The growth of DDoS-as-a-Service has resulted in a wide array of powerful and affordable DDoS services available to the public. Since the beginning of 2016, Radware’s ERT Research division has been monitoring a number of services available on both the clearnet and the darknet. These off-the-shelf attack services have been used to launch attacks on a number of industries including ISPs, media, financial service companies and online gaming. These services are commoditizing the art of hacking by making it possible for novices with no experience to launch large-scale attacks.
|zstress||1200||1||30||15 to 20||yes||$15||zstress.net|
|Data Booter||900||1||30||10 to 20||YES||$15||databooter.com|
|Instabooter||1800||1||30||10 to 20||yes||$20||instabooter.com|
|ragebooter||700||2||30||5 to 10||yes||$15||ragebooter.net|
|ddos.service||1 hour||2||30||10 max||yes||$15.00||ddos.services|
|Netdown||1800||1||30||10 to 12||yes||$20||netdown.pw|
|Defcon||800||2||30||8 to 12||yes||$25||defcon.pro|
|CloudStress||1800||1||30||10 to 20||yes||$20||Cloudstress.com|
These services often provide clients with a user-friendly interface and offer various packages depending on the attack duration, volume and frequency of use. For a small fee, normally paid in Bitcoin or via PayPal, a user can access the service to launch consecutive DDoS attacks for up to 30 days. Standard packages normally cost $20 a month and allow the user to launch one attack at a time for a 20-minute period. These tools also utilize a number of attack vectors like DNS, SNMP, NTP, HTTP, TCP and UDP floods.
• DNS – A DNS amplification attack is a sophisticated denial-of-service attack where the attacker performs two malicious tasks. First, the attacker spoofs the IP address of the DNS resolver and replaces it with the victim’s IP address, so all DNS replies will be sent to the victim’s servers. Second, the attacker finds an Internet domain that is registered with many DNS records. During the DoS attack, the attacker sends DNS queries that request the entire list of DNS records for that domain. This results in replies from the DNS servers, usually so big that they need to be split over several packets.
• SNMP – An SNMP amplification attack is a sophisticated denial-of-service attack that takes advantage of the Simple Network Management Protocol (SNMP), an everyday protocol found in a number of devices including routers, printers and switches, in order to amplify an attack. Like other reflective attacks, the attacker spoofs the IP address of the SNMP query and sends the malformed packets to a number of devices, resulting in a very large response being sent to the victim’s device.
• NTP Monlist Flood – The NTP amplification attack is an emerging form of DDoS attack that relies on the use of publicly accessible NTP servers to overwhelm a victim’s system with UDP traffic. The NTP service supports a monitoring service that allows administrators to query the server for traffic counts of connected clients. This information is provided via the ‘monlist’ command. The basic DDoS attack technique consists of an attacker sending a “get monlist” request to a vulnerable NTP server, with the source address spoofed to be the victim’s address.
• HTTP Flood – A method used by hackers to attack web servers and applications. It consists of seemingly legitimate session-based sets of HTTP GET or POST requests that are designed to consume a significant amount of a server’s resources, and can result in a denial-of-service condition – without necessarily requiring a high rate of network traffic.
• SSYN – A SSYN attack is a spoofed SYN attack. In a SYN attack, the attacker floods their victim’s computer with a large amount of SYN packets. This DDoS attack is intended to exhaust the victim’s device. Once all of the connections are filled, the server will not be able to respond to legitimate users, thus causing a denial of service. In a spoofed SYN attack the attacker runs a similar script that spoofs the attacking IP addresses to prevent the attacker from being traced.
• TCP Flood – This is one of the oldest types of DDoS attacks. It involves sending numerous SYN packets to the victim. In many cases, attackers will spoof the SRC IP so the reply (SYN+ACK packet) will not return, thus overwhelming the session/connection tables of the targeted server or one of the network entities on the way (typically the firewall). Servers need to open a state for each SYN packet that arrives and store this state in tables that have limited size. As big as this table may be, it is easy to send enough SYN packets to fill it, and once this happens the server starts to drop new requests, including legitimate ones. Similar effects can happen on a firewall, which also has to process and invest resources in each SYN packet. Unlike other TCP or application-level DDoS attacks, the attacker does not have to use a real IP – this is perhaps the biggest strength of the DDoS attack.
• UDP Flood – In a UDP flood, the attacker sends large UDP packets to a single destination or to random ports. Since the UDP protocol is “connectionless” and does not have any type of handshake mechanism, the main intention of a UDP flood is to saturate the Internet pipe. Usually, the attackers spoof the SRC IP.
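From the receiving end, the reflection vectors (DNS, SNMP, NTP) and the spoofed SYN flood described above leave distinct traces in flow records: replies to queries the host never sent, and SYNs that never complete a handshake. The sketch below is an added example, not Radware's code; the flow-record fields, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection vectors listed above (DNS, NTP, SNMP).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

def classify(flows, protected_ip, min_reflectors=3, min_half_open=4):
    """Return {vector: evidence count} for vectors that cross a threshold."""
    asked = set()                  # (server, port) the protected host queried itself
    reflectors = defaultdict(set)  # vector -> servers sending unsolicited replies
    half_open = set()              # (src, sport) that sent a SYN but no final ACK
    for f in flows:
        if f["proto"] == "udp":
            if f["src"] == protected_ip:
                asked.add((f["dst"], f["dport"]))
            elif f["dst"] == protected_ip and f["sport"] in REFLECTION_PORTS:
                # A "reply" nobody asked for: the request was spoofed elsewhere.
                if (f["src"], f["sport"]) not in asked:
                    reflectors[REFLECTION_PORTS[f["sport"]]].add(f["src"])
        elif f["proto"] == "tcp" and f["dst"] == protected_ip:
            key = (f["src"], f["sport"])
            if f["flags"] == "S":
                half_open.add(key)       # state the server must hold
            elif f["flags"] == "A":
                half_open.discard(key)   # handshake completed: a real client
    found = {v: len(s) for v, s in reflectors.items() if len(s) >= min_reflectors}
    if len(half_open) >= min_half_open:
        found["SYN"] = len(half_open)
    return found

def flow(proto, src, sport, dst, dport, flags=""):
    return dict(proto=proto, src=src, sport=sport, dst=dst, dport=dport, flags=flags)

# Constructed sample using documentation address ranges; not real traffic.
VICTIM = "203.0.113.10"
SAMPLE = (
    # a lookup the protected host really made, and its answer
    [flow("udp", VICTIM, 40000, "192.0.2.53", 53), flow("udp", "192.0.2.53", 53, VICTIM, 40000)]
    # NTP replies from four servers the host never queried
    + [flow("udp", f"198.51.100.{i}", 123, VICTIM, 50000 + i) for i in range(1, 5)]
    # five SYNs that are never followed by an ACK
    + [flow("tcp", f"192.0.2.{i}", 1024 + i, VICTIM, 443, "S") for i in range(100, 105)]
    # one client that completes its handshake
    + [flow("tcp", "192.0.2.200", 5555, VICTIM, 443, "S"),
       flow("tcp", "192.0.2.200", 5555, VICTIM, 443, "A")]
)

if __name__ == "__main__":
    print(classify(SAMPLE, VICTIM))
```

The solicited DNS answer and the completed handshake are not counted, which is the point of tracking what the protected host actually asked for. A production detector would also window by time and weigh byte volume.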
Stresser services are not necessarily illegal and there are many legitimate uses for such tools. Most legitimate services will require you to provide proof that you own the website and have agreed to the network test. Unfortunately, most of the stresser services that we have observed do not require you to submit proof, let alone verify the email address used to register an account. Instead they try to hide behind their Terms of Service by putting the legal responsibility back onto those carrying out the attacks.
In addition to these services playing fast and loose, they are also targeted by law enforcement and criminal hackers. Most notably, last year the alleged operators of a popular stresser service called VDoS, Yarden Bidani and Itay Huri, were arrested in Israel at the behest of the FBI and accused of launching more than 150,000 attacks from its platform.
More recently, at the beginning of September, researcher Derrick Farmer discovered a file posted on Pastebin.com that detailed a recent breach of a stresser service called TrueStresser. The leak contained the details of 331 users including their username, password and email. The dump also included API details showing that TrueStresser was using an upstream DDoS-as-a-Service provider, Defcon.pro, to launch its attacks.
On August 25th, Radware’s Research division discovered another post on Pastebin that detailed the breach of a stresser service called PirateStress.pro. This leak came shortly after the dox of the alleged admin of PirateStress.pro, Kamikazi. The PirateStress.pro database was leaked by Packet.World and contained the details of 842 users, the attack logs and other information related to the service. Out of the 842 users in the database, 533 users used Gmail accounts for registration. Like many other services, PirateStress.pro does not verify registrants’ email addresses, allowing users to register anonymously and use the service for malicious activity. The PirateStress dump also included an attack log of 2,432 attacks. After analyzing the attacks, it was determined that only 845 were unique targets.
The entry-level package for PirateStress is $10 a month and gives a user access to six attack vectors including LDAP, RAW-UDP, VSE, OVH bypass, DNS, and a generic bypass method. The Diamond pack, at $80 a month, gives a user access to 11 attack vectors for 30 days. Additionally, it appears that at one point in time, PirateStress.pro sold API access to other stresser services, similar to Defcon.pro.
On a funny note, BTC payments are disabled at the moment and the service is currently only taking payments via an Israeli PayPal payment page with the owner’s Gmail address, firstname.lastname@example.org, exposed.
These services can be very profitable for the operators. Today you can find hundreds of these services publicly available with a simple search on Google, but at the same time they cause a lot of damage for those on the receiving end. This is why they are targeted by both hackers and law enforcement. To make matters worse for the operators, most of these services use similar templates and are deployed with misconfigurations, making them a prime target for hackers, as in the case of TrueStresser and PirateStress.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigate attacks proactively for its customers.