There’s a pattern I see repeatedly when talking to website owners who’ve been taken offline by a DDoS attack: they treat the incident as a technical problem. They call their hosting support, wait for the attack to subside, and move on. Nobody files a report. Nobody preserves evidence. The attacker faces zero consequences.

That cycle needs to stop.

What most people outside the United States don’t fully appreciate — and what matters enormously if you operate a website with American users or infrastructure — is that launching a DDoS attack against a U.S.-based system is a federal crime. Not a gray area. Not an administrative infraction. A federal crime, prosecuted by the same system that handles bank fraud and organized criminal networks.


What Federal Law Actually Says

The Computer Fraud and Abuse Act (CFAA), codified at 18 U.S.C. § 1030, is the primary federal statute governing computer crimes in the United States. Under this law, intentionally causing damage to a protected computer — which includes any server connected to the internet in the U.S. — constitutes a federal offense. DDoS attacks fall squarely within that definition.

The penalties are serious. Depending on the severity and prior record, a conviction can carry up to 10 years in federal prison. For attacks targeting critical infrastructure — hospitals, financial systems, government services — sentencing can be significantly higher.

Critically: the CFAA doesn’t require the attacker to be physically located in the United States. If the attack affected a U.S. system, federal jurisdiction can apply. The Department of Justice has successfully prosecuted individuals located abroad for cybercrimes committed remotely against American targets. This isn’t legal theory — it’s established case law.


The FBI Is Not Treating This Lightly

In a formal public statement, the FBI declared it is intensifying efforts to combat illegal DDoS attacks. The document — available on the FBI’s own website — is unambiguous: the Bureau is actively investigating botnet operators, DDoS-for-hire services (commonly called “booters” and “stressers”), and anyone who uses or sells that infrastructure.

In the same statement, the FBI directs victims to file a complaint with the Internet Crime Complaint Center (IC3) at ic3.gov, regardless of the financial loss amount or when the incident occurred. That last part matters: the IC3 accepts reports of past attacks, not just ongoing ones. Every complaint feeds the federal database and helps build cases against criminal networks that have operated for years without accountability.

If your website was hit by a DDoS attack and you have users or infrastructure in the United States: you have the right to file a formal complaint with the FBI. You should use it.


Why Victims Don’t Report — and Why That’s a Problem

Most victims don’t file reports for three reasons: they assume the damage was too minor for the government to care about, they believe identifying the attacker is impossible, or they simply don’t know a federal reporting channel exists.

All three assumptions are wrong.

The FBI has no minimum damage threshold for opening a cybercrime investigation. The attribution capabilities available to federal agencies — subpoenas to hosting providers, international law enforcement cooperation, botnet infrastructure analysis — operate at a scale far beyond what any private company can do independently. And the IC3 exists precisely to receive this category of complaint.

What’s missing in most cases is documentation. Server logs. Timestamps. Traffic data captured during the attack window. Without preserved evidence, even the best federal investigator has very little to work with.


What To Do When Your Site Is Under Attack

First and most important: don’t delete anything.

Your server logs during an attack are forensic evidence. If those files were cleared or overwritten before being captured, you’ve lost your primary investigative asset.

The correct sequence is:

  1. Document everything in real time. Request volume, source IP ranges, attack type (GET flood, POST flood, Slowloris, etc.), precise timestamps from the moment the attack begins.
  2. Archive server logs to an external location. Many servers automatically rotate or overwrite logs after a set period — export before that happens.
  3. Record the impact. Screenshots from your monitoring dashboard, availability metrics, revenue loss estimates if applicable.
  4. File a complaint at IC3.gov. It takes under 15 minutes. The form is straightforward and doesn’t require legal expertise to complete.
  5. Contact your local FBI field office if the attack is large-scale or targets critical services. The full directory is available at fbi.gov/contact-us/field-offices.
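One way to carry out step 2 so the archived logs can later be shown to be unaltered, as an added example that is not part of the original article: copy the logs, rotated files included, to a separate location and record a SHA-256 hash for each file in a manifest. The `access.log*` pattern, the directory arguments and the `MANIFEST.json` name are assumptions; adapt them to your server.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_logs(log_dir, evidence_dir, pattern="access.log*"):
    """Copy matching logs (including rotated ones) and write a hash manifest."""
    log_dir, evidence_dir = Path(log_dir), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sorted(log_dir.glob(pattern)):
        if not src.is_file():
            continue
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        st = dst.stat()
        entries.append({
            "file": src.name,
            "bytes": st.st_size,
            "source_mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            # The live log keeps growing, so the hash covers the snapshot that was taken.
            "sha256": sha256_file(dst),
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source_dir": str(log_dir),
        "files": entries,
    }
    (evidence_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(evidence_dir):
    """Return the archived files whose hash no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "MANIFEST.json").read_text())
    return [e["file"] for e in manifest["files"]
            if sha256_file(evidence_dir / e["file"]) != e["sha256"]]
```

Point `evidence_dir` at storage outside the affected server, and keep a copy of the manifest separately from the archive so that a change to either one is detectable.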

The Difference Between Absorbing an Attack and Being Prepared for One

Most hosting solutions treat DDoS as something to be absorbed — they apply generic rate limits, block obvious IP ranges, and wait for the attacker to give up. Against unsophisticated scripts, that sometimes works. Against well-executed Layer 7 attacks, it doesn’t.

Application-layer attacks are categorically different because the traffic looks legitimate. A properly configured bot sends correct HTTP headers, realistic user-agents, plausible session behavior. A simple rate limiter can’t distinguish that traffic from a real user. The server processes each request, executes database queries, generates responses — and collapses not from raw volume, but from resource exhaustion.

Mitigating Layer 7 requires real-time behavioral analysis: access patterns, per-endpoint request distribution, cross-IP correlation, anomaly detection across session sequences. It’s a traffic intelligence problem, not a firewall rule problem.
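The gap between a per-IP rate limit and cross-IP correlation, shown on constructed access-log lines (an added example, not Mirai Guard's code): every client stays under the limit, but grouping clients by the endpoints they touch exposes a set of addresses that behave identically and account for most of the load. The thresholds, the `/search` endpoint and the documentation-range IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Common/combined log format: client IP first, then the quoted request line.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def sample_log():
    """Constructed traffic: 4 browser-like clients, 8 clients that only POST /search."""
    ts = "[12/Mar/2025:10:00:00 +0000]"
    tail = 'HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = []
    for i in range(1, 5):
        for req in ("GET /", "GET /static/app.css", "GET /products?page=2", "POST /search?q=shoes"):
            lines.append(f'198.51.100.{i} - - {ts} "{req} {tail}')
    for i in range(1, 9):
        for n in range(12):
            lines.append(f'203.0.113.{i} - - {ts} "POST /search?q={n} {tail}')
    return lines

def analyse(lines, per_ip_limit=20, min_cluster=5, min_share=0.5):
    per_ip = Counter()
    profile = defaultdict(set)  # ip -> set of (method, path) it requested
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        endpoint = (m["method"], m["path"].split("?")[0])  # ignore query strings
        per_ip[m["ip"]] += 1
        profile[m["ip"]].add(endpoint)
    total = sum(per_ip.values())
    # What a simple rate limiter sees: clients above the per-IP threshold.
    rate_limited = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
    # Cross-IP correlation: clients with an identical endpoint profile form a cluster.
    clusters = defaultdict(list)
    for ip, endpoints in profile.items():
        clusters[frozenset(endpoints)].append(ip)
    findings = []
    for endpoints, ips in clusters.items():
        volume = sum(per_ip[ip] for ip in ips)
        if len(ips) >= min_cluster and volume / total >= min_share:
            findings.append({"endpoints": sorted(endpoints), "clients": len(ips),
                             "requests": volume, "share": round(volume / total, 2)})
    return {"rate_limited": rate_limited, "findings": findings}
```

On the sample data the rate limiter flags nobody, while the correlation step reports one cluster of eight clients that request nothing but `POST /search`.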

That’s the specific problem Mirai Guard is built to solve — not as a feature checkbox in a larger platform, but as the singular focus. Every protection configuration is handled by people who understand application-layer attacks in depth, calibrated to each site’s actual traffic profile, and actively monitored. When an attack begins, the response isn’t generic — it’s technically contextual.


The Institutional Dimension

There’s an angle that rarely comes up in technical discussions about DDoS that deserves explicit attention: the cybersecurity industry’s role in combating these crimes isn’t just technical — it’s institutional.

The FBI cannot investigate what isn’t reported. Federal authorities have no visibility into attacks affecting websites outside the U.S. unless victims use available reporting channels. Every complaint that doesn’t get filed is a gap in the map that federal investigators spend years building to identify criminal infrastructure.

Organizations operating in this space — that see attack traffic at a level of technical detail most victims never access — carry a responsibility that extends beyond protecting their own clients. Documenting, educating victims, and when authorized, contributing technical evidence to federal investigations, is part of the work.

That’s how we understand our role at Mirai Guard. The technical defense and the institutional responsibility aren’t separate things. They’re the same thing.


If your website was targeted by a DDoS attack, file your complaint at ic3.gov. If your site is under attack now or you want to ensure you’re protected before an incident occurs, contact Mirai Guard.