Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.
On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.
After those restrictions came and went, some readers expressed surprise that there were no formal charges announced against either of the young men. This week, however, Israeli police sent letters to lawyers for both men stating that the official investigation was nearing completion and that they planned to urge government prosecutors to pursue criminal charges.
The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).
Bidani’s attorney Perach Aroch told KrebsOnSecurity that her client has not yet been officially charged with any crime. But she said once the investigation is complete the defense will have 30 days to review the evidence and to make arguments as to why the case should be dismissed.
“They have to give us 30 days to see all the evidence and to try to convince them why they should not take this case to court,” Aroch said. “After that, [the prosecutors will] decide if it should go to trial.”
The arrest of Bidani and Huri came after the police received information from the Federal Bureau of Investigation (FBI). But the United States apparently isn’t the only country weighing in on this case: According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.
It’s unclear exactly why the Swedish government is so interested in this case, but the vDOS service has been implicated in a series high-profile attacks that brought down some of the country’s largest news media Web sites last year.
Shortly after those attacks in March 2016, Somerville, Mass.-based security intelligence firm Recorded Future published an analysis linking the assaults against Swedish media sites to vDOS and to “applej4ck,” the hacker nickname allegedly used by Bidani.
In publicizing the news of vDOS’s hack last year, KrebsOnSecurity also published several months of attack logs from the vDOS service. However, those logs only dated back to May 2016.
Itay Huri’s lawyer declined to comment for this story, but TheMarker’s Amitai Ziv obtained a statement from Huri’s attorney, who accused Israeli police of applying pressure and terror through the media instead of looking for the truth.
Ziv said sources he’s spoken to believe the case will almost certainly go to trial.
“Professionals involved in the case said the likelihood of indictments in the affair is very high,” he wrote.
According to Bidani’s lawyer Aroch, the two former friends are now pointing the finger of blame at each other and are no longer speaking to one another.
“They each now accuse each other in things, so it’s a little bit of a problem,” Aroch said.
Aroch said both Bidani and Huri are free to travel and even leave the country, although both men have had their bank and PayPal accounts frozen.
Bidani and Huri allegedly started vDOS when they were 14 years old. By the time the service was shut down last September, it had attracted tens of thousands of customers who paid for attacks in PayPal (when vDOS’s PayPal accounts were shut down, the service briefly shifted to accepting payment via Bitcoin).
My Sept. 2016 investigation into the hacking of vDOS revealed that in just two of the four years the service was in operation, it brought in revenues of more than $600,000.
It’s unclear how many digital sieges were launched by vDOS, but it was likely several million. The aforementioned user logs stolen from vDOS and leaked to KrebsOnSecurity show that in just the span of less than three months last year the service was responsible for more than 150,000 attacks.
KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.
That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.
Lawyers for Bidani and Huri have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks. The owners of these stresser services have sought to hide behind wordy “terms of service” agreements which all customers must agree to, arguing that these agreements absolve them of any sort of liability for how their customers use the service.
Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.
In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail. In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.
I hope they get the justice they deserve, but I’m not familiar with Israeli hacking laws and punishment.
How would 2fa have prevented any of this?
are you sure you’re commenting on the right story, Mike?
Absolutely sure. I want an answer to this, please sir.
Then I don’t understand your question. This article has nothing to do with 2FA, and 2FA is not a defense against DDoS.
So your saying that there is not a single aspect of this situation that could have been prevented by 2fa?
Yes – that is exactly what he is saying.
A DDoS attack is simply flooding a server with requests until it fails to respond to legitimate ones. 2FA is defense against attacks targeting login credentials. Even a user not logged in to a site, say krebsonsecurity.com can still send a request to the server, and that will use up server resources. Asking how 2FA could have prevented this is like asking how additional TSA screening at airports could help prevent cancellations for overcapacity flights. Sure, the TSA screening might slow a few people down, and cause them to miss the flight, but the problem isn’t people bringing things onto the plane that they shouldn’t, the problem is too many people wanting to go on the flight to begin with.
2FA would help as much as a daily dose of multi-vitamins, a flu shot, and wearing a condom at all times.
