In August, DraftKings' website, www.draftkings.com, was the victim of a Distributed Denial of Service (DDoS) attack. DraftKings is an online platform for individuals to compete in daily fantasy sports contests. The attack shut down the website’s operations for 26 minutes. Although that is a relatively short period of time, DraftKings suffered financial harm and is unhappy. So much so that on August 30, DraftKings filed a lawsuit in Massachusetts against John Does. Why John Does? Because, as with most hacks, DraftKings doesn’t know who perpetrated the cyber attack.
What Is a DDoS Attack?
A DDoS attack uses multiple computer systems to attack a target such as a server, website or other network resource and cause a denial of service for legitimate users of the targeted resource. The arsenal for the attack is usually a flood of incoming messages, connection requests or malformed packets to the target system that forces the system to slow down or even crash. Simply put, the target system is overwhelmed with data and legitimate users cannot access the system.
The overflow of data comes from other computers or network devices. Essentially, someone takes control of thousands of network devices, and directs those devices to send data to the target system. A computer or network device under the control of an intruder is known as a zombie or bot. The attacker may create what is called a command-and-control server to command the network of bots, called a botnet. The person in control of the botnet is called the botmaster (I couldn’t make this stuff up). Once the botnet is assembled, the attacker can use the traffic generated by the compromised devices to flood a target domain or knock it offline, or prevent legitimate users from accessing the target domain resulting in a successful DDoS attack.
DDoS attacks are a major concern because the Internet of Things (IoT) is projected to create billions of possible nodes with sparse security that can be transformed into bots.
According to the Complaint, on August 7, 2018, at approximately midnight, the website was targeted by a DDoS attack. DraftKings neutralized this initial attack.
Around twelve hours after the first attack, DraftKings was under another DDoS attack. For a short period, DraftKings was unsuccessful in thwarting the second attack. DraftKings was able to stop the attack within 26 minutes, but during that time DraftKings suffered financial harm.
DraftKings discovered that the hackers used dozens of IP addresses to conduct the attack. The IP addresses were located in several parts of the US and overseas. The foreign countries included Romania, Canada, Algeria, Poland, Palestine, Egypt, Saudi Arabia, Venezuela, Tunisia, and Morocco.
The American Registry for Internet Numbers (ARIN) manages the distribution of Internet number resources such as IP addresses for the US, Canada, and many Caribbean and North American islands. Based on ARIN’s published directory of registrants of IP addresses, DraftKings determined that 75% of the U.S. IP addresses were registered to ColoCrossing, a co-location and cloud services provider in New York. The other IP addresses were registered to Google LLC, T-Mobile, Verizon Wireless, and NetActuate.
DraftKings requested that ColoCrossing provide information regarding the IP addresses. ColoCrossing informed DraftKings that the IP addresses were leased or operated by HighProxies.com. DraftKings requested the IP addresses and subnet information for HighProxies.com with no success.
According to the Complaint, DraftKings has been unable to identify the true source of the DDoS attack because it has not received any helpful information from ColoCrossing or HighProxies.com. As such, DraftKings was forced to bring the lawsuit to identify the attacker and prosecute claims against them.
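The registry lookup described above can be sketched as follows. This is an added example, not anything from the Complaint or from DraftKings: the log format, the address ranges (RFC 5737 documentation ranges) and the registrant names are constructed stand-ins for real access logs and ARIN directory data.

```python
import ipaddress
from collections import Counter

# Constructed registry extract: RFC 5737 documentation ranges and
# hypothetical registrant names, standing in for real ARIN directory data.
ALLOCATIONS = [
    ("192.0.2.0/24", "Hosting Provider A"),
    ("192.0.2.128/26", "Proxy Reseller B"),  # reassignment inside A's block
    ("198.51.100.0/24", "Mobile Carrier C"),
]
NETWORKS = [(ipaddress.ip_network(cidr), org) for cidr, org in ALLOCATIONS]

# Constructed access-log lines: "<timestamp> <source-ip> <method> <path>"
SAMPLE_LOG = """\
2000-01-01T12:00:01Z 192.0.2.10 GET /
2000-01-01T12:00:01Z 192.0.2.10 GET /
2000-01-01T12:00:01Z 192.0.2.11 GET /
2000-01-01T12:00:02Z 192.0.2.130 GET /
2000-01-01T12:00:02Z 198.51.100.7 GET /
2000-01-01T12:00:02Z 203.0.113.9 GET /
2000-01-01T12:00:03Z not-an-ip GET /
"""

def requests_per_source(log_text):
    """Count requests per valid source IP; malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            counts[str(ipaddress.ip_address(fields[1]))] += 1
        except ValueError:
            continue
    return counts

def registrant_for(ip):
    """Return the registrant of the most specific block containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, org) for net, org in NETWORKS if addr in net]
    return max(matches)[1] if matches else "NO RECORD"

def registrant_share(counts):
    """Fraction of distinct source IPs attributed to each registrant."""
    by_org = Counter(registrant_for(ip) for ip in counts)
    total = sum(by_org.values())
    return {org: n / total for org, n in by_org.items()}
```

A registry record names whoever holds the block, which is not necessarily whoever operated the machine at that address; where no reassignment record is published, only the holder can say who leased it.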
Computer Fraud and Abuse Act
DraftKings is seeking recovery under the Computer Fraud and Abuse Act, 18 USC sec 1030 (CFAA). Under the CFAA, whoever knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; or intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss is subject to imprisonment and fines.
Protected computer is defined as a computer which is used in, or affecting, interstate or foreign commerce or communication.
The CFAA provides a private right of action by stating that “[a]ny person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.”
In a valiant attempt, DraftKings has alleged that the unknown attackers violated the CFAA, and are likely to continue the unlawful behavior if not identified and stopped.
What Does DraftKings Really Expect?
The attackers are probably foreign citizens who are outside the Court's jurisdiction. This may implicate international law and extradition treaties. For an attack that only lasted 26 minutes, it seems that DraftKings is expending a lot of resources, such as attorneys' fees and litigation costs, for a lawsuit that may result in an empty judgment because the attackers will never be brought to justice. Unless DraftKings has another motive, such as determining if the attack was conducted by competitors (cue the dramatic music), or to have a "personal" conversation with these individuals.