Daniel Kopp
ABSTRACT
Booter services continue to provide popular DDoS-as-a-service platforms and enable anyone irrespective of their technical ability, to execute DDoS attacks with devastating impact. Since booters are a serious threat to Internet operations and can cause significant financial and reputational damage, they also draw the attention of law enforcement agencies and related counter activities. In this paper, we investigate booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting 15 booter websites in December 2018 from the perspective of a major IXP and two ISPs. We study and compare attack properties of multiple booter services by launching Gbps-level attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters we scrutinize 5 months, worth of inter-domain traffic. We observe that the takedown only leads to a temporary reduction in attack traffic. Additionally, one booter was found to quickly continue operation by using a new domain for its website.
- Akamai. State of the Internet Security Report (Q4 2017). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2017-state-of-the-internet-security-report.pdf, 2017.Google Scholar
- Akamai. State of the Internet Security Report (Attack Spotlight: Memcached). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-summer-2018-attack-spotlight.pdf, 2018.Google Scholar
- Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J. A., Invernizzi, L., Kallitsis, M., Kumar, D., Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., and Zhou, Y. Understanding the Mirai Botnet. USENIX Security Symposium (2017).Google ScholarDigital Library
- BBC. 'Hacking attacks' hit Russian political sites. http://www.bbc.com/news/technology-16032402, 2012.Google Scholar
- Beverly, R., and Bauer, S. The spoofer project: Inferring the extent of internet source address filtering on the internet. In Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI'05, Cambridge, MA, USA, July 7, 2005 (2005).Google Scholar
- Beverly, R., Berger, A., Hyun, Y., and claffy, k. Understanding the Efficacy of Deployed Internet Source Address Validation Filtering. In Internet Measurement Conference (IMC) (Nov 2009).Google Scholar
- Brunt, R., Pandey, P., and McCoy, D. Booted: An analysis of a payment intervention on a DDoS-for-Hire-Service. In Workshop on the Economics of Information Security (2017).Google Scholar
- Bukac, V., Stavova, V., Nemec, L., Riha, Z., and Matyas, V. Service in denial-clouds going with the winds. In International Conference on Network and System Security (2015).Google ScholarCross Ref
- Büscher, A., and Holz, T. Tracking DDoS Attacks: Insights into the Business of Disrupting the Web. In USENIX Workshop on Large-Scale Exploits and Emergent Threats (2012).Google Scholar
- Cardoso de Santanna, J., Durban, R., Sperotto, A., and Pras, A. Inside Booters: an analysis on operational databases. In IFIP/IEEE International Symposium on Integrated Network Management (2015).Google Scholar
- Cardoso de Santanna, J., and Sperotto, A. Characterizing and Mitigating the DDoS-as-a-Service Phenomenon. In AIMS (2014).Google Scholar
- Chromik, J., Cardoso de Santanna, J., Sperotto, A., and Pras, A. Booter websites characterization: Towards a list of threats. In Brazilian Symposium on Computer Networks and Distributed Systems (2015).Google Scholar
- Collier, B., Thomas, D. R., Clayton, R., and Hutchings, A. Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks. In IMC (2019).Google Scholar
- Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., and Karir, M. Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks. In ACM IMC (2014).Google Scholar
- Dittrich, D. The DoS Project's 'trinoo' distributed denial of service attack tool. https://staff.washington.edu/dittrich/misc/trinoo.analysis, 1999.Google Scholar
- Douglas, D., Santanna, J., Schmidt, R., Granville, L., and Pras, A. Booters: can anything justify distributed denial-of-service (DDoS) attacks for hire? Journal of Information, Communication and Ethics in Society 15, 01 (2017).Google ScholarCross Ref
- Hohlfeld, O. Operating a DNS-based active internet observatory. In ACM SIGCOMM Poster (2018).Google Scholar
- Hutchings, A., and Clayton, R. Exploring the provision of online booter services. Deviant Behavior 37, 10 (2016).Google ScholarCross Ref
- Interfax-Ukraine. Poroshenko reports on DDoS-attacks on Ukrainian CEC from Russia on Feb. 24-25. https://www.kyivpost.com/ukraine-politics/poroshenko-reports-on-ddos-attacks-on-ukrainian-cec-from-russia-on-feb-24-25.html, 2019.Google Scholar
- Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A., and Dainotti, A. Millions of targets under attack: a macroscopic characterization of the DoS ecosystem. In ACM IMC (2017).Google Scholar
- Karami, M., and McCoy, D. Rent to Pwn: Analyzing Commodity Booter DDoS Services. In USENIX (2013).Google Scholar
- Karami, M., and McCoy, D. Understanding the Emerging Threat of DDoS-as-a-service. In USENIX Workshop on Large-Scale Exploits and Emergent Threats (2013).Google Scholar
- Karami, M., and McCoy, D. Understanding the emerging threat of ddos-as-a-service. In LEET (2013).Google Scholar
- Karami, M., Park, Y., and McCoy, D. Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services. In WWW (2016).Google Scholar
- Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., and Rossow, C. AmpPot: Monitoring and Defending Against Amplification DDoS Attacks. In International Workshop on Recent Advances in Intrusion Detection (RAID) (2015), Springer, pp. 615--636.Google Scholar
- Krebs, B. KrebsOnSecurity Hit With Record DDoS. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos, 2016.Google Scholar
- Krebs, B. UK Man Gets Two Years in Jail for Running 'Titanium Stresser' Attack-for-Hire Service. https://krebsonsecurity.com/2017/04/uk-man-gets-two-years-in-jail-for-running-titanium-stresser-attack-for-hire-service/, 2017.Google Scholar
- Krebs, B. DDoS-for-Hire Service Webstresser Dismantled. https://krebsonsecurity.com/2018/04/ddos-for-hire-service-webstresser-dismantled/, 2018.Google Scholar
- Krebs, B. Feds Charge Three in Mass Seizure of Attack-for-hire Services. https://krebsonsecurity.com/2018/12/feds-charge-three-in-mass-seizure-of-attack-for-hire-services/, 2018.Google Scholar
- Krebs, B. 250 Webstresser Users to Face Legal Action. https://krebsonsecurity.com/2019/02/250-webstresser-users-to-face-legal-action/, 2019.Google Scholar
- Krupp, J., Karami, M., Rossow, C., McCoy, D., and Backes, M. Linking amplification DDoS attacks to booter services. In International Symposium on Research in Attacks, Intrusions, and Defenses (2017).Google ScholarCross Ref
- Kuhnert, B., Steinberger, J., Baier, H., Sperotto, A., and Pras, A. Booters and Certificates: An Overview of TLS in the DDoS-as-a-Service Landscape. In 2nd International Conference on Advances in Computation, Communications and Services, ACCSE (2017).Google Scholar
- Lab, K. Research reveals hacker tactics: Cybercriminals use ddos as smokescreen for other attacks on business. https://www.kaspersky.com/about/press-releases/2016research-reveals-hacker-tactics-cybercriminals-use-ddos-as-smokescreen-for-other-attacks-on-business, 2016.Google Scholar
- Lichtblau, F., Streibelt, F., Krüger, T., Richter, P., and Feldmann, A. Detection, Classification, and Analysis of Inter-domain Traffic with Spoofed Source IP Addresses. In ACM IMC (2017).Google Scholar
- Mohamed, J. Daily Mirror: Hackers attack the Stock Exchange: Cyber criminals take down website for more than two hours as part of protest against world's banks. http://www.dailymail.co.uk/news/article-3625656/Hackers-attack-Stock-Exchange-Cyber-criminals-website-two-hours-protest-against-world-s-banks.html, 2016.Google Scholar
- Moore, D., Voelker, G., and Savage, S. Inferring Internet Denial-of-Service Activity. In USENIX Security Symposium (Washington, D.C., Aug 2001).Google ScholarCross Ref
- Morales, C. NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us. https://asert.arbornetworks.com/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/, 2018.Google Scholar
- Noroozian, A., Korczyński, M., Gañan, C., Makita, D., Yoshioka, K., and van Eeten, M. Who gets the boot? Analyzing victimization by DDoS-as-a-Service. In International Symposium on Research in Attacks, Intrusions, and Defenses (2016), Springer.Google ScholarCross Ref
- Prince, M. The DDoS That Knocked Spamhaus Offline (And How We Mitigated It). https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/, 2013.Google Scholar
- Prince, M. Technical Details Behind a 400Gbps NTP Amplification DDoS Attack. https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/, 2014.Google Scholar
- Richter, P., Smaragdakis, G., Feldmann, A., Chatzis, N., Boettger, J., and Willinger, W. Peering at Peerings: On the Role of IXP Route Servers. In ACM IMC (2014).Google Scholar
