The past few years have witnessed a rapid proliferation of cheap, Web-based services that troublemakers can hire to knock virtually any person or site offline for hours on end. Such services succeed partly because they’ve enabled users to pay for attacks with PayPal. But a collaborative effort by PayPal and security researchers has made it far more difficult for these services to transact with their would-be customers.
By offering a low-cost, shared distributed denial-of-service (DDoS) attack infrastructure, these so-called “booter” and “stresser” services have attracted thousands of malicious customers and are responsible for hundreds of thousands of attacks per year. Indeed, KrebsOnSecurity has repeatedly been targeted in fairly high-volume attacks from booter services — most notably a service run by the Lizard Squad band of miscreants who took responsibility for sidelining the Microsoft xBox and Sony Playstation on Christmas Day 2014.
For more than two months in the summer 2014, researchers with George Mason University, UC Berkeley’s International Computer Science Institute, and the University of Maryland began following the money, posing as buyers of nearly two dozen booter services in a bid to discover the PayPal accounts that booter services were using to accept payments. In response to their investigations, PayPal began seizing booter service PayPal accounts and balances, effectively launching their own preemptive denial-of-service attacks against the payment infrastructure for these services.
PayPal will initially limit reported merchant accounts that are found to violate its terms of service (turns out, accepting payments for abusive services is a no-no). Once an account is limited, the merchant cannot withdraw or spend any of the funds in their account. This results in the loss of funds in these accounts at the time of freezing, and potentially additional losses due to opportunity costs the proprietors incur while establishing a new account. In addition, PayPal performed their own investigation to identify additional booter domains and limited accounts linked to these domains as well.
The efforts of the research team apparently brought some big-time disruption for nearly two-dozen of the top booter services. The researchers said that within a day or two following their interventions, they saw the percentage of active booters quickly dropping from 70 to 80 percent to around 50 percent, and continuing to decrease to a low of around 10 percent that were still active.
While some of the booter services went out of business shortly thereafter, more than a half-dozen shifted to accepting payments via Bitcoin (although the researchers found that this dramatically cut down on the services’ overall number of active customers). Once the target intervention began, they found the average lifespan of an account dropped to around 3.5 days, with many booters’ PayPal accounts only averaging around two days before they were no longer used again.
The researchers also corroborated the outages by monitoring hacker forums where the services were marketed, chronicling complaints from angry customers and booter service operators who were inconvenienced by the disruption (see screen shot galley below).
As I’ve noted in past stories on booter service proprietors I’ve tracked down here in the United States, many of these service owners and operators are kids operating within easy reach of U.S. law enforcement. Based on the aggregated geo-location information provided by PayPal, the researchers found that over 44% of the customer and merchant PayPal accounts associated with booters are potentially owned by someone in the United States.
The research team also pored over leaked and scraped data from three popular booter services —”Asylum Stresser,” another one called “VDO,” and the booter service referenced above called “Lizard Stresser.” All three of these booter services had been previously hacked by unknown individuals. By examining the leaked data from these services, the researchers found these three services alone had attracted over 6,000 subscribers and had launched over 600,000 attacks against over 100,000 distinct victims.
Like other booter services, Asylum, Lizard Stresser and VDO rely on a subscription model, where customers or subscribers can launch an unlimited number of attacks that have a duration typically ranging from 30 seconds to 1-3 hours and are limited to 1-4 concurrent attacks depending on the tier of subscription purchased. The price for a subscription normally ranges from $10-$300 USD per a month depending on the duration and number of concurrent attacks provided.
“We also find that the majority of booter customers prefer paying via PayPal and that Lizard Stresser, which only accepted Bitcoin, had a minuscule 2% signup to paid subscriber conversion rate compared to 15% for Asylum Stresser and 23% for VDO 1, which both accepted PayPal,” they wrote.
The research team found that some of the biggest attacks from these booter services take advantage of common Internet-based hardware and software — everything from consumer gaming consoles to routers and modems to Web site content management systems — that ships with networking features which can easily be abused for attacks and that are turned on by default.
Specific examples of these include DNS amplification attacks, network time protocol (NTP) attacks, Simple Service Discovery Protocol (SSDP) attacks, and XML-RPC attacks. These attack methods are particularly appealing for booter services because they hide the true source of attacks and/or can amplify a tiny amount of attack bandwidth into a much larger assault on the victim. Such attack methods also offer the booter service virtually unlimited, free attack bandwidth, because there are tens of millions of misconfigured devices online that can be abused in these attacks.
Finally, the researchers observed a stubborn fact about these booter services that I’ve noted in several stories: That the booter service front-end Web sites where customers go to pay for service and order attacks were all protected by CloudFlare, a content distribution network that specializes in helping networks stay online in the face of withering online attacks.
I have on several occasions noted that if CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and — more importantly — help eradicate the booter industry. The company has responded that this would lead to a slippery slope of censorship, but that it will respond to all proper requests from law enforcement regarding booters. I won’t rehash this debate again here (anyone interested in CloudFlare’s take on this should see this story).
In any case, the researchers note that they contacted CloudFlare’s abuse email on June 21st, 2014 to notify the company of the abusive nature of these services.
“As of the time of writing this paper, we have not received any response to our complaints and they continue to use CloudFlare,” the paper notes. “This supports the notion that at least for our set of booters CloudFlare is a robust solution to protect their frontend servers. In addition, crimeflare.com has a list of over 100 booters that are using CloudFlare’s services to protect their frontend servers.”
A copy of the research paper is available here (PDF).