Denial of Service (DoS) attacks have come a long way since the days of LOIC and other GUI-based tools. Today, would-be attackers do not have to know the first thing about conducting such an attack; they can simply purchase attack services that carry one out for them. Just a few years ago, an attacker would have had to download a simple GUI-based tool to launch a DoS attack. As time moved on, attackers started to combine their efforts and tools in distributed group attacks. Now they are abandoning GUI and script tools altogether and opting to pay for attacks through stresser services.
Basic DoS tools are easy to defend against and have left attackers wanting more power. With this demand came a supply of new attack tools and services that will quickly test the limits of most defensive systems. But this new demand was not created out of the good nature of a hacker’s heart. It was fueled by profits and has now created a booming industry around DDoS-as-a-service.
These new, off-the-shelf attack services are commoditizing the art of hacking, making it possible for novice hackers with little know-how to launch attacks via affordable tools that are available on the Darknet and the Clearnet. To add humor into the situation, most DDoS-as-a-service websites use DDoS mitigation companies to prevent their competition from taking them offline.
Figure: zStress attack panel
Many notorious DDoS groups like Lizard Squad, Poodle Corp, New World Hackers and others have all entered the DDoS-as-a-service business, monetizing their capabilities in peacetime by renting out their powerful stresser services. The high demand for DDoSaaS makes it a very profitable business that can generate thousands of dollars a week for operators. The barrier to entry continues to fall, allowing novice attackers to carry out larger and more sophisticated attacks than just a few years ago. For as little as $19.99 a month an attacker can run 20-minute bursts for 30 days, utilizing a number of attack vectors like DNS, SNMP, SSYN and slow GET/POST application-layer DoS attacks. All an attacker has to do is create an account, select a plan, pay in Bitcoin and access the attack hub, where they can target the victim by port, time and method.
Booters and stressers (low end)
These services offer multiple attack vectors, allowing the attacker to directly target their victim’s network with accuracy and power. Some of the most common attack vectors found on these sites are DNS, NTP, SSDP, Chargen, SSYN, ACK, XMLRPC, Portmap and Joomla.
For more about attack vectors, check out our recent ERT Alert.
Due to their effectiveness, amplification-based attacks are the default attack technique offered by most booter services. These attacks are easy to conduct and rely on misconfigured services. The attacker sends a spoofed packet carrying the victim’s IP to the service, so the server’s response is sent to the victim’s IP rather than back to the attacker. Attackers will also use reflection-based attacks by misusing popular content management systems (CMS) like WordPress and Joomla to generate HTTP requests against target web servers. They will also abuse gaming consoles and routers in an attempt to generate larger attacks. By using reflection and amplification, attackers are able to mask their origin and turn a tiny amount of bandwidth into a much larger-scale assault.
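The defining signature of a reflected amplification attack is traffic that arrives from a well-known service port, was never requested by the receiving host, and is far larger than a normal reply. The following Python script, an added example that is not part of the Radware post, applies exactly that test to a handful of constructed NetFlow-style records: it indexes the UDP requests the protected host actually sent, then flags inbound flows from the reflector ports named above (DNS, NTP, SSDP, Chargen, Portmap) that have no matching outbound request and an unusually high bytes-per-packet ratio. The field layout, the addresses, the 400-byte threshold and the sample volumes are all assumptions made for the example.

```python
"""Flag inbound UDP flows that look like reflected/amplified DDoS traffic.

Added example, not from the Radware post.  The flow records below are
constructed for illustration, not captured data.  Assumed record layout:
(src_ip, src_port, dst_ip, dst_port, proto, packets, bytes) aggregated
over a one-minute window, the way a NetFlow/IPFIX collector would emit it.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors (the ones named in the post).
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    19: "Chargen",
    111: "Portmap",
}

# Addresses we are defending (constructed).
PROTECTED = {"203.0.113.5"}

# Constructed sample flows.  The first three are unsolicited floods from
# reflector ports; the next two are a legitimate DNS query and its reply;
# the last is ordinary TCP traffic that the detector must ignore.
SAMPLE_FLOWS = [
    # src_ip,          src_port, dst_ip,        dst_port, proto, packets, bytes
    ("198.51.100.10",  53,       "203.0.113.5", 44123,    "udp", 9000,  12_000_000),
    ("198.51.100.11",  53,       "203.0.113.5", 44123,    "udp", 8800,  11_600_000),
    ("198.51.100.20",  123,      "203.0.113.5", 51000,    "udp", 5000,   2_400_000),
    ("203.0.113.5",    53211,    "192.0.2.7",   53,       "udp",    2,         140),
    ("192.0.2.7",      53,       "203.0.113.5", 53211,    "udp",    2,         400),
    ("192.0.2.8",      443,      "203.0.113.5", 40000,    "tcp",  300,     300_000),
]


def outbound_requests(flows, protected):
    """Index every UDP flow a protected host originated, keyed by 4-tuple."""
    sent = set()
    for src_ip, src_port, dst_ip, dst_port, proto, _packets, _nbytes in flows:
        if proto == "udp" and src_ip in protected:
            sent.add((src_ip, src_port, dst_ip, dst_port))
    return sent


def detect_reflection(flows, protected=PROTECTED, min_bytes_per_pkt=400):
    """Return {victim: {service: {sources, packets, bytes, avg_reply_bytes}}}.

    A flow is flagged when it is inbound UDP from a known reflector port,
    the protected host never sent a matching request (so the reply was
    solicited by a spoofed packet elsewhere), and the average packet size
    exceeds what a legitimate reply to a small query would produce.
    """
    sent = outbound_requests(flows, protected)
    report = defaultdict(
        lambda: defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    )
    for src_ip, src_port, dst_ip, dst_port, proto, packets, nbytes in flows:
        if proto != "udp" or dst_ip not in protected or src_port not in REFLECTOR_PORTS:
            continue
        # A reply we actually asked for: the matching query left our network first.
        if (dst_ip, dst_port, src_ip, src_port) in sent:
            continue
        if packets == 0 or nbytes / packets < min_bytes_per_pkt:
            continue
        entry = report[dst_ip][REFLECTOR_PORTS[src_port]]
        entry["sources"].add(src_ip)
        entry["packets"] += packets
        entry["bytes"] += nbytes

    # Convert to plain dicts with sorted source lists and a per-service average.
    result = {}
    for victim, services in report.items():
        result[victim] = {}
        for service, e in services.items():
            result[victim][service] = {
                "sources": sorted(e["sources"]),
                "packets": e["packets"],
                "bytes": e["bytes"],
                "avg_reply_bytes": round(e["bytes"] / e["packets"]),
            }
    return result


if __name__ == "__main__":
    for victim, services in detect_reflection(SAMPLE_FLOWS).items():
        for service, e in services.items():
            print(f"{victim}: unsolicited {service} from {len(e['sources'])} reflector(s), "
                  f"{e['packets']} pkts / {e['bytes']} bytes, avg {e['avg_reply_bytes']} B/pkt")
```

The detector deliberately keys on the absence of a matching request rather than on volume alone, because a reflector’s reply to a query the host really sent is indistinguishable from an attack packet by size. In practice the same logic runs against collector output at the network edge, and the per-service totals feed rate limits or upstream filtering for the flagged reflector ports.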
In addition to these vectors, a number of services also offer tools on their website like resolvers, IP loggers, geo-location, ping and VPN detectors.
Figure: zStress tools and services
Additional services (resolvers):
- Domain Resolver resolves the domain name to get the IP address of a server.
- Protection Resolver resolves a website’s IP address that is hidden behind a mitigation service.
- Skype Resolver resolves Skype username and returns their IP address.
Most booter services today use cloud-based hosting to leverage their network. By using cloud services to host their attack scripts they are able to provide larger bandwidth for their attacks. Owners behind these stresser services have only a few expenses to get their service up and running. One of the core expenses for owners is the back-end servers. These servers must allow IP address spoofing, have a fast uplink (1Gbps+), and have unmetered bandwidth usage. Once the owner has their servers, all they have to do is set up the service by uploading the shell of their choice.
Stressers are not necessarily illegal, and there are many legitimate uses for such tools. Most legitimate services will require you to provide proof that you own the website and that your ISP has agreed to the network test. Unfortunately, most of the stresser services that we have observed do not require you to submit proof. Instead they try to hide behind their Terms of Service by putting the legal responsibility back onto those carrying out the attacks.
Figure: Terms of Service
Booters and stressers have become popular over the years with hacktivists like Anonymous. For the most part Anonymous is a collective of teenagers unable to compile a script, and forced to work at a collective level to obfuscate their inexperience. In the past we have seen hacktivists arrested for downloading LOIC and using attack tools without a VPN or any form of anonymization. Stressers offer potential hackers a layer of anonymization with the website acting as a proxy.
This growth in stresser services has resulted in a wide array of powerful and affordable tools available in the marketplace. Since the beginning of 2016, Radware has witnessed these tools being used against ISPs, media, financial service companies, online gaming and other industries. Organizations are being forced to improve defenses as these tools combine high traffic volumes with multi-vector attacks. Companies are quickly racing to buy bigger pipes in an attempt to combat the growth in large-scale attack services, but this is a futile effort: stresser owners are hedging their bets for profit and will purchase and use the same massive cloud services that some of their victims use.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigation attacks proactively for its customers.