Intel 471 recently wrote about the prevalence and effects of distributed denial-of-service (DDoS) attacks in the cyber underground. A law enforcement action in December involving the FBI, the U.K.’s National Crime Agency (NCA), Netherlands Police, Europol and private security companies took aim at some of the most long-running DDoS services for hire. Seven people were arrested or charged, and 48 domains where DDoS services were sold were seized by law enforcement as part of an operation called PowerOFF. What does this action mean, and will it reduce the risk of DDoS attacks against organizations?
DDoS: A Recap
DDoS attacks overwhelm a website, web service or even just a home internet connection with junk internet traffic, causing those services to fail. As with many other parts of the cybercriminal economy, DDoS services have long been productized, with buyers able to order attacks through illicit websites. The services are profitable due to a surprisingly large amount of demand from the general public.
Buyers can select how much they want to pay, the strength and duration of an attack and plug in the target’s IP addresses. The services are advertised as “booters” or “stressers” under a claim they can be used as legitimate security testing tools. However, prosecutors in the U.S. and elsewhere have rejected these characterizations based on the mostly illegal ways the services are used.
Some types of DDoS attacks are extremely powerful. With reflective amplification attacks, attackers can send small DNS requests and spoof the address where the responses will be sent, thus sending much larger DNS responses to a victim’s network. This is the most common type of DDoS attack and because of the amplification effect, the most cost-effective. Unfortunately, this is possible because some DNS resolvers are configured to allow anyone to make a request, which has been a longstanding security issue. Internet service providers (ISPs) should practice network ingress filtering, which ensures that incoming packets come from the network they purport to originate. Most ISPs do this now, but the ones that don’t are often abused.
Amplification attacks can also be accomplished by abusing other open internet services, such as Network Time Protocol. Another type of DDoS attack relies on networks of hacked computers known as botnets to bombard a service with traffic.
Skilled attackers can cause significant disruption with an older-style attack called HTTP flood. That type of attack targets the application layer rather than routers and available bandwidth. An example of a HTTP flood attack would be making repetitive requests that trigger some back-end activity, like performing a search or looking up something in a database repeatedly, such as if a user exists. However, HTTP flood attacks can be expensive attacks to mount.
The cumulative damage caused by DDoS attacks is costly and persistent even if, as the FBI says, the attacks are usually short in duration. ISPs face higher costs to defend their systems, and those costs may be passed onto their customers. In some cases, the attacks irreparably hurt ISPs. Persistent attacks against businesses, governments, schools and hospitals require spending on DDoS mitigation services. Other targets have often included universities and public utilities. The motivations vary, from disgruntled teenagers attacking their own school to hacktivists using DDoS for political or social aims to extortionists seeking a ransom.
Scale of Attacks
The law enforcement action was aided by the leak of booter databases online and also databases seized through court-approved warrants. The databases contained valuable information such as the number of attacks, where the attacks were directed, payments for the services and communication records between booter operators and customers. The databases also revealed the scale and popularity of DDoS Services.
The logs from a database from a booter service called ipstressor[.]com, whose domain is now controlled by law enforcement, shows that a staggering 30 million attacks were either conducted or attempted. That service had two million registered users and had been running since 2009. Another booter, securityteam[.]io, retained logs for 1.3 million attacks and some 50,000 users. Victims of that service included a school district in central California. Another booter service called Astrostress[.]com was used for 700,000 attacks over two years and had 30,000 registered users.
Analysis
International law enforcement actions have taken aim at DDoS providers several times before. What makes Operation PowerOFF different, and what are the emerging trends for organizations that are victimized by DDoS?
An affidavit filed by the FBI highlights some trends in how the DDoS services are run, sold and procured. First, the FBI noted that services are usually paid for in cryptocurrency. Some actors still take payment through PayPal or Google Wallet, but law enforcement agencies have successfully made it harder to get paid for DDoS services through traditional payment providers. That’s good, but now the problem has shifted of course, and it’s the one faced in the fight against ransomware: the use of cryptocurrency.
Secondly, many DDoS services do not work as advertised. The FBI tested at least 100 booter services by buying low-level subscriptions or trying their free offerings. Many booter services were only intermittently available, displayed error messages or appeared to be scams, taking funds but not delivering. The application programming interfaces (APIs) for some booter sites did not function properly. Sometimes, advertised DDoS services depend on attack infrastructure from other entities. What this means is that it may appear through Google searches that there are many DDoS services, the true viable pool of services is likely smaller.
A key prong of this effort and past law enforcement raids (including this one four years ago) has been deterrence. To deter customers using search engines to find booter services, The U.K.’s National Crime Agency and FBI have bought Google ads based on keywords that someone might use.
Dutch law enforcement has gone even further, intervening on Telegram channels where booter services are advertised with this message:
Interested in booters? Sure they’re safe? Today Operation Power OFF strikes again. This International Law Enforcement collaboration is taking down DDoS sites and services since 2018. This is a warning. 2023 will not be a good year for booters. DDoS attacks are illegal and we hold users accountable. Did you ever use a DDoS service? We are happy with the KYC-policy (know your customer) of the booters we seized. This helps, as we’re scheduling some visits. And now you might already have signed up for your new service. We can’t guarantee the safety of this one neither. Operation Power OFF will continue. Until next time.
Check for yourself: Netherlands LEA.
As Dutch law enforcement notes, the operation is not over. The fact that law enforcement has obtained the customer databases for a half dozen DDoS services may also serve to unnerve some who bought services. But because DDoS services are in high demand, the disruption in market offerings is likely to be temporary. We expect an eventual resumption, and fighting booter services will be a continuing battle. Tracing the cryptocurrency accounts for DDoS operators may be one of the most effective tactics. If getting paid becomes more difficult or risky, that may act as the most powerful, long-term deterrent.
Special thanks to Unit 221B, a cybersecurity company that participated in Operation PowerOFF, for help with this post.