
What’s better than creating your own DDoS? Renting one

Thanks to the cloud, anyone can now initiate a DDoS attack. Find out how booter services work.

Interested in denying someone access to the Internet? Ten dollars buys a very nice DDoS (Distributed Denial of Service) platform: one 60-second attack that can be launched as often as needed for an entire month. For those wanting more, 169 dollars buys the ultimate package, three two-hour attacks, also rentable by the month.

Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.

[Slide: top 10 booters]

Notice that the slide's title refers to booters: that is the industry's name for a for-hire DDoS service that comes with an online customer interface. The slide also refers to stressers [sic], an attempt to borrow legitimacy from businesses that stress-test websites to see how well they handle large volumes of incoming traffic.

I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.

Wanting to learn more, I did some digging and came across an interesting paper by Mohammad Karami and Damon McCoy of George Mason University, "Understanding the Emerging Threat of DDoS-As-a-Service."

Mohammad and Damon start out by mentioning that researchers know little about the operation, effectiveness, and economics of Booters. A fortunate event changed that. It seems the operations database for one specific Booter — twBooter — became public, allowing Mohammad and Damon to gain significant insight into the inner workings, including:

  • The attack infrastructure
  • Details on service subscribers
  • Information on the targets

In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”

Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).

[Slide: the twBooter user interface]
The user interface slide has a window showing the different available attack techniques. Using the database, Mohammad and Damon isolated the most popular attacks:

[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, that targets Apache web servers with a specific misconfiguration.

Karami and McCoy note that the techniques above accounted for more than 90 percent of twBooter's attacks. To measure twBooter's effectiveness, they subscribed to the service and set about attacking their own server. First up, the UDP flood: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”

Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”

The following slide provides details.

[Slide: table of attack measurements]
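The two measurements quoted above describe what the attacked server actually sees: DNS answers to questions it never asked, and SYNs from sources that never finish the handshake. As an added example (this is not code from the article or from Karami and McCoy's paper), the following Python script turns those two observations into checks and runs them over a constructed packet capture. Everything in it is assumed for illustration: the simplified packet records, the addresses (RFC 5737 documentation ranges), the 40 reflected answers and 300 spoofed SYNs, and the 3,000-byte amplified-response size used to convert the paper's 827 Mbit/s into a responses-per-second figure.

```python
"""Spot DNS-reflection and SYN-flood traffic in packet records.

Added example, not from the article or from the Karami/McCoy paper. The
traffic below is constructed; addresses use RFC 5737 documentation ranges.

  * reflection/amplification: DNS responses (source port 53) arrive for
    which this host never sent a matching query, because the attacker
    sent the query with our address forged as its source;
  * SYN flood: SYNs from many distinct sources that never finish the
    handshake, each leaving a half-open connection behind.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "udp" or "tcp"
    size: int          # bytes on the wire
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "A"
    dns_id: int = -1   # DNS transaction ID for UDP/53 traffic, else -1


SERVER = "198.51.100.10"   # the attacked host (constructed)


def unsolicited_dns_responses(pkts, server):
    """Count DNS responses to `server` that answer no query it sent.

    A legitimate answer matches an earlier query on (resolver, dns_id);
    a reflected one does not, because the attacker sent the query.
    Returns (responses, bytes, distinct_reflectors).
    """
    pending, reflectors = set(), set()
    count = total = 0
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto != "udp":
            continue
        if p.src == server and p.dport == 53:
            pending.add((p.dst, p.dns_id))
        elif p.dst == server and p.sport == 53:
            if (p.src, p.dns_id) in pending:
                pending.discard((p.src, p.dns_id))  # answer we asked for
            else:
                count += 1
                total += p.size
                reflectors.add(p.src)
    return count, total, len(reflectors)


def syn_flood_stats(pkts, server, window=1.0):
    """Summarise SYNs to `server` whose source never completes the handshake.

    Spoofed sources never send the final ACK, so half_open approaches syns
    and distinct_srcs approaches half_open. peak_per_window is the busiest
    `window`-second bucket, comparable to the paper's SYN/sec figure.
    """
    tcp_in = [p for p in pkts if p.proto == "tcp" and p.dst == server]
    syns = [p for p in tcp_in if p.flags == "S"]
    completed = {p.src for p in tcp_in if p.flags == "A"}
    half_open = [p for p in syns if p.src not in completed]
    buckets = Counter(int(p.ts // window) for p in half_open)
    return {
        "syns": len(syns),
        "half_open": len(half_open),
        "distinct_srcs": len({p.src for p in half_open}),
        "peak_per_window": max(buckets.values(), default=0),
    }


def responses_per_second(mbit_per_s, avg_response_bytes):
    """Reflected responses per second implied by a bit rate.

    The 3,000-byte amplified response used in __main__ is an assumption,
    not a figure from the paper.
    """
    return mbit_per_s * 1_000_000 / 8 / avg_response_bytes


def sample_capture():
    """Constructed traffic: one real DNS exchange, 40 reflected answers from
    20 open resolvers, two real handshakes, and 300 spoofed SYNs in 1 s."""
    pkts = [
        Pkt(0.00, SERVER, 40000, "203.0.113.53", 53, "udp", 60, dns_id=0x1234),
        Pkt(0.02, "203.0.113.53", 53, SERVER, 40000, "udp", 120, dns_id=0x1234),
    ]
    for i in range(40):   # amplified answers the server never asked for
        pkts.append(Pkt(1.0 + i * 0.02, f"192.0.2.{i % 20 + 1}", 53, SERVER,
                        40000, "udp", 3000, dns_id=i))
    for n, client in enumerate(("203.0.113.7", "203.0.113.8")):
        t = 2.0 + n * 0.1
        pkts += [Pkt(t, client, 50000, SERVER, 80, "tcp", 60, "S"),
                 Pkt(t + 0.01, SERVER, 80, client, 50000, "tcp", 60, "SA"),
                 Pkt(t + 0.02, client, 50000, SERVER, 80, "tcp", 52, "A")]
    for i in range(300):  # spoofed sources that never complete the handshake
        pkts.append(Pkt(3.0 + i * 0.003, f"172.16.{i // 256}.{i % 256}",
                        1024 + i, SERVER, 80, "tcp", 60, "S"))
    return pkts


if __name__ == "__main__":
    cap = sample_capture()
    print("unsolicited DNS responses (count, bytes, reflectors):",
          unsolicited_dns_responses(cap, SERVER))
    print("SYN flood stats:", syn_flood_stats(cap, SERVER))
    print("827 Mbit/s at an assumed 3000 B/response = %.0f responses/s"
          % responses_per_second(827, 3000))
```

Two points the output makes concrete: the reflection check never needs the attacker's address, because the server only ever sees the resolvers, which is why source-address validation at the networks the forged queries leave from is the real fix; and in the SYN check the distinct-source count tracks the half-open count, which is the signature that separates random spoofing from a legitimate burst of clients.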
To recap, twBooter exemplifies the new trend in DDoS platforms: a reasonably priced, user-friendly service fully capable of bringing down websites, even sites with substantial bandwidth behind them.

Something else I found interesting: even though twBooter did not make the Top 10 (maybe the data leak had something to do with that), Karami and McCoy determined that twBooter earned its owners in excess of 7,000 dollars a month. That figure came from customers launching over 48,000 DDoS attacks against 11,000 separate victims.

Final thoughts

Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.


8 comments
D-FER

Great article. Note that Slowloris is effective only against Apache. Make sure to use mod_reqtimeout and mod_antiloris to defend against it. This is very likely to help with RUDY as well. Both are low and slow DoS attacks.

deepsand

I'd presumed that such services were available, but never had the urge to go looking for what's available.

Any info. on how long any of those cited have been around?

TechDRepublic

I'm wondering who gets the blame for a site going down? The DDoS company or the user who paid for their services?

HAL 9000 (moderator)

Interesting now just how often are these attacks going to happen because someone is mildly peeved off with someone else?

Col

Michael Kassner

@D-FER 

Thank you for the comment and the suggestion. Most booters are "low and slow" because of using servers instead of compromised PCs. But, continued success could mean renting more servers.

Michael Kassner

@deepsand 

It wasn't long after online gaming got serious that the gamers figured out this would work. Next step: why not try to make money at this?