The Akamai Blog

Teens Busted for Exploiting Lizard Squad Attack Tool

In January, we told you about Lizard Squad, an attack group that ruined Christmas for a lot of Sony PlayStation and Xbox users by launching DDoS attacks against those gaming networks. The authorities have been chasing them down since then, and this month six teens were arrested for using Lizard Squad's signature Lizard Stresser DDoS attack tool.

Bloomberg Business News reported over the weekend that the arrests were made in Manchester, Huddersfield, Milton Keynes, Northampton and Stockport between last Tuesday and Friday. The suspects are boys aged 15 to 18. Security journalist Brian Krebs broke the news on Aug. 28. In his KrebsOnSecurity post, Krebs wrote that paying customers use the Lizard Stresser tool to knock websites offline for up to eight hours each time.

The U.K.'s National Crime Agency (NCA) said in a statement, "Those arrested are suspected of maliciously deploying Lizard Stresser, having bought the tool using alternative payment services such as Bitcoin in a bid to remain anonymous. Organizations believed to have been targeted by the suspects include a leading national newspaper, a school, gaming companies and a number of online retailers."

Akamai covered Lizard Squad in the Spotlight Attack section of its Q4 2014 State of the Internet Security Report. The report focused on one particular attack that targeted an Akamai customer in August 2014 and again in December. The multiple TCP flag DDoS attack was part of a DDoS attack campaign that generated high traffic volumes and high packet rates. Akamai scrubbed the malicious traffic, sending only clean traffic to the customer.

"Although this multiple TCP flag DDoS attack seemed to be executed like a SYN flood, there were some differences that suggest the use of a new attack tool. This particular attack appears to be a calling card of sorts for Lizard Squad," the report said at the time. "Each attack against this particular Akamai customer revealed the same use of multipleTCP flags in each packet. The initial campaign in August, although mixed with a UDP flood, contained similar characteristics while also containing some differences."