Let’s take a journey through a real-life booter and stresser service to better understand the tools, the trade and pricing behind DDoS-as-a-Service.
Putinstresser.eu is a fairly recent player, an addition to the growing number of low-priced DDoS-as-a-Service, commonly known as booters and stressers, services. The site illustrates the maturity and the ease of access these services have reached. It provides different, very accessible payment options, discovery tools, support and flexible attack options for a wide range of customers.
There are hundreds, maybe thousands, of those services on the dark and clear net, most of them offering very similar services but with one common objective: making money from customers that are looking to perform illegal DDoS attacks. The growing number of customers for these platforms are hacktivists, ransom engineers, businesses trying to impact their competition, unhappy customers, disgruntled employees, and kids (including grown-up kids) trying to get an edge on their multi-player gaming adversaries.
Signing up to the service is easy and requires only a username, password and an email address. The email address does not get validated. The site is encrypted and its authenticity verified through a certificate from the online free, automated, and open Certificate Authority Let’s Encrypt.
According to the site there are 3,246 registered users and they performed a total of 37,894 boots (attacks). Website states that the services are powered by 24 attack servers hosted across three major providers: Voxility, OVH and Combahot/link11. According to the FAQ, the attack plane of the booter performs up to 350Gbps per stress using DNS amplification given that the total load on the network is less than 50%. TCP stress provides 600,000pps per stress and more, and uses slots to ensure fair and constant power for each attack.
Plans and Products
The plans start with a trial plan at $5 for 400sec attack time, valid for one week. The first full plan starts at $10 per month for 600sec attack time with 1 concurrent attack. The highest plan provides almost 3.5 hours of attack time for $400 including the ability to run six concurrent attacks.
Counter-Strike: Global Offensive (CSGO) is a first-person multi-player shooter developed by Hidden Path Entertainment and Valve Corporation, running on the Source engine. CSGO has a very competitive community and one of the games used in professional competitions such as the ESL Prod League. Games with huge communities come with a large ecosystems and one of the traded valuables in CSGO are skins, allowing players to differentiate themselves with unique and custom skins for their favorite weapons in the game. CSGO skins have become a currency and can be bought and sold online through sites such as csgo-skins.com and skins.cash.
To put the CSGO ecosystem in its right perspective, the site skins.cash alone sold almost 25 million skins as of March 2018. A factory new, Souvenir AWP Dragon Lore skin with minimal wear can be yours for $35,000 (source: OPSkins). In January a CSGO fan dropped over $60k for this rifle skin, autographed by Tyler “Skadoodle” Latham, a member of the Cloud9 Counter-Strike team that became the first American squad to win a Valve-sponsored CSGO event, the ELeague Boston Major in January 2018.
Attack Hub and DDoS vectors
The “attack hub” provides an easy interface to perform and manage several concurrent attacks with differing attack vectors and victims. From the attack hub one can start a new attack by filling in the victim’s IP address, the target port, the duration of the attack in seconds and the method or attack vector. A convenient table shows the history of performed attacks and the live attacks that can be stopped at any time through a simple click on a button.
The attack methods or vectors available to choose from include the ‘golden standards’ such as DNS, NTP, SNMP amplification attacks as well as the latest Memcached attack. Also the traditional TCP XSYN, XACK and XMAS floods, GRE-based attacks, attacks targeting TeamSpeak servers using the TS3 protocol, as well as attack vectors for different multi-player gaming platforms such as Valve Source Engine (VSE), Minecraft, Counter Strike (GK_CS), Steam and Grand Theft Auto San Andreas Multi-Player (GK_Samp). The owners of the site advertised their attack vectors on Pastebin with a short description and some help for unseasoned attackers.
The site delivers some convenient tools for resolving IP addresses and checking if a website is ‘Up’ or ‘Down.’ It also includes an option to find the IP address of services protected (hidden) behind Cloudflare.
Live chat and support
For users in need, the site has a live chat and support feature to submit and track support tickets as well as live chat options through Discord. Discord is a proprietary freeware VoIP application designed for gaming communities and providing an alternative to Skype or TeamSpeak. As of December 2017 there were 87 million unique users on Discord.
I hope this peek inside an active booter and stresser service has given you more insights and understanding of what makes up such services.
While a lot of the hacking community draws parallels to the gaming ecosystem, and their tools and payment options are sourced through that ecosystem, let us not forget that the objective is to make money and limit as much as possible the risk of being exposed or tracked down.
From a booter customer point of view, your targets can be anything from financial institutions, gaming sites, governments, organizations, and online businesses up to individual gamers, and your motivations can range from activism, unfair competition (whether it is business or gaming), and anger therapy to ransom campaigns.
Better understanding the tools, the level of pricing and the attack vectors enables us to estimate the risk and threat landscape for DDoS, and this should help you assess your organization’s exposure and risk to DDoS attacks.