[Guest lecturer] Place: University of Twente Course: Product Design to Online Business (Module 7) Audience: students of industrial engineering (Technische Bedrijfskunde - TBK) and business information technology (BIT)

1. /jjsantanna
j.j.santanna@utwente.nl
10/03/2015
The DDoS-as-a-Service Phenomenon

2. Civil Disobedience

4. 1969

5. Soul Sacrifice [Santana]
e Star-Spangled Banner [Jimi Hendrix]

7. 1979

8. Another brick in the wall [Pink Floyd]

10. 2015

11. 1969
1979
2015

14. If…

17. No more opponents!!
No more ONLINE exams!!
Economic Impact!!
More attention to your presentation!!!

19. Did you understand?
DDoS Attacks?
Amplification?
Reflection?

20. Front-end
C&C Attack Sources
DDoS Protection Companies
$$

21. Fingerprinting Booters
Understanding Who Is Behind Attacks
José Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
ODOLOGY
igation is to fingerprint
perform
need at least two samples of a same type of attack
in di↵erent moments. However, those two sam-
ple can be di↵erent in terms of days, hours, sec-
onds, and so on. Therefore by considering a huge
er of combinations, we simplify our measure-
al weeks. In the first week,
ents, which we
Booters - An Analysis of DDoS-as-a-Service Attacks
Jos´e Jair Santanna⇤ , Roland van Rijswijk-Deij⇤† , Rick Hofstede⇤ , Anna Sperotto⇤ ,
Mark Wierbosch⇤ , Lisandro Zambenedetti Granville‡ , Aiko Pras⇤
⇤ University of Twente, The Netherlands
{j.j.santanna, r.m.vanrijswijk, r.j.hofstede, a.sperotto, a.pras}@utwente.nl
m.b.wierbosch@student.utwente.nl
† SURFnet bv, The Netherlands
roland.vanrijswijk@surfnet.nl
‡ Federal University of Rio Grande do Sul, Brazil
granville@inf.ufrgs.br
Abstract—In 2012, the Dutch National Research and Edu-
cation Network, SURFnet, observed a multitude of Distributed
Denial of Service (DDoS) attacks against educational institutions.
These attacks were effective enough to cause the online exams of
hundreds of students to be cancelled. Surprisingly, these attacks
were purchased by students from websites, known as Booters.
These sites provide DDoS attacks as a paid service (DDoS-as-a-
Service) at costs starting from 1 USD. Since this problem was
identified by SURFnet, Booters have been used repeatedly
ks on schools in SURFnet’s constituency. Very
out the characteristics of Booters,
structure. This is vital
his paper we
e
about the characteristics of the attacks that they perform, which
is essential knowledge for mitigating their attacks.
The goal of this paper is to create awareness around Booter
attacks. In our study, we investigate the characteristics of
Booter attacks in terms of the volume of generated traffic
as well as the service and networking infrastructure used by
Booters. Finally, based on our measurements, we discuss possi-
ble defense mechanisms and the relationship between Booters
and DDoS protection services. We performed measurements
to analyze the attacks generated by Booters on our own
infrastructure. We investigated more than 250 GB of traffic.
We intend to make all data acquired during our experiments
ilable to interested researchers.
a vast amount of literature on DDoS
s [5], [6], [7], [8], [9], this
first to present
ers.
Inside Booters:
An Analysis on Operational Databases
Jos´e Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Romain Durban
INSA of Toulouse
romain.durban@gmail.com
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
Abstract—Distributed Denial of Service (DDoS) attacks are
an increasing threat on the Internet. One of the reasons is that
websites selling attacks for prices starting from $1.00 are becom-
ing popular. These websites, called Booters, facilitate attacks by
making transparent the needed infrastructure to perform attacks
and by lowering the knowledge to control it. As a consequence,
any user on the Internet is able to launch attacks at any time.
Although security experts and operators acknowledge the poten-
tial of Booters for DDoS attacks, little is known about Booters
spects in terms of users, attacks and infrastructure.
investigate this phenomenon are all
ter and therefore provide
er we extend
limited to a same database (i.e., booter.tw). Therefore, aspects
that vary between Booters cannot be observed and a general
overview is missing. For example, Booters can use different
infrastructures types to trigger attacks [9].
Our goal is to provide a comprehensive overview on the
operational side of Booters. To do so, we analyze 15 MySQL
databases of Booters, found on the Internet, in terms of users,
attacks, and infrastructure used to trigger attacks. Our main
contributions are (i) to reveal characteristics of Booter users
responsible for ordering attacks, (ii) give awareness about the
characteristics of attacks ordered by users, and (iii) to shed
