José Jair Cardoso de Santanna
University of Twente
Publication
Featured research published by José Jair Cardoso de Santanna.
integrated network management | 2015
José Jair Cardoso de Santanna; Roland van Rijswijk-Deij; Rick Hofstede; Anna Sperotto; Mark Wierbosch; Lisandro Zambenedetti Granville; Aiko Pras
In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from Web sites, known as Booters. These sites provide DDoS attacks as a paid service (DDoS-as-a-Service) at costs starting from 1 USD. Since this problem was first identified by SURFnet, Booters have been used repeatedly to perform attacks on schools in SURFnet's constituency. Very little is known, however, about the characteristics of Booters, and particularly how their attacks are structured. This is vital information needed to mitigate these attacks. In this paper we analyse the characteristics of 14 distinct Booters based on more than 250 GB of network data from real attacks. Our findings show that Booters pose a real threat that should not be underestimated, especially since our analysis suggests that they can easily increase their firepower based on their current infrastructure.
integrated network management | 2015
José Jair Cardoso de Santanna; Romain Durban; Anna Sperotto; Aiko Pras
Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from
autonomous infrastructure management and security | 2014
José Jair Cardoso de Santanna; Anna Sperotto
1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters' operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis of 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed many more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics, facilitating future works to mitigate this phenomenon.
autonomous infrastructure management and security | 2014
Max Kerkers; José Jair Cardoso de Santanna; Anna Sperotto
Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. Until a few years ago, these types of attacks were only launched by people with advanced knowledge of computer networks. However, nowadays the ability to launch attacks has been offered as a service to everyone, even to those without any advanced knowledge. Booters are online tools that offer DDoS-as-a-Service. Some of them advertise, for less than U
Journal of Information, Communication and Ethics in Society | 2017
David M. Douglas; José Jair Cardoso de Santanna; Ricardo de Oliveira Schmidt; Lisandro Zambenedetti Granville; Aiko Pras
5, up to 25 Gbps of DDoS traffic, which is more than enough to make most hosts and services on the Internet unavailable. Booters are increasing in popularity and they have shown the success of attacks against third party services, such as government websites; however, there are few mitigation proposals. In addition, existing literature in this area provides only a partial understanding of the threat, for example by analyzing only a few aspects of one specific Booter. In this paper, we propose mitigation solutions against DDoS-as-a-Service that will be achieved after an extensive characterization of Booters. Early results show 59 different Booters, some of which do not deliver what is offered. This research is still in its initial phase and will contribute to a Ph.D. thesis after four years.
International Journal of Network Management | 2018
José Jair Cardoso de Santanna; Joey de Vries; Ricardo de Oliveira Schmidt; Daphne Tuncer; Lisandro Zambenedetti Granville; Aiko Pras
Botnets are organized networks of infected computers that are used for malicious purposes. An example is Kelihos.B, a botnet of the Kelihos family used primarily for mining bitcoins, sending spam and stealing bitcoin wallets. A large part of the Kelihos.B botnet was sinkholed in early 2012 and since then bots are sending requests to controlled servers. In this paper, we analyze and characterize the behavior of Kelihos.B. Our analysis is based on the log file of the bot requests logged at the sinkhole from March 2012 to early November 2013. We investigate both the overall characteristics of the botnet and its evolution over time since the time of the sinkholing. Our results indicate that, although this trend is decreasing, there are possibly still newly infected bots even more than a year from the original sinkholing.
33rd Brazilian Symposium on Computer Networks and Distributed Systems, SBRC 2015 | 2015
Justyna Joanna Chromik; José Jair Cardoso de Santanna; Anna Sperotto; Aiko Pras
Purpose: This paper aims to examine whether there are morally defensible reasons for using or operating websites (called ‘booters’) that offer distributed denial-of-service (DDoS) attacks on a specified target to users for a price. Booters have been linked to some of the most powerful DDoS attacks in recent years. Design/methodology/approach: The authors identify the various parties associated with booter websites and the means through which booters operate. Then, the authors present and evaluate the two arguments that they claim may be used to justify operating and using booters: that they are a useful tool for testing the ability of networks and servers to handle heavy traffic, and that they may be used to perform DDoS attacks as a form of civil disobedience on the internet. Findings: The authors argue that the characteristics of existing booters disqualify them from being morally justified as network stress testing tools or as a means of performing civil disobedience. The use of botnets that include systems without the permission of their owners undermines the legitimacy of both justifications. While a booter that does not use any third-party systems without permission might in principle be justified under certain conditions, the authors argue that it is unlikely that any existing booters meet these requirements. Practical implications: Law enforcement agencies may use the arguments presented here to justify shutting down the operation of booters, and so reduce the number of DDoS attacks on the internet. Originality/value: The value of this work is in critically examining the potential justifications for using and operating booter websites and in further exploring the ethical aspects of using DDoS attacks as a form of civil disobedience.
Lecture Notes in Computer Science | 2014
Dirk Maan; José Jair Cardoso de Santanna; Anna Sperotto; Pieter-Tjerk de Boer
Summary: The expansion of Distributed Denial of Service (DDoS)-for-hire websites, known as Booters, has radically modified both the scope and stakes of DDoS attacks. Until recently, however, Booters have received only little attention from the research community. Given their impact, addressing the challenges associated with this phenomenon is crucial. In this paper, we present a rigorous methodology to identify a comprehensive set of existing Booters on the Internet. Before presenting our methodology, we illustrate the benefits of a set of booters on monitoring users from the Dutch NREN, SURFNet, from 2015 to 2017. Our methodology relies on well-defined mechanisms to generate a Booter list, from crawling suspect URLs to characterizing and classifying the collected URLs. The list obtained using the methodology presented in this paper has a classification accuracy of 95.5%, which is 10.5% better compared to previous work.
IEEE Communications Magazine | 2017
José Jair Cardoso de Santanna; Ricardo de Oliveira Schmidt; Daphne Tuncer; Anna Sperotto; Lisandro Zambenedetti Granville; Aiko Pras
conference on network and service management | 2016
José Jair Cardoso de Santanna; Ricardo de Oliveira Schmidt; Daphne Tuncer; Joey de Vries; Lisandro Zambenedetti Granville; Aiko Pras
Collaboration
Lisandro Zambenedetti Granville
Universidade Federal do Rio Grande do Sul