What’s better than creating your own DDoS? Renting one

Thanks to the cloud, anyone can now initiate a DDoS attack. Find out how booter services work.

Interested in denying someone access to the Internet? Ten dollars provides a very nice DDoS (Distributed Denial of Service) platform, featuring one 60-second long attack that can be used as often as needed for an entire month. For those wanting more, 169 dollars provides the ultimate DDoS, three two-hour long attacks, also rentable by the month.

Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.

top10Booters 2.jpg

Notice the slide’s title refers to Booters; the industry calls for-hire DDoS attacks booters when they have an online customer interface. The slide also refers to stressers [sic]. That’s an attempt to align with legitimate businesses that stress-test websites on how well they handle large volumes of incoming traffic.

I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.

Karami.Booters 3.jpg
Wanting to learn more, I did some digging: coming across an interesting paper by Mohammad Karami (top picture) and Damon McCoy of George Mason University, "Understanding the Emerging Threat of DDoS-As-a-Service."

Mccoy.Booters 4.jpg
Mohammad and Damon start out by mentioning that researchers know little about the operation, effectiveness, and economics of Booters. A fortunate event changed that. It seems the operations database for one specific Booter — twBooter — became public, allowing Mohammad and Damon to gain significant insight into the inner workings, including:

  • The attack infrastructure
  • Details on service subscribers
  • Information on the targets

In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”

Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).

twBooters 5.jpg
The user interface slide has a window showing the different available attack techniques. Using the database, Mohammad and Damon isolated the most popular attacks:

[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, that targets Apache web servers with a specific misconfiguration.

The gentlemen mentioned the above DDoS techniques accounted for more than 90 percent of the twBooter attacks. To determine the effectiveness of twBooter, Mohammad and Damon subscribed to twBooter, and set about attacking their own server. First up, the UDP attack: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”

Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”

The following slide provides details.

table.Booters 6.jpg
To recap, twBooter exemplifies the new trend in DDoS platforms: a reasonably-priced, user-friendly DDoS platform fully capable of bringing down websites, even those with significant bandwidth accommodations.

Something else I found interesting, even though twBooter did not make the Top 10 (maybe the data leak had something to do with it), Mohammad and Damon determined twBooter earned its owners in excess of 7,000 dollars a month. That amount resulted from customers launching over 48,000 DDoS attacks against 11,000 separate victims.

Final thoughts

Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.