DDoS attacks are too easy to launch: How effective are booter take downs?

DDoS attacks services are becoming so cheap and easy to use that even grandma can launch an attack. Are current protective measures enough?

The widely known DDoS (Distributed Denial of Service) attacks have been a major threat to Internet security and availability for over two decades. Their goal: to interrupt services by consuming critical resources: computation power or bandwidth, with a motivation of anything from political, financial, cyber warfare, deflecting from other attacks to hackers just testing their limits. Since they were first observed, these attacks have grown in both size and sophistication. By spoofing source IP addresses, traffic is not being amplified and reflected towards. Additionally, they are becoming more available. One can purchase booters and stressers for as little as the price of a cup of coffee and launch them with little technical background, enabling anyone the power to launch an attack. This is enough to keep cyber security experts on their toes as well as draw the attention of law enforcement agencies.

The more DDoS attacks become prevalent to everyday network operations, the more necessary it is to study their behavior and impact as well as the impact of current mitigation methods in order to determine network security methods.  Earlier this year, BENOCS, DE-CIX, University of Twente and Brandenburg University of Technology teamed up to study this topic and answer the following questions:

  • What is it like to be attacked and how are they amplified on larger networks, such as Tier-1 and Tier -2 ISPs as well as IXP?
  • What happens to booter websites after they have been taken down by law enforcement?

With an abundance of research focused on different aspects of booters – especially their financial impact – little attention has been given to an empirical observation of attacks as well as how effective an FBI take down of booters actually is. With something this serious stalking the network, thorough investigations and studies need to be performed in order to learn their behavior and figure out better ways to combat booter services.

Watch the video to see Daniel Kopp from DE-CIX present the study at ACM IMC, 2019

In order to draw conclusions on a DDoS attack landscape, one must first observe it in it in the wild. However, given the duration of attacks (just a few minutes), it is hard to predict where and when one will be launched. Instead of waiting for an attack, the researchers launched their own by purchasing four booter services selected from the booter blacklist – including the more expensive VIP booters on a network they had built up themselves.* From this, they were able to see where the booters directed the traffic, how they worked and to see which services were used for amplification as well as to guess the amount of amplification. On top of that, the researchers provided the first look into whether or not the attacks live up to their sale promises. The actual attacks were performed by passively capturing all traffic of the measurement platform. They showed that the booters lived up to the expectation to attack the specified targets (mostly using NTP amplification attacks), but the VIP services did not deliver on their promised attack volumes ­– as much as 75% less.

*Given the legal and ethical implications of purchasing such booters as well as the damage they can cause on a network, extra steps were taken by the team to comply with laws and cause minimal destruction.

As an attempt to cease some control over DDoS attacks, the FBI tracks down booter websites and removes booter services. But how effective is that really? In addition to observing how large these attacks can be, this research team also wanted to know what is saved by taking these sites down. The answer: not a lot. By taking weekly snapshots of all .com/.net/.org domains and booter top 1M domains, they were able to identify 58 booter services and followed them over a period of 122 days. What they discovered was the takedowns do lead to a sharp reduction of DDoS traffic on the network, however, no significant reduction when hitting the victims’ systems. Additionally, booter services, after a take down, are capable of relaunching under different domains, allowing them to continue business as usual just weeks after being deactivated. Therefore, simply taking down a booter service is not a long-term sustainable solution.

DDoS attacks are a serious threat to the network ecosystem ­­– anyone and everyone connected to the internet is a target, especially IoT devices that never receive udpdates – and current methods of trying to eliminate them, as this study has shown, are not sufficient nor sustainable. In order to find better solutions that reduce the amount of DDoS attacks bought and sold, further research is required, especially on the effects of the booter economy after an FBI take down. This research particular study will remain ongoing until 2022, which will test the capabilities of artificial intelligence and new developments in DDoS protection.

The information in this post comes from the ACM IMC paper “DDoS Hide and Seek: On the Effectiveness of a Booter Service Takedown”.

See the press release for this paper here.

Click here to read more studies to which Benocs data and technology contributed