DDoS attacks are on the rise, and one of the reasons is the plethora of service providers that make it easy to mount your attacks, especially if you are a lazy or inexperienced criminal. A blog post this past summer says, “potential hackers do not have to know the first thing about conducting a DDoS attack. They can simply purchase attack services to carry one out for them. Today, attackers are now abandoning GUI and script tools and opting to pay for attack services.” It is a big growth industry.
The high demand for DDoS services makes it a very profitable business and can generate thousands of dollars a week for these criminal operators.
Sadly, there are dozens if not hundreds of these booter or stresser services, as they are known. The latter name comes from the fact that they hide behind a legitimate service of testing out the resilience of your network connections and webservers. Yeah, you could say that. But they are really illegal. They have one big advantage, in that they automatically can obscure the identity of the attacker, since their websites proxy the attack origin. For the ultimate in configurability, they offer multiple attack vectors and protocols, such as DNS or NTP-based attacks. You can target particular websites via geolocation and automatically skip VPNs.
Some security researchers have found that rental fees for DDoS service providers can range from $15 to $40 a month to produce from 15 to 200 Gbps attacks, and they even come with 24×7 email support too. One hacker even posted a screencast video that rates one hacker’s top five stressor tools, giving you a matter-of-fact demo like they were showing you some Excel feature. It was quickly removed from YouTube.
Brian Krebs, whose server was the subject of one such attack, delves further into this strange world. Like any DDoS attack, the idea is that they can leverage a botnet army to clog up your website with requests, so that the regular folks can’t get any bandwidth and access your site.
Krebs’ research shows that the criminal providers make use of one shady domain registrar called namecentral.com. Ordinarily, as Krebs points out, most registrars have thousands or millions of domains, and certainly some are bad apples. But namecentral has been used to register just 38 domains – ever. Most of these are bad guys, such as the registrar for the vDOS operation that was at the center of the attack on Krebs. Krebs gets the 19 year-old owner of the service to exchange emails with him, and of course the owner plays the innocent.
What is interesting about namecentral is they are also in the business of selling DDoS protection services against the very DDoS attack providers that make use of the same registrar. “In other words, a classic protection racket,” as Krebs says in his post. Not only is this the case, but selling these mitigation services also preventst heir competition from taking their DDoS efforts offline with another DDoS attack on their own servers. Nice.
Certainly, DDoS attackers getting better at harnessing more and more bandwidth to bring down their targets. Sadly, these booter and stressor services are here to stay, and will only get more potent.