Four Years Jail For Bredolab Botnet Author 47
angry tapir writes "The creator of the Bredolab malware has received a four-year prison sentence in Armenia for using his botnet to launch DDoS attacks that damaged multiple computer systems owned by private individuals and organizations. G. Avanesov was sentenced by the Court of First Instance of Armenia's Arabkir and Kanaker-Zeytun administrative districts for offenses under Part 3 of the Article 253 of the country's Criminal Code — intentionally causing damage to a computer system with severe consequences."
Re:What were the consequences (Score:5, Insightful)
Let me give you a more valid window glass analogy. If you had invested in better glass, the kids rock would not have smashed your window.
Plus we're talking about DDoS here. That is not trivial to protect against. Your jab at Microsoft is silly.
Re:What were the consequences (Score:5, Insightful)
How would you "secure" a system against a DDoS? The only solution is to throw money at the problem. Yes, you can mitigate to some degree, but the numbers get very big very fast regardless.
Quick google turns up "DDoS attack size broke 100 Gbps for first time" from Feb 2011. The only way to prevent 100 Gbps of traffic from drowning your site is to have *significantly* more than 100 Gbps of bandwidth available to you, or to hire someone who does. And even then, someone must pay for that bandwidth.
Another hurdle to overcome is if someone is attacking your application layer, you have to throw CPU cycles (and possibly RAM) at the problem to solve it. If you assume a typical HTTP request of 1k, handling or filtering 100M (or even 1M @ 1Gbps) http requests per second is going to require some hefty hardware. A quick google gives the number 3k requests per second for a typical apache server serving blank pages. You would need 300 web servers to handle 1M requests, and 30,000 to handle 100M requests. Numbers are just ballpark figures, and may be off by an order of magnitude or two, but you get the idea.
In short, protecting against a DDoS is hardly professional neglect. It's a financial decision. Even if you hire someone else to handle it for you, someone eventually pays the price.