Booter services help DDoS bad guys hide and monetize their efforts. Researchers offer suggestions on how to remove booters from the loop.
DDoS attacks are a pain in the you know what. Akamai's State of the Internet / Security Q2 2015 report states why: "The second quarter of 2015 set a record for the number of Distributed Denial of Service (DDoS) attacks recorded... more than double what was reported in Q2 2014."
Figure A shows DDoS attack size as a function of time. Each attack that took place during a given quarter is displayed as a dot so we can observe the size of individual attacks. The number of dots in Q1 and Q2 of 2015 represents a 132% increase when compared to the same time last year. Then there are what Akamai calls Mega Attacks.
Figure B shows 10 of the 12 Mega Attacks from Q2 2015, with the largest measuring 249 Gbps. The longest Mega Attack lasted over 13 hours. Bandwidth is not the only measure of attack size. "Q2 2015 saw one of the highest packet rate attacks recorded across the Prolexic Routed Network, which peaked at 214 million packets per second (Mpps)," note the Akamai report's authors. "That volume is capable of taking out tier 1 routers, such as those used by Internet service providers."
To get some perspective, imagine your company being down 13 hours straight during a normal business day — or, worse yet, on Black Friday.
TechRepublic's Dan Patterson, in his post Your 4-step DDoS attack protection plan: What you can learn from Protonmail attack, offers advice on how to deflect and survive DDoS attacks. However, like most reactive measures, current practices are far less than satisfactory, especially if the Akamai report is any indication of what's to come.
At the conclusion of their report, the Akamai authors offer insight on how to defeat DDoS attacks. "Collaboration continues to be an imperative for the software and hardware development industry, application and platform service providers, and the security industry in order to break the cycle of mass exploitation, botnet building, and monetization."
Why the rampant increase in attacks?
Three researchers, Mohammad Karami (George Mason University), Youngsam Park (University of Maryland, College Park), and Damon McCoy (International Computer Science Institute), have a good idea why DDoS attacks are increasing at an alarming rate. In their paper Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services (PDF), the academics explain:
"A large number of DDoS attacks are being launched by relatively unsophisticated attackers that have purchased subscriptions to low-cost DDoS-for-hire (commonly called booter) services. These services are operated by profit-motivated adversaries that have scaled up their DDoS infrastructure to meet the increasing demand for DDoS attacks."
Booters are web-based applications set up by individuals who have DDoS expertise, botnets, and/or high-bandwidth virtual servers scattered around the globe. Individuals who lack the expertise and equipment, yet want to wreak digital harm on a person or organization and are more than willing to pay for it, have the opportunity to do so.
Take it down, it's just a website
If it's a website, why not just take it down? Thanks to bad guy know-how, it's not that simple. The Booter website (2) as shown in Figure C is just an interface. The command/control servers (5) along with the amplifiers (6) — botnet and virtual servers — are safely ensconced and hard to trace. Additionally, ISPs hosting booter websites more often than not are unaware anything illegal is going on.
The researchers go to work
First step: are Booter services the problem? Karami, Park, and McCoy write, "Our analysis of leaked and scraped data from three booters — Asylum Stresser, Lizard Stresser, and VDO 1 — demonstrates that these services have attracted over 6,000 subscribers and have launched over 600,000 attacks."
Next, the researchers determine that most clients use PayPal to transfer funds, with Bitcoin being a distant second. This is where it gets interesting. "To measure the resilience of their payment infrastructure, we conduct a payment intervention in collaboration with PayPal," mention the researchers. "Our evaluation of the effectiveness of this approach suggests that it is a promising method for reducing the subscriber base of Booters."
Simply put, bad guys are business types, and if there is no return on their investment they move on. Some other points of interest found by the researchers:
- Based on aggregated geolocation information provided by PayPal, over 44% of the customer and merchant PayPal accounts associated with Booters are most likely owned by someone in the US.
- Due to its effectiveness, amplified volume-based DDoS is the default attack technique offered by most Booter services.
Probably the most interesting and ironic find: All of the Booter services studied by the researchers hired companies that offer DDoS protection. It seems Booter services are not above using their DDoS infrastructure to try to negate the competition.
The researchers conclude, "Our hope is that by continuing to explore new methods for understanding and undermining booters, we can identify increasingly effective methods of adding friction, cost, and risk to these ventures that further erode their attack potency, scale, and profitability over time."
Historically, DDoS attacks and defenses have been a back-and-forth escalation of bandwidth to either attack or divert an attack. Removing the ability for bad guys to monetize DDoS seems like a better way.