[Guest lecturer]
Place: University of Twente
Course: Product Design to Online Business (Module 7)
Audience: students of industrial engineering (Technische Bedrijfskunde - TBK) and business information technology (BIT)
Two Goals
What have I been doing to shut down Booters' services?
Does a similar approach pose a threat to your (future) product?
What threat do DDoS attacks pose to your (future) product?
[Figure: number of Booters (0 to 250) over time (2010 to 2020); series: Registration Date, Expiration Date, Registration Interval, First Passive DNS; 284 Booters]
Prices
The Booter Phenomenon: They Are a Legion
José Jair Santanna*, Joey de Vries*, Anna Sperotto*, Lisandro Zambenedetti Granville†, and Aiko Pras*
* University of Twente, The Netherlands
E-mail: j.j.santanna, j.devries-1, a.sperotto, a.pras@utwente.nl
† Federal University of Rio Grande do Sul
E-mail: granville@inf.ufrgs.br
Abstract—Distributed Denial of Service (DDoS) is a type of network attack that aims to make target systems unreachable. In the past, performing DDoS attacks required specialized knowledge from attackers. Nowadays, however, even inexperienced Internet users are able to launch those attacks. Thanks to Booters, websites that offer DDoS as a service, anyone can launch attacks at prices starting from 5 Dollars. The goal of this paper is to increase awareness about the Booter phenomenon. By analyzing an extensive list of Booters we reveal how they have evolved over time, to whom/where their IP addresses point, their pricing schemas, and the severity of the services they offer.
I. INTRODUCTION
Distributed Denial of Service (DDoS) is a type of network attack that makes target systems unreachable by overloading the targets' resources (e.g., network connectivity and computer memory). Famous DDoS episodes against Internet services include a 300 Gbps attack against SpamHaus in 2013 [1] and a 400 Gbps attack against a CloudFlare customer in 2014 [2], the largest attack reported so far. As a result, DDoS accounts for millions in revenue losses, reputation damage, and degradation of the relationship between customers and companies.
DDoS involves a sophisticated orchestration of third-party compromised machines that, under the control of an attacker, generate harmful traffic against a target victim. Performing a DDoS attack requires specialized knowledge from the attacker, especially in disciplines such as network protocols, distributed systems, and computer security. More recently, however, even inexperienced Internet users have become able to carry out DDoS attacks thanks to the phenomenon usually referred to as Booters [3].
Booters are websites that offer hundreds of DDoS attacks as services, today typically charging prices starting from 5 USD. Booters encapsulate DDoS attacks inside Web systems that dispense with the experienced attacker. As such, ordinary, non-technical Internet users can easily order DDoS attacks against victim systems or users. The consequence is that the amount of potential DDoS attacks is no longer bound to the number of expert attackers; it is now a function of the number of users willing to pay for the service, regardless of their level of technical expertise.
Although there are ongoing investigations into the Booter phenomenon, our goal in this article is to present a comprehensive landscape of Booters. To that end, we analyze the most extensive list of Booters to date and show how Booters have evolved over recent years. With that, our three main contributions in this article are:
• We propose a methodology to find and catalog hundreds of Booters;
• We show how Booters have evolved over the last years, based on historical data collected in North American networks;
• We provide an analysis of the Booters' market by revealing the characteristics of offered services and the pricing schemas used by Booters.
We present the Booters' current landscape according to the following organization. First, in the next Section, we describe the steps we took to create a comprehensive list of Booters. Afterwards, we utilize this list of Booters to analyze four main aspects: (i) the evolution of Booters over time, (ii) the IP addresses that Booter websites point to and their relationship with DDoS protection companies, (iii) the pricing schemas in the Booter market, and (iv) the characteristics of services offered by Booters. We finally conclude this article by summarizing our findings and discussing future perspectives.
II. CATALOGING BOOTERS
The first public signs of the Booter phenomenon appeared in 2012 [4], and already in 2013 Booters became popular because of the significant number of DDoS attacks ascribed to users of Booter websites [5]. That emphasized the severity of the phenomenon and motivated security specialists to investigate it. Inspired by the work of Krebs [6], Orgy [7], and an anonymous author [8], we draw the picture of the phenomenon by first creating a comprehensive list of Booters.
[Fig. 1. Booter list generation workflow. Components shown: Booter Crawler, Booter Classifier, Keywords, Passive DNS, TLD Query, Booter-Related, Collaborators' Lists, Booter List, BDN, BDN+]
The workflow of our methodology, depicted in Figure 1, starts with the Booter Crawler. It systematically searches the
[Figure: number of Booters (0 to 90) per accepted payment system: PayPal, Bitcoin, Paysafecard, CoinPayments, Starpass, Skrill, Litecoin, Youpass, Creditcard, OKPay, Payza, Liberty Reserve, RSGP, Perfect Money, TrueMoney]
Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services
Mohammad Karami, George Mason University
Youngsam Park, University of Maryland, College Park
Damon McCoy, International Computer Science Institute
ABSTRACT
DDoS-for-hire services, also known as booters, have commoditized DDoS attacks and enabled abusive subscribers of these services to cheaply extort, harass and intimidate businesses and people by knocking them offline. However, due to the underground nature of these booters, little is known about their underlying technical and business structure. In this paper we empirically measure many facets of their technical and payment infrastructure. We also perform an analysis of leaked and scraped data from three major booters—Asylum Stresser, Lizard Stresser and VDO—which provides us with an in-depth view of their customers and victims. Finally, we conduct a large-scale payment intervention in collaboration with PayPal and evaluate its effectiveness. Based on our analysis we show that these services are responsible for hundreds of thousands of DDoS attacks and identify potentially promising methods of increasing booters' costs and undermining these services.
1. INTRODUCTION
Distributed Denial-of-Service (DDoS) attacks are becoming a growing threat with high profile DDoS attacks disrupting many large scale gaming services, such as Microsoft's XBox Live and Sony's PlayStation networks at the end of 2014 [4]. These attacks were later claimed to be launched by the Lizard Squad as advertisements for their new DDoS-for-hire service called Lizard Stresser [3]. There is a long line of technical work exploring how to detect and mitigate these types of attacks [9,10,14,20,21,23,24,33].
However, a large amount of DDoS attacks are being launched by relatively unsophisticated attackers that have purchased subscriptions to low-cost DDoS-for-hire (commonly called booter) services. These services are operated by profit-motivated adversaries that have scaled up their DDoS infrastructure to meet the increasing demand for DDoS attacks. Despite the threat they pose, little is known about the structures of these booter services and potential weaknesses in their operations that could be used to undermine them.
In this paper we undertake a large scale measurement study of these booter services to understand how they are structured both technologically and economically with the focus of isolating potential weaknesses. We explore booters from three different angles including analysis of leaked and scraped data, measurements of their attack infrastructure and a payment intervention. Our analysis of leaked and scraped data from three booters—Asylum Stresser, Lizard Stresser and VDO¹—demonstrates that these services have attracted over 6,000 subscribers and have launched over 600,000 attacks. We also find that the majority of booter customers prefer paying via PayPal and that Lizard Stresser, which only accepted Bitcoin, had a minuscule 2% sign-up to paid subscriber conversion rate compared to 15% for Asylum Stresser and 23% for VDO, which both accepted PayPal. By analyzing attack traffic directed at our own servers we are able to characterize the set of amplifiers they use to direct large amounts of traffic at their victims. In order to measure the resilience of their payment infrastructure, we conduct a payment intervention in collaboration with PayPal. Our evaluation of the effectiveness of this approach suggests that it is a promising method for reducing the subscriber base of booters.
In this paper, we further our understanding of the booter ecosystem through our measurements. Based on this we identify potential improvements to ongoing efforts to disrupt their attack infrastructure and an alternative and possibly more effective method of undermining these services by targeting their payment infrastructure. Overall, we find a few places where costs might be marginally increased by more precisely mapping out and targeting parts of their attack infrastructure. We document how a large-scale payment intervention by PayPal impacts booters, including service closures. Finally, we detail some of their strategies for evading detection by PayPal and discuss how these increase the effort and costs associated with performing an ongoing payment intervention.
¹ We assign each booter service a unique three letter code based on their domain name to avoid unintentionally advertising their services. The two exceptions are Asylum Stresser, which ceased operation before our study and Lizard Stresser, which has already been highly publicized.
arXiv:1508.03410v1 [cs.CR] 14 Aug 2015
23 Booters
Passive DNS data
1434735481, Q(Q), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, quezstresser.com.
1434735481, Q(R), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, quezstresser.com., NOERROR
1434735481, R(ANS), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, 185.62.190.40
1434832019, Q(Q), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, stagestresser.com.
1434832019, Q(R), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, stagestresser.com., NOERROR
1434832019, R(ANS), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, 141.101.118.99
1434832019, R(ANS), c861aaa8307395e94c0bc1d88e9846ff168071252198640801b108219b3899be, IN, A, 141.101.118.98
*Roland
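As an added example (not part of the lecture or of either paper), this Python snippet parses passive DNS records in the layout shown on the slide and derives, per Booter domain, the resolved A-record IPs and the first-seen date, which is the quantity behind the "First Passive DNS" series of the evolution figure. The field layout (timestamp, record kind, sensor id, class, type, value, optional rcode) is assumed from the slide, and the sample records are constructed from it with a shortened sensor id.

```python
"""Passive DNS records (slide layout) -> per-domain IPs and first-seen date.
Added example, not from the lecture or the papers; the field layout
(timestamp, kind, sensor id, class, type, value[, rcode]) is assumed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the slide's layout; sensor id shortened.
SAMPLE = """\
1434735481, Q(Q), c861aaa8, IN, A, quezstresser.com.
1434735481, Q(R), c861aaa8, IN, A, quezstresser.com., NOERROR
1434735481, R(ANS), c861aaa8, IN, A, 185.62.190.40
1434832019, Q(Q), c861aaa8, IN, A, stagestresser.com.
1434832019, Q(R), c861aaa8, IN, A, stagestresser.com., NOERROR
1434832019, R(ANS), c861aaa8, IN, A, 141.101.118.99
1434832019, R(ANS), c861aaa8, IN, A, 141.101.118.98
"""

def parse_pdns(text):
    """Return {domain: {"first_seen": datetime, "ips": set}}. An R(ANS) line
    carries no name, so it is tied to the Q(R) line sharing its timestamp
    and sensor id; non-NOERROR responses are skipped (no address existed)."""
    out, pending = {}, {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 6:
            continue
        ts, kind, sensor, _cls, rrtype, value = fields[:6]
        if rrtype != "A":
            continue
        key = (ts, sensor)
        if kind == "Q(R)":
            if len(fields) < 7 or fields[6] != "NOERROR":
                continue
            domain = value.rstrip(".").lower()
            pending[key] = domain
            seen = datetime.fromtimestamp(int(ts), tz=timezone.utc)
            entry = out.setdefault(domain, {"first_seen": seen, "ips": set()})
            entry["first_seen"] = min(entry["first_seen"], seen)
        elif kind == "R(ANS)" and key in pending:
            out[pending[key]]["ips"].add(value)
    return out

def booters_by_first_year(records):
    """Counts behind the 'First Passive DNS' series: domains first seen per year."""
    counts = defaultdict(int)
    for entry in records.values():
        counts[entry["first_seen"].year] += 1
    return dict(counts)
```

Run over a full passive DNS feed, the first-seen dates give the yearly histogram the figure plots, and the IP sets are the input for checking which Booter front ends sit behind DDoS protection providers.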