DOI: 10.1145/3355369.3355590
research-article

DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown

Published: 21 October 2019

Abstract

Booter services continue to provide popular DDoS-as-a-service platforms and enable anyone, irrespective of their technical ability, to execute DDoS attacks with devastating impact. Since booters are a serious threat to Internet operations and can cause significant financial and reputational damage, they also draw the attention of law enforcement agencies and related counter activities. In this paper, we investigate booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting 15 booter websites in December 2018 from the perspective of a major IXP and two ISPs. We study and compare attack properties of multiple booter services by launching Gbps-level attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters, we scrutinize 5 months' worth of inter-domain traffic. We observe that the takedown only leads to a temporary reduction in attack traffic. Additionally, one booter was found to quickly continue operation by using a new domain for its website.

Published In

IMC '19: Proceedings of the Internet Measurement Conference
October 2019
497 pages
ISBN:9781450369480
DOI:10.1145/3355369

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Booter
  2. DDoS
  3. DDos-for-Hire
  4. ISP
  5. IXP
  6. Internet Security
  7. Stresser

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • Bundesministerium für Bildung und Forschung
  • Horizon 2020
  • SIDN fonds

Conference

IMC '19
IMC '19: ACM Internet Measurement Conference
October 21 - 23, 2019
Amsterdam, Netherlands

Acceptance Rates

IMC '19 Paper Acceptance Rate 39 of 197 submissions, 20%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (Last 12 months): 55
  • Downloads (Last 6 weeks): 4

Reflects downloads up to 16 Feb 2025

Cited By

  • (2024) The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments. Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 259-279. DOI: 10.1145/3646547.3688451. Online publication date: 4-Nov-2024
  • (2024) Flow Interaction Graph Analysis: Unknown Encrypted Malicious Traffic Detection. IEEE/ACM Transactions on Networking 32:4, pp. 2972-2987. DOI: 10.1109/TNET.2024.3370851. Online publication date: Aug-2024
  • (2024) No Easy Way Out: the Effectiveness of Deplatforming an Extremist Forum to Suppress Hate and Harassment. 2024 IEEE Symposium on Security and Privacy (SP), pp. 717-734. DOI: 10.1109/SP54263.2024.00007. Online publication date: 19-May-2024
  • (2023) SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), pp. 576-591. DOI: 10.1109/EuroSP57164.2023.00041. Online publication date: Jul-2023
  • (2022) Moving Target Defense-Based Denial-of-Service Mitigation in Cloud Environments. Security and Communication Networks 2022. DOI: 10.1155/2022/2223050. Online publication date: 1-Jan-2022
  • (2022) MalNet. Proceedings of the 22nd ACM Internet Measurement Conference, pp. 472-487. DOI: 10.1145/3517745.3561463. Online publication date: 25-Oct-2022
  • (2021) The far side of DNS amplification. Proceedings of the 21st ACM Internet Measurement Conference, pp. 419-434. DOI: 10.1145/3487552.3487835. Online publication date: 2-Nov-2021
  • (2021) Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 940-954. DOI: 10.1145/3460120.3484747. Online publication date: 12-Nov-2021
  • (2021) DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks. Passive and Active Measurement, pp. 284-301. DOI: 10.1007/978-3-030-72582-2_17. Online publication date: 30-Mar-2021
  • (2020) Into the DDoS maelstrom: a longitudinal study of a scrubbing service. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 550-558. DOI: 10.1109/EuroSPW51379.2020.00081. Online publication date: Sep-2020
