[Guest lecturer]
Place: University of Twente
Course: Product Design to Online Business (Module 7)
Audience: students of industrial engineering (Technische Bedrijfskunde - TBK) and business information technology (BIT)
21. Fingerprinting Booters
Understanding Who Is Behind Attacks
José Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
ODOLOGY
igation is to fingerprint
perform
need at least two samples of the same type of attack
at different moments. However, those two samples
can be different in terms of days, hours, seconds,
and so on. Therefore by considering a huge
er of combinations, we simplify our measure-
al weeks. In the first week,
ents, which we
Booters - An Analysis of DDoS-as-a-Service Attacks
José Jair Santanna*, Roland van Rijswijk-Deij*†, Rick Hofstede*, Anna Sperotto*,
Mark Wierbosch*, Lisandro Zambenedetti Granville‡, Aiko Pras*
* University of Twente, The Netherlands
{j.j.santanna, r.m.vanrijswijk, r.j.hofstede, a.sperotto, a.pras}@utwente.nl
m.b.wierbosch@student.utwente.nl
† SURFnet bv, The Netherlands
roland.vanrijswijk@surfnet.nl
‡ Federal University of Rio Grande do Sul, Brazil
granville@inf.ufrgs.br
Abstract—In 2012, the Dutch National Research and Education
Network, SURFnet, observed a multitude of Distributed
Denial of Service (DDoS) attacks against educational institutions.
These attacks were effective enough to cause the online exams of
hundreds of students to be cancelled. Surprisingly, these attacks
were purchased by students from websites, known as Booters.
These sites provide DDoS attacks as a paid service (DDoS-as-a-Service)
at costs starting from 1 USD. Since this problem was
identified by SURFnet, Booters have been used repeatedly
ks on schools in SURFnet’s constituency. Very
out the characteristics of Booters,
structure. This is vital
his paper we
e
about the characteristics of the attacks that they perform, which
is essential knowledge for mitigating their attacks.
The goal of this paper is to create awareness around Booter
attacks. In our study, we investigate the characteristics of
Booter attacks in terms of the volume of generated traffic
as well as the service and networking infrastructure used by
Booters. Finally, based on our measurements, we discuss possible
defense mechanisms and the relationship between Booters
and DDoS protection services. We performed measurements
to analyze the attacks generated by Booters on our own
infrastructure. We investigated more than 250 GB of traffic.
We intend to make all data acquired during our experiments
ilable to interested researchers.
a vast amount of literature on DDoS
s [5], [6], [7], [8], [9], this
first to present
ers.
Inside Booters:
An Analysis on Operational Databases
José Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Romain Durban
INSA of Toulouse
romain.durban@gmail.com
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
Abstract—Distributed Denial of Service (DDoS) attacks are
an increasing threat on the Internet. One of the reasons is that
websites selling attacks for prices starting from $1.00 are becoming
popular. These websites, called Booters, facilitate attacks by
making transparent the needed infrastructure to perform attacks
and by lowering the knowledge to control it. As a consequence,
any user on the Internet is able to launch attacks at any time.
Although security experts and operators acknowledge the potential
of Booters for DDoS attacks, little is known about Booters
spects in terms of users, attacks and infrastructure.
investigate this phenomenon are all
ter and therefore provide
er we extend
limited to the same database (i.e., booter.tw). Therefore, aspects
that vary between Booters cannot be observed and a general
overview is missing. For example, Booters can use different
infrastructure types to trigger attacks [9].
Our goal is to provide a comprehensive overview on the
operational side of Booters. To do so, we analyze 15 MySQL
databases of Booters, found on the Internet, in terms of users,
attacks, and infrastructure used to trigger attacks. Our main
contributions are (i) to reveal characteristics of Booter users
responsible for ordering attacks, (ii) give awareness about the
characteristics of attacks ordered by users, and (iii) to shed
light on the infrastructure used by Booters to trigger DDoS
s. We believe that an in-depth understanding of how
ered can help to carry on mitigation tasks.
r with advices, based on our
ated.
Booter websites characterization:
Towards a list of threats
Justyna Joanna Chromik, José Jair Santanna, Anna Sperotto, and Aiko Pras
1 University of Twente - The Netherlands
Design and Analysis of Communication Systems (DACS)
j.j.chromik@student.utwente.nl,{j.j.santanna,a.sperotto,a.pras}@utwente.nl
Abstract. Distributed Denial of Service (DDoS) attacks mean millions in revenue
losses to many industries, such as e-commerce and online financial services.
of reported DDoS attacks has increased by 47% compared to
for this increase is the availability and ease of ac-
DoS attacks as a paid service, called
lable, current researches
k traffic or
Characterizing and Mitigating
The DDoS-as-a-Service Phenomenon
Jair Santanna and Anna Sperotto
Design and Analysis of Communication Systems (DACS)
University of Twente
Enschede, The Netherlands
{j.j.santanna,a.sperotto}@utwente.nl
The Marketing of Booters
Booters under Protection
1. INTRODUCTION
Distributed Denial of Service (DDoS) is a type of network
attack that aims to make a target system unreachable by
overloading its network resources. To understand the damage
of those attacks consider when your Internet connection
is down, especially when you most need it, or when the
conference paper registration system is not reachable (on a
deadline day), or even when an e-commerce company is not
accessible (closer to the Christmas period). In other words,
DDoS attacks cause millions in revenue losses, reputation
nd customer attrition to companies. Although a
is usually needed to perform DDoS
to perform such attacks,
2. BOOTER LIST
The first requirement to perform any research on Booters
is to select which one(s) to investigate.
In general, existing research focuses its analysis on a few
specific Booters. The reason for that is usually a punctual
involvement of Booters in attacks [ref], the discovery of
a hacked Booter’s database [ref], or the absence of a comprehensive
Booter list on which to base the research.
Inspired by the works performed in [?] and [?], we decide to
collect the most extensive list of Booters. It is also our goal
to keep such list weekly updated, and make it available to
all researchers that want to investigate this phenomenon¹.
In this section we describe the steps to generate such comprehensive
Booter list; Figure 1 summarizes our workflow.
[Figure 1: workflow for generating the Booter list. Visible labels: Literature; Automatically added; ...dress match]
Defending against Booters
Best practices and Advices
José Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
1. METHODOLOGY
The main goal of this investigation is to fingerprint
Booters by analyzing systems used by them to perform
need at least two samples of the same type of attack
at different moments. However, those two samples
can be different in terms of days, hours, sec-
For less than USD 5 anyone can perform 7Gbps attacks during 3 months.
They offer 11 different attack types.
Booters make almost USD 10k monthly.
They have all types of customers.
Booters against Booters! Potential for more than 400Gbps.