Beat cops definitely aren't, but most police forces in India are state-level and a couple are federal, and they will usually have a task force devoted to offensive and defensive security; if not, they will contract out to companies like Appin Security Group (who were able to force Reuters and SentinelOne to remove their report into how the private-public cyber model in India operated [0]).
Also, after the 2008 Mumbai attacks, the Indian Ministry of Home Affairs began working on coordinating and centralizing metadata analysis and monitoring [1][2][3], because they were unable to trace the VoIP calls used by LeT [4].
If it was actually national security related, it would have gone through a couple of fusion centers that the Indian government formed [5][6]. If it was some local PD asking the platform, they probably wouldn't have the capabilities to DDOS.
[0] - https://www.reuters.com/investigates/special-report/usa-hack...
[1] - https://en.m.wikipedia.org/wiki/Central_Monitoring_System
[2] - https://en.m.wikipedia.org/wiki/NATGRID
[3] - https://en.m.wikipedia.org/wiki/DRDO_NETRA
[4] - https://www.wired.com/2008/12/mumbai-and-voip/
[5] - https://en.m.wikipedia.org/wiki/National_Cyber_Coordination_...
[6] - https://en.m.wikipedia.org/wiki/Indian_Cyber_Crime_Coordinat...
So, the Indian police are actually able to apply quite a lot of pressure when terrorism is involved... but when Americans like Scammer Payback report giant scam call centers with credible evidence, they take well over a year to raid them, and leak the first raid to the scammers beforehand? [1]
[1] https://www.youtube.com/watch?v=UdEELggaY5Q
Because terrorism related stuff falls under the Indian equivalent of Homeland Security, even if it's local PD triaging.
Raids that are not national security related need coordination between the federal government and the state government in India. The scamming call centers are located in a state called West Bengal. West Bengal is ruled by a regional opposition party called the TMC. West Bengal removed its consent for the federal police in India to raid without the consent of the West Bengal police. This ended up in the Supreme Court for a couple of years [0].
On top of that, the scamming call centers are closely tied to the ruling party machinery in that state, as you need to get a license from the state government to operate a call center, and these kinds of call centers will often be donating to local political parties to look the other way.
Watch Jamtara on Netflix. It's a good overview on the economics of scam calls in India.
[0] - https://www.deccanherald.com/india/cbi-independent-legal-ent...
Ah, so that is the reason why it's always West Bengal that's mentioned in SP and the other scambaiter videos? I had wondered about that before - I thought that it's mostly because he has infiltrated some local scammer coordination group on Whatsapp.
Many thanks for the context!
Np. India is a federal democracy like the US. The same kind of state-federal clashes that happen in the US happen in India.
Think of Indian democracy as being similar to American democracy in the 1890s-1930s, when local despots like Huey Long and populists like William Jennings Bryan roamed the planet.
Yep. In other states they either will get raided by the Federal Police (eg. CBI) or the economics of running a call center doesn't make sense.
To run a scamming call center you need a low cost English speaking population AND Political Backing. Most states in India will have 1, but not 2 (or at least, not for call centers).
Don't forget hacking activists' computers and phones to plant files to convict them of terrorism. [0]
[0] https://www.wired.com/story/modified-elephant-stan-swamy-hac...
That's local/state level police.
That entire apparatus is rotten due to the incentive structure - if you as a cop don't listen to politicians, you'll get a last minute transfer to some village in the middle of nowhere with no running water
Government authorities purchasing shady cyberweapons is a well-documented issue. It would be a pleasant surprise if there was any government on Earth that didn't do such things, out of respect for basic human rights.
https://hn.algolia.com/?q=nso
DDoS-for-hire services exist. They don't have to build their own.
It's not too hard to DDOS a website. Here's the 9th google result for booter service:
https://nightmarestresser.net/
How sure are you that the request came from the actual police in India, and not somebody else? I.e. someone who might get irrationally upset when you did not give them what they wanted?
"someone who might get irrationally upset when you did not give them what they wanted"
Like the police in India?
I would assume that the actual police have their own traditional methods of being irrationally vindictive, and would not normally resort to DDoS.
Indian police will have a lot of trouble beating you if you live in another country.
Google Hardeep Singh Nijjar.
Still a lot of trouble.
Their government might though..
Those traditional methods don't often work very well across borders like a DDoS does. The post at the top of the thread didn't state whether or not they were based in India too.
Yes we went through a bit of procedure to establish that. They have also been in touch with the authorities in our jurisdiction since.
In fact we were contacted by multiple police authorities from different regions.
Agreed, I've been through something like this before and it was not legit. They'd compromised a Bangladeshi police email account and used it to try to get data out of us.
IMO what is surprising about this is that the service didn't already have DDOS protection of some sort (or did it?) It's been a pretty standard practice to add that to any public-facing service for a decade or two now, hasn't it? Cloudflare is free/cheap for smaller services and there are many other options too.
I'd just assume that any service is going to get randomly DDOSed soon after launch, even without any sort of blackmail/targeted attack. Even if you can figure out who did it, there's pretty much no chance of chasing them down.
My takeaway from this wouldn't be "this shouldn't be possible" but "this has been commonplace for decades, and will keep happening, and we should prepare for the next one".
It doesn't really matter whether it's some corrupt local agency or some script kiddie... half the world's connected, on various shitty devices, and DDOSes are gonna keep happening.
Sourcehut is big enough that Cloudflare is neither cheap nor free; I think there was a discussion about this in another post.
Nor is it a good thing that Cloudflare has keys to half of the internet.
Wasn't talking about Sourcehut, but this comment's parent.
And there are alternatives to Cloudflare.
The point is just that DDOSes have been common for decades and they shouldn't be a surprise for anyone. They're an inherent part of the internet protocols we have and the freedom of routing. Saying "they shouldn't exist" is like saying bad actors shouldn't exist. Sure, that's a nice thought, but they do exist (and have existed long before Cloudflare) and we can't just pretend otherwise and believe that our service won't be affected. It's just a matter of time/luck.
Is sr.ht free?
We were recently DDOS'd, too. Every time it happens, I wonder, who benefits from it (or even cares about us)? Competitors? Someone's bored? A disgruntled customer? And we'll probably never know.
Cloudflare. And any other DDoS protection vendors.
Not saying they caused it but obviously they benefit the same way roof tile manufacturers benefit from hurricanes.
Cloudflare benefits so long as you buy protection from them. It doesn't need to be you. So long as you think you need their services, it doesn't matter if you actually do. They also have the ability to keep you running if your project explodes in popularity.
Yes, my org was recently DDoSed too, repeatedly. It was honestly inexplicable. We're still not sure why.
Which police service? Some Military and Internal Security forces have the name "Police", eg. CRPF, ITBP.
If it was one of these forces within the MHA, I wouldn't be surprised, because it falls under "National Security"