DOI: 10.1145/3355369.3355592
research-article

Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks

Published: 21 October 2019

ABSTRACT

Illegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of intervention aimed at those using and offering booter services, including arrests and website takedown. In order to measure the impact of these interventions we look at the usage reports that booters themselves provide and at measurements of reflected UDP DoS attacks, leveraging a five year measurement dataset that has been statistically demonstrated to have very high coverage. We analysed time series data (using a negative binomial regression model) to show that several interventions have had a statistically significant impact on the number of attacks. We show that, while there is no consistent effect of highly-publicised court cases, takedowns of individual booters precede significant, but short-lived, reductions in recorded attack numbers. However, more wide-ranging disruptions have much longer effects. The closure of HackForums' booter market reduced attacks for 13 weeks globally (and for longer in particular countries) and the FBI's coordinated operation in December 2018, which involved both takedowns and arrests, reduced attacks by a third for at least 10 weeks and resulted in lasting change to the structure of the booter market.


Published in

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN: 9781450369480
DOI: 10.1145/3355369

Copyright © 2019 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

IMC '19 Paper Acceptance Rate: 39 of 197 submissions, 20%
Overall Acceptance Rate: 277 of 1,083 submissions, 26%
