February 26, 2019
Last year, the FBI cracked down on the world’s 15 biggest DDoS-for-hire websites, known as “booters”, which are believed to have mounted more than 200,000 attacks since 2014. Thanks to these enforcement efforts, attack activity decreased noticeably in Q4, especially in December following the high-profile takedown. In fact, cracking down on booter sites and seizing the command-and-control (C&C) servers of botnets used to generate DDoS attacks and commit other crimes have long been part of the FBI’s cybercrime fighting campaign.
Figure 1. FBI Seized the Website of a Booter
The headache that won’t go away
In 2011, the FBI obtained a court order authorizing it to seize 29 domain names used to control the notorious Coreflood botnet and to redirect traffic intended for its operators to FBI servers. Earlier last year, it seized control of a C&C server behind a botnet of 500,000 hacked routers, allegedly built and controlled by Russia.
To combat cybercrime, US and other nations’ law enforcement agencies will, as expected, carry on their efforts to crack down on DDoS attack weapons such as booters and C&C servers. But despite these collaborative efforts, will the headache of DDoS attacks simply go away, ushering in a new era of peace in the cyberworld?
While traditional botnets are largely made up of computers compromised by malware, it is evident that botnet builders will continue to find ways to exploit the security vulnerabilities of internet-connected devices. The spread of the source code of Mirai, a malware that turns networked devices running Linux into bots, demonstrates this trend. The release of the Mirai source code immediately fueled the exponential growth of botnets. The Satori malware, which evolved from Mirai, was further advanced to exploit zero-day vulnerabilities in other types of IoT devices.
Compared with tracking down C&C servers and alerting the owners of compromised devices, booter websites are more visible and accessible via search engines, so shutting them down requires less effort. Having said that, we believe that the December crackdown only scratched the surface of the global problem. Since a paid attack can easily be launched against a victim in another country, law enforcement agencies across countries have yet to intensify cross-border intelligence sharing, for example via Interpol.
The root cause of botnets as a global problem, after all, stems from hardware and software vulnerabilities, human ignorance or simply gullibility, all of which leave room for malware such as Mirai and Satori to find devices and take control of them. Patching all vulnerabilities and raising security awareness across all levels of users is, in theory, the way out. In reality it is easier said than done, which suggests that botnets and DDoS-for-hire services will not disappear any time soon.
DDoS attacks made easy and affordable
On one typical booter website we looked at, the price of a 50 Gbps attack at layers 3/4 is quoted at a mere US$30. With a budget of US$300, you can buy a dedicated 216 Gbps attack against layers 3/4 and 7 of the target website for just US$299.99. In other words, booter websites make DDoS attack-as-a-service easy and cost-effective.
Figure 3. Examples of Some Selected Service Plans
| Service detail | Range / options |
| --- | --- |
| Price (USD) | 3 to 299.99 |
| Attack size (Gbps) | 0.5 to 216 |
| Duration (seconds) | 30 to 10800 |
| No. of concurrent attacks | 1 to 4 |
| Available types of attack | NTP, SSDP, DNS, CHARGEN, LDAP, SNMP, ZAP, MSSQL, PORTMAP, HTTP GET/POST, TCP SYN, Slowloris, etc. |
Table 1. Example of Service Details of Booters
There is no question that using any booter website, very often disguised as a tool to "stress test" your own website, is illegal. Even if the “user” of a booter website claims to “own” the target website by adding a meta tag or uploading an HTML file to it, the legal owner of a domain name is always the person and/or organization listed as the domain’s registrant or owner contact. In that sense, once the user fires an attack through a booter site, they have already violated the laws that apply to DDoS attacks, e.g. those listed on the Department of Justice Cybercrime website if the attack is carried out within the US.
One side effect of using a booter website is unintended attack traffic. It is no secret that network attacks such as TCP floods and SYN floods are very often masked behind spoofed source IPs. If a spoofed IP happens to belong to a live host and the victim replies to it, the resulting SYN/ACK responses amount to yet another attack, this time against the owner of the spoofed address. In this scenario, it takes more effort and expertise for a law enforcement agency to determine whether the owner of the source IP is a suspect or simply an innocent bystander.
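The backscatter scenario described above can be told apart from a genuine outbound SYN flood by checking whether the local host ever sent the SYN that a SYN/ACK or RST claims to answer. The following detector is an added illustration, not code from the original article; it assumes a constructed log format of `timestamp src dst flags` and uses RFC 5737 documentation addresses as sample data.

```python
"""Separate solicited TCP replies from SYN/ACK backscatter (unsolicited replies
a flood victim sends to a spoofed source). Added example, not the article's code.
Constructed log format: '<timestamp> <src_ip> <dst_ip> <flags>'."""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: 198.51.100.0/24 is the network we monitor. 203.0.113.7 is
# a flood victim elsewhere answering SYNs that were spoofed with 198.51.100.5.
SAMPLE_LOG = """\
1 198.51.100.9 192.0.2.80 S
2 192.0.2.80 198.51.100.9 SA
3 198.51.100.9 192.0.2.80 A
4 203.0.113.7 198.51.100.5 SA
5 203.0.113.7 198.51.100.5 SA
6 203.0.113.7 198.51.100.5 SA
7 203.0.113.7 198.51.100.5 R
"""

def parse(log):
    """Parse one record per line into (timestamp, src, dst, flags) tuples."""
    records = []
    for line in log.splitlines():
        ts, src, dst, flags = line.split()
        records.append((int(ts), src, dst, flags))
    return records

def classify(records, local_net):
    """Count, per local host, SYNs it sent ('initiated'), replies that match
    one of those SYNs ('solicited'), and replies that match none ('backscatter')."""
    net = ipaddress.ip_network(local_net)
    outstanding = set()            # (local, remote) pairs where local sent a SYN
    stats = defaultdict(Counter)
    for _ts, src, dst, flags in sorted(records):
        if ipaddress.ip_address(src) in net and flags == "S":
            outstanding.add((src, dst))
            stats[src]["initiated"] += 1
        elif ipaddress.ip_address(dst) in net and flags in ("SA", "R", "RA"):
            key = "solicited" if (dst, src) in outstanding else "backscatter"
            stats[dst][key] += 1
    return stats

def backscatter_targets(records, local_net, threshold=3):
    """Local hosts that received >= threshold unsolicited replies and sent no
    SYNs themselves: their address was most likely spoofed by someone else."""
    stats = classify(records, local_net)
    return sorted(h for h, c in stats.items()
                  if c["backscatter"] >= threshold and c["initiated"] == 0)
```

A host listed by `backscatter_targets` is receiving a flood victim's replies without ever opening a connection, which is the evidence that distinguishes an innocent spoofed address from an attacking one.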
Botnets, DDoS-for-hire won’t disappear any time soon
For the layman, carrying out DDoS attacks no longer requires coding or hacking skills and is now just a few clicks away. Growing bandwidth, faster connection speeds, and unpatched or as yet unknown hardware and software vulnerabilities will only make DDoS attacks a persistent headache despite continued law enforcement efforts.