Yes 2FA has got nothing to do with DDOS. Maybe one can use 2FA to start DDOS that’s all…
Yes, 2FA could have prevented this attack. If one were able to implement 2FA authentication services on the stressor services but not provide the hard/soft token(s) to the owners or customers, then they would not be able to conduct the attack. Happy now?
BTW, you do know that you can break that pill in half, right?
What would have prevented this whole thing from happening? I mean of course, aside from bad guys not being bad. What could have been done on any technical level that would have stopped it all? Is this all about the whole world coming together under Google’s wing?
For most sites. Nothing! That is exactly why DDoS are so dangerous. Similar to spam, its costs the spammers pennies to send millions of messages, but the computing on the other side of the network (like antispam filters and time people take to delete them in time invested) is huge.
DDoS attacks are no different. It takes little effort to create a botnet and launch a massive attack. Preventing this is basically impossible. Ok, not impossible but you need to invest a lot of money. Even a small DDoS solution can cost a couple of thousands per month. Google has millions (billions?) invested in their network and datacenter but it’s not free as beer for them to protect Brian either. It costs them bandwidth and computing resources in to detect and filter bad packets.
Most small companies, not to mention website owners have no protection what so ever. The Internet was great when anyone could launch an online business from home and guys like this killed that dream.
You see the problem here? The Internet can’t come up with a proper solution to the problem. It’s basically like this. You have a small hose of water and I bring a fire truck with a bigger hose. Guess who is going to win? Now you could bring 2 fires trucks and I could bring 5.
Attackers have always the biggest hose because they use infected computers systems from other people that are not aware their computers, phone, routers and internet connections are being used to attack someone on the Internet in another part of the planet.
It’s a nasty problem without an easy solution unless you change how the Internet works. I suspect tech companies are interested to solve the problem because innovation online is coming to a halt in the past years. It costs more money and is harder today thanks to all the security problems. Everyone is a loser with DDoS. You, me, companies, everyone.
Have you ever turned on your dining room lights and considered that as you sit down to eat at the table that at the same time ‘those very light bulbs’ giving you light are simultaneously taking down someones website?
How about your toothbrush as you clean your teeth in the morning?
How would you feel if you knew the game your child so inicently
I wish I knew what this meant.
plays is at the same time being conscripted into evil aggression against someones only means of making a living?
IoT is that shiny bling that everyone wants and very few understand. It’s what becomes so instrumental in pitting neighbor against neighbor and no one seems it. There is strength in numbers and there are certainly numbers. This thing really took off with the rise in IoT and that happened for a reason. They are simply so much easier to remotely control. A big part of the solution is a reduction in IoT, not an increase. This must be coupled with an increase in security awareness and a reduction in that “who cares?” attitude. You will find that it is that ‘ludite’ thinking of saying no to IoT becomes far more effective than any 2fa or update or patch.
Mike, if you tie your shoe purple, spring can nup your coffee and the world. Iot Electric intra net innernet and doublemint won’t shake the filament. but 2fa can ddos red pens all hour.
This made me lol. Or as Mike would say “This child knew iniceint neighbors wars IoT.
On any technical level? Time travel. Go back in time, lobotomize the the yutes at an earlier age and viola! They’ll never create their service, so the attack could never happen.
You’re making this too easy.
Technically…..one could leverage an anti-dos service that will scrub/drop this type of attack traffic. Not cheap.
The pirating days of these kids are over … at least until they get out. Nice takedown!
Script Kiddies will never learn
I don’t think 2fa had anything to do with anything here. The users were found to be operating an illegal service. Not sure how their authentication mechanisms would make a difference. Unless that is, are you asking if the people named here would be better protected if they employed 2fa? But Brian’s analysis doesn’t enumerate that detail. The users were proven to be owners of the paypal accounts and the domains and have been detained as a result.
As someone who works in the DDoS protection industry its good we are starting to find these people hiding behind services. But I suspect people will wisen up soon and start hiding in trickier ways. Not much we can do about that, but as more customers work with cloud based DDoS providers and as we start prosecuting more people associated with these DDoS services, the less likely well see DDoS as a primary method of attack.
