The past few years have brought a proliferation of online services that can be hired to knock Web sites and individual Internet users offline. Once only found advertised in shadowy underground forums, many of today’s so-called “booter” or “stresser” services are operated by U.S. citizens who openly advertise their services while hiding behind legally dubious disclaimers. Oh, and they nearly all rely on Paypal to receive payments.
Many of these booter sites are based on the same source code, meaning that any vulnerabilities in that code can be used to siphon data from the back-end databases of multiple, competing services. This happened in March to booter.tw, a service that was used to launch a volley of attacks against this blog, among others.
Today we’ll be taking a closer look at another booter service whose customer database was recently leaked: asylumstresser.com (a.k.a. asylumbooter.com/net/us). Like other booter services, asylumstresser.com isn’t designed to take down large Web sites that are accustomed to dealing with massive attacks from Internet extortionists. But these services can and are used to sideline medium-sized sites, although their most common targets are online gaming servers.
Asylum says it deletes records of attacked sites after one month, and the leaked database confirms that. But the database also shows the sheer volume of online attacks that are channeled through these services: Between the week of Mar. 17, 2013 and Mar. 23, 2013, asylumstresser.com was used to launch more than 10,000 online attacks.
According to the leaked database for Asylum, the administrator and first registrant on the site uses the address firstname.lastname@example.org. That same email address was the beneficiary of more than $35,000 in Paypal payments made by customers of the service. Overall, more than 33,000 user accounts were created on the site.
That email@example.com address also is tied to a Facebook account for a 17-year-old honor roll student named Chandler Downs from suburban Chicago. A reverse WHOIS report (PDF) ordered from domaintools.com shows other interesting sites registered with that same email address.
In a brief interview conducted over Gmail chat, Downs maintained that the service is intended only for “stress testing” one’s own site, not for attacking others. And yet, asylumstresser.com includes a Skype resolver service that lets users locate the Internet address of anyone using Skype. Asylum’s resolver wouldn’t let me look up Downs’ own Skype address — “hugocub1.” But another Skype resolver service shows that that Skype username traces back to a Comcast Internet address outside of Chicago.
Asylumstresser.com also features a youtube.com ad that highlights the service’s ability to “take down your competitors’ servers or Web site.”
“Do you get annoyed all the time because of skids on xBox Live? Do you want to take down your competitors’ servers or Web site?,” reads the site’s ad, apparently recorded by this paid actor at Fiverr.com. “Well, boy, do we have the product for you! Now, with asylumstresser, you can take your enemies offline for just 30 cents for a 10 minute time period. Sounds awesome, right? Well, it gets even better: For only $18 per month, you can have an unlimited number of attacks with an increased boot time. We also offer Skype and tiny chat IP resolvers.”
Downs said he was not the owner of the site – just the administrator. He shrugged off the ad’s message, and said Asylum wasn’t responsible for what customers did with the service.
“You are able to block any of the ‘attacks’ as you say with rather basic networking knowledge,” Downs said. “If you’re unable to do such a thing you probably shouldn’t be running a website in the first place. No one would spend money to stress a site without a reason. If you’re giving someone a reason, that’s your own fault.”
Not so fast, said Mark Rasch, a computer security expert and former U.S. Justice Department attorney.
“If they’ve got their fingers on the trigger and they launch the attacks when they’re paid to, then I would say they’re criminally and civilly liable for it,” Rasch said.