Global DDoS-for-hire Takedown

Introduction

DDoS-for-hire systems are commonly known as “booters” or “stressers” in the internet underground and security community. The term “booter” derives from a common use-case for these services: to “boot” a player out of a game by disrupting their connection, presumably allowing a competitive, attacking player to gain an advantage or deflate a target player’s ranking. A “stresser” is a term favored by DDoS-for-hire operators, which might suggest an air of legitimacy, as if the use-case is only to “stress test” a target network that has agreed to receive DDoS attack traffic. DDoS-for-hire operators even put language into their service description that claims a user of the service is solely responsible for any damages that result from the service. Unfortunately for those operators, most jurisdictions disagree. Not only is operating these services generally illegal so is the use of them. In other words, all parties across the globe that are involved in setting up, coordinating, operating, purchasing, and using these services put themselves in legal jeopardy and risk serious criminal liability.

The Takedown

On December 15, 2022, The U.S. Federal Bureau of Investigation (FBI), in cooperation with several international law enforcement partners, seized 49 domain names and arrested six individuals for their alleged involvement in the operation of illegal DDoS-for-hire activity.

 The coordinated seizure led by the FBI in December is colloquially known as a “takedown” event, but it might be best thought of as a “disruption”. While the seizures affected approximately 50% of the most active DDoS-for-hire services on the Internet, many of them reconstituted operations using new domain names albeit as Dr. Clayton shows in the NANOG presentation, the frequency of attacks sourced from these services was significantly reduced, or disrupted thanks to the actions of the FBI and its partners (Figure 1).

The number of DDoS attacks these sites were responsible for were staggering. Many facilitated 100’s of attacks per day, while the largest averaged 1000’s of attacks per day! Many of the DDoS-for-hire services publish attack capabilities and statistics. Not only were security researchers involved in the takedown able to validate actual attack volume with these reported statistics, but one only needs to look at NETSCOUT’s global attack statistics to realize the purported claims of the attack statistics on DDoS-for-hire sites is an accurate reflection of reality.

NOTE: This article is a companion piece to the recent NANOG 87 talk Assessing the Aftermath: Evaluating the effects of a global DDoS-for-hire service takedown given by Dr Richard Clayton of the University of Cambridge, and NETSCOUT ASERT principal analyst, John Kristoff.

Network Effects After Takedown

NETSCOUT researchers part in the takedown assessment was to examine what, if any, measurable effect in DDoS attack activity resulted from the December 15, 2022 takedown event. Our ATLAS platform provides insight into attack alerts as seen by networks around the globe. This DDoS attack telemetry spans the globe and allows unparalleled insight into real-time DDoS activity. We analyzed our attack data to see if we could identify any takedown cause and effect.

DDoS-for-hire operators advertise a variety of attack types that can be carried out by their platform. This includes application-layer attacks, such as HTTP request floods, TCP state exhaustion attacks such as SYN floods, and amplification/reflection style attacks using common UDP request/response protocols such as DNS, NTP, and CLDAP. On and around December 15, 2022, we examined if any difference in total TCP and UDP attack traffic occurred. This proved too wide of a lens from which to draw any definitive conclusions given the vast quantities of DDoS-for-hire services, botnets, and attack tools always present in our data. Instead we focused our attention on specific networks and attack vector types.

Knowing that many users of DDoS-for-hire services target gamers or gaming servers, we homed in on one large US broadband provider (Figure 2) and one large European server hosting provider (Figure 3). From these two plots it appears as if the takedown event corresponds almost perfectly with a visible, sudden drop in attacks towards these networks.

Not only was there a precipitous drop in traffic in both cases on or around December, but the overall attack volume remained, on average, significantly reduced through the end of January 2023. This seemed to suggest a direct correlation between the takedown event and observed DDoS attack traffic.

Similarly, when we considered specific attack vectors such as DNS (Figure 4) and NTP amplification/reflection (Figure 5) attacks, we saw similar patterns.

We were tempted to declare incontrovertible evidence of a correlation between the takedown and global DDoS attack traffic, but then we examined how these attack trends compared with the same period one year earlier. Here is where our conclusions must be tempered by declaring there was a “probable” decrease in global DDoS attack numbers. Due to the breadth and coverage of our attack data, all other DDoS attacks that continued uninterrupted make December 15, 2022, period graphs look a little underwhelming. We compared the shape of the NTP attacks plot from 2022 to 2023 (Figure 5) with the NTP attacks plot from 2021 to 2022 (Figure 6).

The shape and trend of attacks during the same interval is clearly different in the most recent period to that of a year earlier. In the December 15, 2022, time frame, the change in attack volume is sudden and dramatic. In the year earlier there is a more gradual decrease in attack volume, with no single inflection point. What we find when we compare attack trends between the two years is that there is a corresponding decrease in attacks that coincide with seasonal trends, a trend that tracks back many years. These end-of-year seasonal trends appear to mask, at least somewhat, the effect of the takedown event in December 2022.  Nonetheless, on average the number of NTP attacks are 40% lower after December 15 than the equivalent period prior to the takedown.  The trend is similar for other specific and common DDoS-for-hire targets and attack vectors.

Conclusion

The primary aim of the December takedown event was DDoS-for-hire service disruption. Disruption is like cutting off several heads on a hydra. There’s temporary relief, but inevitably, the adversary regains their ability to launch attacks. However, this is just one form of mitigating DDoS attacks. These takedowns also act as a deterrent to DDoS service operators and users. Arrests and threats of legal action are another deterrent that continue to be used in conjunction with all the technical tools at our disposal. Though the takedown wasn’t as impactful as hoped, the joint efforts from security research and law enforcement is just one of many paths to solving the worlds DDoS problem. 

References

• Six Charged in Mass Takedown of DDoS-for-Hire Sites 
• Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services 
• Global crackdown against DDoS services shuts down most popular platforms | Europol