Alright, so the only real answer to this is in a combination of cloud services and law enforcement.
If that is to be the solution, then there is nothing I can personally do with my computers, home network, or anything else………..except adopt the cloud.
What I’m seeing here is that all of our biggest problems are NOT fixed with updates, patches, and 2fa.
That is not exactly true. A lot of malware attacks take advantage of missing patches, and 2FA will help to keep you more secure when signing into and using services online. DDos is criminal behavior that has nothing to do with patching or authentication. If someone calls your phone number repeatedly in order to disrupt real calls, that is a denial of service attack – same deal with what these kids were doing. For the average home network cloud services to protect from DDos would be prohibitively expensive. In all honestly there is no silver bullet.
That’s not entirely correct. Patching and security practices would go a long way toward preventing the vast majority of IOT devices on the net from being readily hijacked into botnets that are then used to power a lot of DDoS infrastructures.
None of that is needed if the equipment is not used. IoT is not needed. It is better to NOT USE. It is better to remove Flash and Java rather that update.
There simply is no justifiable reason to go through the extreme lengths that so many people go to when it is easier and safer to just not use these things.
My point is that 2fa is not what people think it is. it is not that silver bullet and really does not go all that far to be worth dealing with. 2fa is a joke when compared to the big-picture. It cannot protect you where you need protection. Most updates are the same way.
I don’t blame Krebs for what the Lizard Squad did.
I’m saying that this problem is not getting fixed and it is primarily because too many people have their heads buried in the sand. This site is not staying online for an update. It’s online due to Google software. It’s not staying online for a keyfob football. It’s online for a special service that Google provides that is usually paid for.
I’m saying that there is too much focus on the wrong thing and not enough on the right thing.
Mike, would you mind giving us a quick, bullet-point run down of how a DDOS attack functions? That would let us see what you understand or misunderstand so that we can see where you’re getting this nebulous connection between 2FA and DDOS.
I remember security “professionals” back from the late 90s and early 2000’s…a lot of them thought that the best way to secure an environment was to say “no” all the time. Guess what? They got dis-invited from meetings, and excluded from things…because businesses need to sell products and services. Simply being told that they can’t do what they want to do isn’t a real solution. At the end of the day, the guys who took this “no” approach just annoyed everyone else (hint hint) and pretty much got their entire profession excluded from life-cycle management because they were a pain in the ass. Worst of all, they made it harder for the people who knew what they were doing, as well.
Point in case: the huge DDOS that took down Krebsonsecurity.com is not fiction. It happened, using real IoT devices that exist today and are already in the field. So even if you could convince the whole world to stop buying IoT technology (and you can’t), guess what…it’s too late.
So what are the solutions?
DDoS mitigation is one thing that can be done at the receiving end of the attack. And as networking technology improves, it will likely become even more robust. But more importantly, what needs to happen is for IoT devices to start being built with proper security engineering. This requires inclusion of security professionals in the product lifecycle, starting at an early point. It requires application of some basic design concepts that provide security, and it requires some degree of testing to validate that those concepts were correctly applied.
But it also requires that people who take your approach shut the hell up, so that you stop ruining things for the guys who know how to help. We need a seat at the table, and right now we’ve got one. Please settle down, read up on more than just 2FA, and figure out how to be helpful. If little Timmy really wants a network-connected toothbrush, he’s going to get one; that’s how a free market economy works. What we need to do is help make that toothbrush secure. Truthfully, it’s not all that hard to do, compared to the challenges of securing a three-tier ecommerce application, an ERP system, or an industrial control system. If you can’t help secure the inevitable connected toothbrush, then you have no business trying to dictate a larger solution and you’re only making things worse, not better.
Mike, would you mind giving us a quick, bullet-point run down of how a DDOS attack functions? That would let us see what you understand or misunderstand so that we can see where you’re getting this nebulous connection between 2FA and DDOS.
Do you really think I expected to be told 2fa would stop DDOS? lol
The thing is….to read most of what gets put in articles and in responses, one would think 2fa is the savior of the universe.
