There’s a pattern I see repeatedly when talking to website owners who’ve been taken offline by a DDoS attack: they treat the incident as a technical problem. They call their hosting support, wait for the attack to subside, and move on. Nobody files a report. Nobody preserves evidence. The attacker faces zero consequences.<\/p>\n
That cycle needs to stop.<\/p>\n
What most people outside the United States don’t fully appreciate \u2014 and what matters enormously if you operate a website with American users or infrastructure \u2014 is that launching a DDoS attack against a U.S.-based system is a federal crime<\/strong>. Not a gray area. Not an administrative infraction. A federal crime, prosecuted by the same system that handles bank fraud and organized criminal networks.<\/p>\n The Computer Fraud and Abuse Act (CFAA)<\/strong>, codified at 18 U.S.C. \u00a7 1030, is the primary federal statute governing computer crimes in the United States. Under this law, intentionally causing damage to a protected computer \u2014 which includes any server connected to the internet in the U.S. \u2014 constitutes a federal offense. DDoS attacks fall squarely within that definition.<\/p>\n The penalties are serious. Depending on the severity and prior record, a conviction can carry up to 10 years in federal prison. For attacks targeting critical infrastructure \u2014 hospitals, financial systems, government services \u2014 sentencing can be significantly higher.<\/p>\n Critically: the CFAA doesn’t require the attacker to be physically located in the United States. If the attack affected a U.S. system<\/strong>, federal jurisdiction can apply. The Department of Justice has successfully prosecuted individuals located abroad for cybercrimes committed remotely against American targets. This isn’t legal theory \u2014 it’s established case law.<\/p>\n In a formal public statement, the FBI declared it is intensifying efforts to combat illegal DDoS attacks<\/strong>. The document \u2014 available on the FBI’s own website \u2014 is unambiguous: the Bureau is actively investigating botnet operators, DDoS-for-hire services (commonly called “booters” and “stressers”), and anyone who uses or sells that infrastructure.<\/p>\n In the same statement, the FBI directs victims to file a complaint with the IC3 \u2014 Internet Crime Complaint Center<\/strong> at ic3.gov, regardless of the financial loss amount or when the incident occurred. That last part matters: the IC3 accepts reports of past attacks, not just ongoing ones. Every complaint feeds the federal database and helps build cases against criminal networks that have operated for years without accountability.<\/p>\n If your website was hit by a DDoS attack and you have users or infrastructure in the United States: you have the right to file a formal complaint with the FBI. You should use it.<\/p>\n Most victims don’t file reports for three reasons: they assume the damage was too minor for the government to care about, they believe identifying the attacker is impossible, or they simply don’t know a federal reporting channel exists.<\/p>\n All three assumptions are wrong.<\/p>\n The FBI has no minimum damage threshold for opening a cybercrime investigation. The attribution capabilities available to federal agencies \u2014 subpoenas to hosting providers, international law enforcement cooperation, botnet infrastructure analysis \u2014 operate at a scale far beyond what any private company can do independently. And the IC3 exists precisely to receive this category of complaint.<\/p>\n What’s missing in most cases is documentation. Server logs. Timestamps. Traffic data captured during the attack window. Without preserved evidence, even the best federal investigator has very little to work with.<\/p>\n First and most important: don’t delete anything.<\/strong><\/p>\n Your server logs during an attack are forensic evidence. If those files were cleared or overwritten before being captured, you’ve lost your primary investigative asset.<\/p>\n The correct sequence is:<\/p>\n Most hosting solutions treat DDoS as something to be absorbed \u2014 they apply generic rate limits, block obvious IP ranges, and wait for the attacker to give up. Against unsophisticated scripts, that sometimes works. Against well-executed Layer 7 attacks, it doesn’t.<\/p>\n Application-layer attacks are categorically different because the traffic looks legitimate. A properly configured bot sends correct HTTP headers, realistic user-agents, plausible session behavior. A simple rate limiter can’t distinguish that traffic from a real user. The server processes each request, executes database queries, generates responses \u2014 and collapses not from raw volume, but from resource exhaustion.<\/p>\n Mitigating Layer 7 requires real-time behavioral analysis: access patterns, per-endpoint request distribution, cross-IP correlation, anomaly detection across session sequences. It’s a traffic intelligence problem, not a firewall rule problem.<\/p>\n That’s the specific problem Mirai Guard is built to solve \u2014 not as a feature checkbox in a larger platform, but as the singular focus. Every protection configuration is handled by people who understand application-layer attacks in depth, calibrated to each site’s actual traffic profile, and actively monitored. When an attack begins, the response isn’t generic \u2014 it’s technically contextual.<\/p>\n There’s an angle that rarely comes up in technical discussions about DDoS that deserves explicit attention: the cybersecurity industry’s role in combating these crimes isn’t just technical \u2014 it’s institutional.<\/p>\n The FBI cannot investigate what isn’t reported. Federal authorities have no visibility into attacks affecting websites outside the U.S. unless victims use available reporting channels. Every complaint that doesn’t get filed is a gap in the map that federal investigators spend years building to identify criminal infrastructure.<\/p>\n Organizations operating in this space \u2014 that see attack traffic at a level of technical detail most victims never access \u2014 carry a responsibility that extends beyond protecting their own clients. Documenting, educating victims, and when authorized, contributing technical evidence to federal investigations, is part of the work.<\/p>\n That’s how we understand our role at Mirai Guard. The technical defense and the institutional responsibility aren’t separate things. They’re the same thing.<\/p>\n If your website was targeted by a DDoS attack, file your complaint at ic3.gov<\/a>. If your site is under attack now or you want to ensure you’re protected before an incident occurs, contact Mirai Guard<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" There’s a pattern I see repeatedly when talking to website owners who’ve been taken offline by a DDoS attack: they treat the incident as a technical problem. They call their hosting support, wait for the attack to subside, and move on. Nobody files a report. Nobody preserves evidence. The attacker faces zero consequences. That cycle […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[85],"tags":[],"class_list":["post-195","post","type-post","status-publish","format-standard","hentry","category-attacks"],"views":2,"_links":{"self":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts\/195","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/comments?post=195"}],"version-history":[{"count":1,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts\/195\/revisions"}],"predecessor-version":[{"id":196,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/posts\/195\/revisions\/196"}],"wp:attachment":[{"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/media?parent=195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/categories?post=195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/miraiguard.com\/learn\/wp-json\/wp\/v2\/tags?post=195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nWhat Federal Law Actually Says<\/h2>\n
\nThe FBI Is Not Treating This Lightly<\/h2>\n
\nWhy Victims Don’t Report \u2014 and Why That’s a Problem<\/h2>\n
\nWhat To Do When Your Site Is Under Attack<\/h2>\n
\n
\nThe Difference Between Absorbing an Attack and Being Prepared for One<\/h2>\n
\nThe Institutional Dimension<\/h2>\n
\n