light on the infrastructure used by Booters to trigger DDoS
s. We believe that an in-depth understanding of how
ered can help to carry on mitigation tasks.
r with advices, based on our
ated.
Booter websites characterization:
Towards a list of threats
Justyna Joanna Chromik, Jos´e Jair Santanna, Anna Sperotto, and Aiko Pras
1 University of Twente - The Nederlands
Design and Analysis of Communication Systems (DACS)
j.j.chromik@student.utwente.nl,{j.j.santanna,a.sperotto,a.pras}@utwente.nl
Abstract. Distributed Denial of Service (DDoS) attacks mean millions in rev-
enue losses to many industries, such e-commerce and online financial services.
of reported DDoS attacks has increased with 47% compared to
for this increase is the availability and ease of ac-
DoS attacks as a paid service, called
lable, current researches
k traffic or
Characterizing and Mitigating
The DDoS-as-a-Service Phenomenon
Jair Santanna and Anna Sperotto
Design and Analysis of Communication Systems (DACS)
University of Twente
Enschede, The Netherlands
{j.j.santanna,a.sperotto}@utwente.nl
The Marketing of Booters
1. INTRODUCTION
Distributed Denial of Service (DDoS) is a type of network
attack that aims to make a target system unreachable by
overloading its network resources. To understand the dam-
age of those attacks consider when your Internet connection
is down specially when you most need of it, or when the
conference paper registration system is not reachable (in a
deadline day), or even when an e-commerce company is not
(closer to the Christmas period). In other words,
millions in revenue losses, reputation
to companies. Although a
perform DDoS
ks,
2. BOOTER LIST
The first requirement to perform any research on Boot-
ers is to select which one(s) is/are intended to investigate.
In general, existent researches focus their analysis on a few
specific Booters. The reason for that is usually a punctual
involvement of Booters on attacks [ref], the discovering of
a hacked Booter’s database [ref], or the absence of a com-
prehensive Booter list that they can base their research. In-
spired by the works performed in [?] and [?], we decide to
collect the most extensive list of Booters. It is also our goal
to keep such list weekly updated, and make it available to
all researches that want to investigate this phenomenon
1 . In
this section we describe the steps to generate such compre-
sive Booter list, Figure 1 summarizes our workflow.
Automatically added
Booters under Protection
1. INTRODUCTION
Distributed Denial of Service (DDoS) is a type of network
attack that aims to make a target system unreachable by
overloading its network resources. To understand the dam-
age of those attacks consider when your Internet connection
is down specially when you most need of it, or when the
conference paper registration system is not reachable (in a
deadline day), or even when an e-commerce company is not
accessible (closer to the Christmas period). In other words,
DDoS attacks causes millions in revenue losses, reputation
nd customer attrition to companies. Although a
is usually needed to perform DDoS
to perform such attacks,
2. BOOTER LIST
The first requirement to perform any research on Boot-
ers is to select which one(s) is/are intended to investigate.
In general, existent researches focus their analysis on a few
specific Booters. The reason for that is usually a punctual
involvement of Booters on attacks [ref], the discovering of
a hacked Booter’s database [ref], or the absence of a com-
prehensive Booter list that they can base their research. In-
spired by the works performed in [?] and [?], we decide to
collect the most extensive list of Booters. It is also our goal
to keep such list weekly updated, and make it available to
all researches that want to investigate this phenomenon
1 . In
this section we describe the steps to generate such compre-
hensive Booter list, Figure 1 summarizes our workflow.
Literature
Automatically added
dress match
Defending against Booters
Best practices and Advices
José Jair Santanna
University of Twente
j.j.santanna@utwente.nl
Anna Sperotto
University of Twente
a.sperotto@utwente.nl
Aiko Pras
University of Twente
a.pras@utwente.nl
1. METHODOLOGY
The main goal of this investigation is to fingerprint
Booters by analyzing systems used by them to perform
need at least two samples of a same type of attack
in di↵erent moments. However, those two sam-
ple can be di↵erent in terms of days, hours, sec-
For less than USD 5 anyone can perform 7Gbps
attacks during 3 months.
They offer 11 different attack types.
Booters make almost USD 10k monthly.
They have all types of customers.
Booters against Booters! Potential for more than 400Gbps.