I know 2fa is a joke. I already know this. There is nothing about 2fa that stops anything (but maybe the good guys…it’s alot like gun control laws in that way).
Going where Krebs went…..to Google seems to work fairly well. I’m not seeing anything else that comes close. That’s fine. No argument.
Mike, are you okay? You seem to have blended a number of concepts in your head and are not making any kind of sense.
Are you not seeing that DDOS is a movement created by an army of machines that mainly consist of IoT devices? Are you not seeing that most people become so blinded by the bling of IoT while operating on an apathetic level of ignorance when it comes to technology that any suggestion sounding ‘techy’ enough is blindly followed?
Just get the latest update and you will be ok!
Setup 2fa and you will be ok!
Just change your password and you will be ok!
Leave it upto your ISP and you will be ok!
Give it to Apple, MS, Sony, and Facebook and you will be ok!
Just use chip and avoid the mag strip and you will be ok!
Freeze your credit and you will be ok!
Forget that I’m the one saying this for just a minute. Are you really not seeing a pattern here?
mike for cyber czar!!
Mike – “The price of freedom is eternal vigilance.” Things never stay “ok”. Things change.
Good advertisement for MikeDOS.
Mike is seriously making me laugh out loud…
Mike has been the highlight of this discussion session, no doubt!
He’s in the right place to learn though, and with a little more reading and a little less commenting he may catch what we’re saying and walk away with a better understanding. Education really is the root of our current issues after all 🙂
But listening and learning instead of spouting off to stir the pot is not the way trolls behave.
Effort should also be put into charging those paying for these services.
Any names we should know about? What other activities are they involved with?
Thanks for your great reporting!
You dreaming ?? u cant see the name if tgey use bitcoins.
and btw… im sure its very confidental information.
customers like this always like silence.
I think those customers who order ddos they like privacy.
so we woun’t hear about them.
Except you forgot the bit that about that one booter site having years of it’s history leaked. Easy enough to figure out who the customers were in that case!
And just like the US government does, they will get a plea deal if they work for the Israeli government to use their skills to catch bad guys and other cyber activities.
Yes. under google wing.
Facebook.google.paypal.amazon..they all same
They are kind of unlucky to have been found out just as they turned 18.
Tho I wouldn’t put it past the FBI and Sweden’s goverments to have waited specifically for this moment to call them out on it.
@Mike’s question shouldn’t be dismissed.
DDOS attacks typically depend on the attacker having control of a botnet: a very large number of internet-connected computers/devices. That control is obtained in the first place by exploiting vulnerabilities in these devices. Those exploits very often relate to authentication (eg: insecure default passwords on IoT devices). If use of 2FA was ubiquitous, with a high majority of devices using it for authentication, there would be far less “ammunition” for these attackers.
In theory, use of 2FA could have limited the power of these attacks, but only if it was widespread and in use in a large majority of devices.
a) there may be no practical way to use 2FA on many IoT devices, and so they remain vulnerable to authentication exploit, and
b) there are other ways to exploit devices, that are not related to authentication, where using 2FA would not help, and
c) there are so many devices out there already (that cannot be patched) that it probably doesn’t matter (to the attackers) what is done to secure future generations of devices – they have plenty enough ammo for now.
And so the problem remains a problem.
So, can anyone, perhaps Brian, help me with this. How exactly are the owners of these stresser services being arrested? I can understand how the customers of the services may be in trouble, if they’re using the service maliciously and launching DDoS attacks against victims, but if the owners are not launching the attacks, their terms of service indicate they should in no way do this, why are the owners being arrested and charged?
Forgive me for linking this, please edit it if you must, for example a website such as IPStresser DOT com, reviewing their terms of service and website, it has a really well written terms of service and well designed website, how would the owners be liable for someone simply conducting misuse of their service?
I’m very curious to hear more about this answer, it’s in theory the same idea as buying a gun from a gun shop and after that guy goes and murders someone, the gun shop owner being responsible.
Thanks, and great article yet again Brian.
