Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.
Notice the slide’s title refers to Booters; the industry calls for-hire DDoS attacks booters when they have an online customer interface. The slide also refers to stressers [sic]. That’s an attempt to align with legitimate businesses that stress-test websites on how well they handle large volumes of incoming traffic.
I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.
- The attack infrastructure
- Details on service subscribers
- Information on the targets
In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”
Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).
[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, that targets Apache web servers with a specific misconfiguration.
The gentlemen mentioned the above DDoS techniques accounted for more than 90 percent of the twBooter attacks. To determine the effectiveness of twBooter, Mohammad and Damon subscribed to twBooter, and set about attacking their own server. First up, the UDP attack: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”
Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”
The following slide provides details.
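To make the two measurements above concrete from the defender's side, here is an added example (my own code, not from the paper or from twBooter) that looks for both signatures in flow records: DNS replies arriving from resolvers the server never queried (the reflection pattern, since the booter forged the victim's address as the query source) and SYNs from sources that never send the follow-up ACK (the spoofed-source, half-open pattern). The flow records, the victim address and the thresholds are all constructed for illustration.

```python
# Each record is (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, bytes).
# Constructed sample data, not a real capture: one legitimate DNS query/answer
# pair, three unsolicited large DNS responses from different resolvers, one
# completed TCP handshake and fifty lone SYNs from distinct spoofed sources.
TARGET = "203.0.113.10"  # placeholder victim address (documentation range)
SAMPLE_FLOWS = [
    (TARGET, 40001, "198.51.100.1", 53, "udp", "", 60),      # real query out
    ("198.51.100.1", 53, TARGET, 40001, "udp", "", 120),     # its real answer
    ("198.51.100.2", 53, TARGET, 7777, "udp", "", 3200),     # never asked for
    ("198.51.100.3", 53, TARGET, 7777, "udp", "", 3100),
    ("198.51.100.4", 53, TARGET, 7777, "udp", "", 3300),
    ("192.0.2.5", 5555, TARGET, 80, "tcp", "S", 60),         # real client SYN
    ("192.0.2.5", 5555, TARGET, 80, "tcp", "A", 52),         # handshake done
] + [(f"192.0.2.{i}", 1000 + i, TARGET, 80, "tcp", "S", 60) for i in range(10, 60)]


def unsolicited_dns_responses(flows, target):
    """(bytes, distinct resolvers) of DNS replies the target never queried for.

    Reflection shows up as many resolvers answering a host that sent them no
    query: the booter put the victim's IP in the source field of its queries."""
    asked = {(d, sp) for s, sp, d, dp, p, _, _ in flows
             if s == target and p == "udp" and dp == 53}
    total, reflectors = 0, set()
    for s, sp, d, dp, p, _, nbytes in flows:
        if d == target and p == "udp" and sp == 53 and (s, dp) not in asked:
            total += nbytes
            reflectors.add(s)
    return total, len(reflectors)


def half_open_syn_sources(flows, target):
    """(lone-SYN count, distinct sources) for SYNs never followed by an ACK
    from the same source/port: each one leaves a half-open connection that the
    victim keeps state for, which is how the SYN flood exhausts memory."""
    acked = {(s, sp) for s, sp, d, dp, p, fl, _ in flows
             if d == target and p == "tcp" and "A" in fl}
    lone = [(s, sp) for s, sp, d, dp, p, fl, _ in flows
            if d == target and p == "tcp" and fl == "S" and (s, sp) not in acked]
    return len(lone), len({s for s, _ in lone})


def classify(flows, target, amp_bytes=2000, syn_count=20):
    """Return the attack labels whose constructed thresholds are exceeded;
    real deployments tune these against the link's normal baseline."""
    verdicts = []
    rbytes, reflectors = unsolicited_dns_responses(flows, target)
    if rbytes >= amp_bytes and reflectors > 1:
        verdicts.append("dns-reflection")
    lone, sources = half_open_syn_sources(flows, target)
    if lone >= syn_count and sources >= syn_count // 2:
        verdicts.append("syn-flood")
    return verdicts
```

Feeding real NetFlow or pcap summaries into the same tuple shape is enough to reuse the two checks; the window over which you count matters more than the exact thresholds.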
Something else I found interesting: even though twBooter did not make the Top 10 (maybe the data leak had something to do with it), Mohammad and Damon determined twBooter earned its owners in excess of 7,000 dollars a month. That amount resulted from customers launching over 48,000 DDoS attacks against 11,000 separate victims.
Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.