22. DDoS Attack
The DDoS-as-a-Service Phenomenon
Less than 5 Dollars to attack everyone

24. 0
1.5
3
4.5
6
7.5
0 20 40 60 80 100
Trafficrate[Gbps]
Time [s]
CharGen-based attacks DNS-based attacks
0
0.4
0.8
1.2
1.6
2
0 20 40 60 80 100
Trafficrate[Gbps]
Time [s]
NTP
CharGen
SSDP
Quake P.
Steam P.
QOTD
BitTorrent
Kad
NetBIOS
SNMP
DNS
556.9x358.8x
108x

25. Booter Type of Attack
N° Misused
systems
B1 DNS-based 4486
B2 DNS-based 78
B3 DNS-based 54
B4 DNS-based 2970
B5 DNS-based 8281
B6 DNS-based 7379
B7 DNS-based 6075
B8 CharGen-based 281
B9 CharGen-based 3779

26. Booter Type of Attack
Avg Traffic Rate
[Gbps]
N° Misused
systems
B1 DNS-based 0.7 4486
B2 DNS-based 0.25 78
B3 DNS-based 0.33 54
B4 DNS-based 1.19 2970
B5 DNS-based 0.006 8281
B6 DNS-based 0.15 7379
B7 DNS-based 0.32 6075
B8 CharGen-based 0.99 281
B9 CharGen-based 5.48 3779
29x

27. Booter Type of Attack
Avg Traffic Rate
[Gbps]
N° Misused
systems
B1 DNS-based 0.7 4486
B2 DNS-based 0.25 78
B3 DNS-based 0.33 54
B4 DNS-based 1.19 2970
B5 DNS-based 0.006 8281
B6 DNS-based 0.15 7379
B7 DNS-based 0.32 6075
B8 CharGen-based 0.99 281
B9 CharGen-based 5.48 3779
9427x

29. CN
US
KR
RU
IN
TR
UA
FR
TH
DE
Top 10
1755
630
275
192
105
81
76
56
55
530 1755
US
JP
DE
RU
CN
NL
GB
CA
FR
TW
5822
1986
1909
1871
825
731
716
603
561
459
Top 10
0 5822
0
20
40
60
80
100
B1 B2 B3 B4 B5 B6 B7 B8 B9
Percentage
Booter
Europe
North-America
Asia
Others
CharGen-based attacks DNS-based attacks

31. 0
100
200
300
400
500
0 2 4 6 8 10 12
Price[USD]
Package expiration time [month]
∞
0
100
200
300
400
500
0 2 4 6 8 10 12
Price[USD]
0
2.5
5
7.5
0 2.5 5 7.510
[min]
Price[USD]
Attack duration [hour]
0
5
10
15
20
25
PaypalBitcoinCreditCard
G
oogleW
allet
W
ebM
oney
SkrillRsgpPerfM
oney
PayzaLitecoinCashUM
oneypak
Booters

32. Attacks(k)
Type of Attacks
0
5
10
15
20
25
30
35
40
45
50
U
D
P
CH
A
RG
EN
D
RD
O
SLA
G
N
TP
SY
N
TCPA
M
PTCP
RU
D
Y
SLO
W
LO
RIS
H
TTPG
ETH
TTPH
EA
D
H
TTPPO
ST
A
RM
E
UDP-based (56%) TCP-based (29%) Application-layer (14%)
0
20
40
60
80
100
0 60 180 300
50%: 4min20s
70%: 10min
8333
0
20
40
60
80
100
0 50 100 150 200 250
51%: 2 attacks
90%: 13 attacks
38%: 1 attack

33. /jjsantanna
j.j.santanna@utwente.nl
10/03/2015
The DDoS-as-a-Service Phenomenon
Flamingo
EU FP7