I commented this on another article here. Stresser services or load application load testing and load balancer testing are not illegal on its own nature. It is how you provide the service that makes them illegal or not. It’s very simple. Your terms of services are not above the law. You can’t create a TOS that says you are not responsible if we murder your dog.
Every single service that provides a real load testing service does a proper verification test and verify if you have control of the server or website you are testing. This is how it works. Even Google requires you to verify your site in their console to change how they crawl your site. Anything that can impact your site, (like sending floods of fake visitors) requires the owner permissions first. Doing this is very simple. Not only that, but those are real companies with contact information, you can check who they are, where they are and they use their own servers in the cloud to send traffic and only after they have your permission.
Now, let’s see the difference between the illegal ones. The website completely hides all contact information because they know they are doing something illegal. They even hide where they are hosted and they take all the measures possible to stay anonymous. (they are criminals after all and don’t want to be identified). They use obscure payment systems because again, they are not real companies, pay any government taxes and they use others people bank accounts or stolen PayPal accounts to receive money.
They do not make any verification what so ever if the site/server you are sending traffic is yours or you are the authorized administrator. That is the whole idea of their illegal service. They lie and pretend to be a stresser service but they know it’s not used for that but to attack other people. They make absolutely sure not to ask anyone anything. And let’s add here that they don’t use their own computer systems to generate the traffic either. They infected other computer systems from other people and are using them without authorization (hacking).
Let me resume it. It’s like stealing cars, sending them to another country and them opening a supposed car rental company with the stolen cars. Then rent them to people to smuggle drugs down the border and looking the other side.
A real stresser service is still responsible if a customer of their makes an attack to someone on the Internet, it’s their system and service after all. They can’t claim they are not responsible, just like a hosting company has to shut down a malware site or a spammer in their network when they are notified. This is why they make sure to verify what you are doing. The differences between a legal and illegal service are day and night and only a moron could not see the difference.
Their attorneys have no case here to defend them based on how they were operating their racketeering business. They did absolutely everything in the shadows and with criminal intentions and criminal behavior in every step of the process. It was not an innocent mistake. They are aware so they are blaming each other now.
If this goes to trial there is no way in hell they can win.
Finally some great news. Israel is a country with much innovation in technology, and the government cannot be irresponsible when it comes to prosecuting digital crimes. Many tech companies came from Israel, so the logic for them in order to maintain their reputation as a country, is taking cybercrimes seriously. Let’s not forget that DDoS attacks are the equivalent to nukes on the Internet. What I do find sad is they took so long and it seems only after other law enforcement agencies from foreign countries where behind them. Justice should work on its own if they have enough evidence. I think that based on what we have read here and the data that the FBI and other agencies have the evidence is unyielding.
Why is the Swedish government so interest? You can bet more than one company was affected. Let’s not forget Brian that attacks cause actual financial impacts to online companies. The damage can be measured, and the effects are very genuine and tangible in the offline world. You should know better as this blog, and your books are putting money on your table each month, and you suffered the impact of being knocked offline before.
I hope the justice in Israel does its job and they use them as a lesson for new kids that think it is cool to mount an online racketeering business.
I completely understand and can see the differences between “real” and “sort’ve real” load testing. I see stresser services which have an abuse contact e-mail address to report abuse from their service. This would work the same way as a hosting company, you cannot expect the hosting company to review every single file being hosted on their servers, so they rely on abuse reports, even if the stresser services don’t verify ownership of a network, what is to say they have too many customers to do this and solely rely on the honor systems. Some stresser services even have telephone numbers listed, I don’t know if they’re valid or even go anywhere, but it’s worth to note they even list a telephone number, which I presume can be used to report abuse.
I am just failing to see why the owners of these services are being charged, I just want to know which law(s) they violate by offering a stresser service, with an applicable terms of service which exempts them for liability of misuse of their service.
“which exempts them for liability of misuse of their service”
That’s just it – it doesn’t. Adding a disclaimer while offering resources for criminal enterprise doesn’t absolve the merchant from blame – look at all the people selling card skimmers, and ATM and POS parts, with disclaimers on their sites that these are offered for ‘security research purposes only’… yeah, right. Any prosecutor will instantly counter that the accused *reasonably knew* that what they were offering would be used for illegal purposes.