- Rossow, C. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. NDSS (2014).Google Scholar
- Ryba, F. J., Orlinski, M., Wählisch, M., Rossow, C., and Schmidt, T. C. Amplification and DRDoS Attack Defense-A Survey and New Perspectives. arXiv preprint arXiv:1505.07892 (2015).Google Scholar
- Santanna, J., de Vries, J., de O. Schmidt, R., Tuncer, D., Z. Granville, L., and Pras, A. Booter list generation: The basis for investigating DDoS-for-hire websites. International journal of network management 28 (Jan 2018).Google Scholar
- Santanna, J., Schmidt, R., Tuncer, D., Sperotto, A., Granville, L., and Pras, A. Quiet dogs can bite: Which booters should we go after, and what are our mitigation options? IEEE Communications Magazine 55, 7 (2017).Google ScholarCross Ref
- Santanna, J. J., d. O. Schmidt, R., Tuncer, D., de Vries, J., Granville, L. Z., and Pras, A. Booter blacklist: Unveiling DDoS-for-hire websites. In International Conference on Network and Service Management (CNSM) (2016).Google ScholarCross Ref
- Santanna, J. J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L. Z., and Pras, A. Booters - An analysis of DDoS-as-a-service Attacks. IFIP/IEEE International Symposium on Integrated Network Management (2015).Google ScholarCross Ref
- SC Media UK. OVH suffers 1.1Tbps DDoS attack. https://www.scmagazineuk.com/ovh-suffers-11tbps-ddos-attack/article/532197/, 2016.Google Scholar
- Scheitle, Q., Hohlfeld, O., Gamba, J., Jelten, J., Zimmermann, T., Strowes, S. D., and Vallina-Rodriguez, N. A long way to the top: Significance, structure, and stability of internet top lists. In ACM IMC (2018).Google Scholar
- Sipgate. The Sipgate DDoS Story. https://medium.com/@sipgate/ddos-attacke-auf-sipgate-a7d18bf08c03, 2014.Google Scholar
- Technologies, A. 2018 State of the Internet / Security: A Year in Review. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2018-state-of-the-internet-security-a-year-in-review.pdf, 2018.Google Scholar
- Thomas, D. R., Clayton, R., and Beresford, A. R. 1000 days of UDP amplification DDoS attacks. In APWG Symposium on Electronic Crime Research (eCrime) (2017), IEEE, pp. 79--84.Google ScholarCross Ref
- Times, N. Y. Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool. https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html, 2017.Google Scholar
- Traynor, I. Russia accused of unleashing cyberwar to disable Estonia. https://www.theguardian.com/world/2007/may/17/topstories3.russia, 2007.Google Scholar
- US-CERT. UDP-Based Amplification Attacks. https://www.us-cert.gov/ncas/alerts/TA14-017A, 2018.Google Scholar
- US Department of Justice. Criminal Charges Filed in Los Angeles and Alaska in Conjunction with Seizures Of 15 Websites Offering DDoS-For-Hire Services. https://www.justice.gov/opa/pr/criminal-charges-filed-los-angeles-and-alaska-conjunction-seizures-15-websites-offering-ddos, 2018.Google Scholar
- Zand, A., Modelo-Howard, G., Tongaonkar, A., Lee, S., Kruegel, C., and Vigna, G. Demystifying DDoS as a Service. IEEE Communications Magazine 55, 7 (2017).Google ScholarCross Ref
- ZDNet. GitHub hit with the largest DDoS attack ever seen. https://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/, 2018.Google Scholar
- Zhang, W., Bai, X., Chen, C., and Chen, Z. Booter Blacklist Generation Based on Content Characteristics. In International Conference on Collaborative Computing: Networking, Applications and Worksharing (2018), Springer.Google Scholar
Index Terms
- DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown
Recommendations
United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityAmplification Distributed Denial of Service (DDoS) attacks' traffic and harm are at an all-time high. To defend against such attacks, distributed attack mitigation platforms, such as traffic scrubbing centers that operate in peering locations, e.g., ...
Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks
IMC '19: Proceedings of the Internet Measurement ConferenceIllegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of intervention aimed at those using and offering booter services, including ...
Survey of network-based defense mechanisms countering the DoS and DDoS problems
This article presents a survey of denial of service attacks and the methods that have been proposed for defense against these attacks. In this survey, we analyze the design decisions in the Internet that have created the potential for denial of service ...
Comments