DOS attacks are really common these days and pretty devastating…
I wonder if there’s a real fix to it.
The only real fix is ISP egress filtering. When ISP’s refuse to pass spoofed outbound traffic, then DDOS attacks will be dead. It won’t matter how many hacked IoT devices there are, they will be caged if they can’t spew garbage data to the rest of the world.
The entire DDOS ecosystem depends on spoofing the source IP address so that the garbage traffic is not filterable.
DDoS cannot be stopped once they have targeted you. You can only weather the storm. If they send you 30MB traffic then accommodate them and increase your capacity to 60MB. It is a game of who has more resources. Just imagine a ping flood (IRC days) with tsunami proportion.
Mirai in the picture using simple devices, this site has weathered the storm but it took a while to get back up. Better contact your ISP or Web host how they can help you our during an attack. DDoS is just part of a bigger attack, this only gets your resources busy trying to remove your attention on their main target.
Just accommodate the 400 Gb ddos attacks by upgrading to a 1 Tb line… right.
I see profit from this.
@Mike I can’t believe I just fitted new seat-belts to my car and there are still DDOS attacks! I always said seat-belts were useless!
I have been under the constant attack of DDoS and it seems to not stop no matter what i try to do about it.
Tory, we got hit on a DR site firewall for 2 weeks. All we could do is wait it out. But it had no effect on production.
If this is your Home connection getting attacked, you could turn off your router for a few hours and hope you get a new IP from your host. You can also call them and ask for a new IP.
If this is your businesses, and the above is not an option, you may want to get another service provider as an alternate connection until it stops (they point their botnet at another victim). if this is your website, you may be SOL, until it’s over.
The theory they are charged with, using the gun analogy, is you loaned the gun that was used in the crime.
Accessory to the fact.
The bit about iot devices, usually they do not have to be on your service to “be on the air” , they are open broadcasting when they are activated. Plug in the device, it is trying to find home. And another person may have an open channel with another device, it will piggyback. Remember they can broadcast up to 600 foot, unofficially some have been measured up to a thousand feet. How many people live within a thousand foot of you? Are they as secure or as trained as you in security provisions? So why should your light bulb be on the air?
Understandable how that can be wrong and get you charged. But there’s no loaning of anything here, they sell a service that can completely be used for law abiding purposes, such as selling a hand gun, and then can be used maliciously, such as committing a crime with the purchased item. In the stresser case, they sell a service that can simply launch DDoS attacks with the control of how long they want, which port, and which amplification they wish to test against. That seems pretty fair to me as a SaaS, I still haven’t gotten an answer on which law they violate (in the United States), if they’re not causing damages to any systems, unauthorized access to a computer.
I still want to know which law(s) they’re in violation of. If a stresser service has a well written terms and conditions of their product, they surely cannot be held liable for any abuse, especially if they’re very openly against it.
Still looking for information on it.
the forum is as informative as the site , thanks for you guys for the info download
Mike should be CISO
i hope usa and the whole world become police state !!
it will end all crimes !! And rfied chip under skin.
At the end its all no matter.anymore.
usa dollar will fall down soon and war will
starting off now. Russia will buy war equipment
with usa dollars. Soon the war starting
There are actually a few legitimate stress testing services.
However, most if not all of these require you to be able to put a file on the web server authenticating that you have file (write) access.
These services typically start with 0 (zero) concurrent users and go up to like 100 or 1000 users with like 1-10 connections each. Those services are actually quite useful, as they report how many errors your server responds with for each “level”, and also how long it takes to respond, etc. so you can optimize your configuration and handle larger loads of users. (When you have a really busy website, or expect a lot of sudden traffic at random, not like DDoS but actual traffic, then it’s quite useful.)
Of course, a “stresser” service probably starts at like 100,000 concurrent connections which will probably knock most smaller web servers with e.g. MySQL offline, so those aren’t exactly useful for legitimate purposes.
“six million shekels” heh…