It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released today suggests.
The findings come from researchers in Germany who’ve been studying patterns that emerge when miscreants attempt to mass-scan the entire Internet looking for systems useful for launching these digital sieges — known as “distributed denial-of-service” or DDoS attacks.
To understand the significance of their research, it may help to briefly examine how DDoS attacks have evolved. Not long ago, if one wanted to take down large Web site, one had to build and maintain a large robot network, or “botnet,” of hacked computers — which is a fairly time intensive, risky and technical endeavor.
These days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by paying a few bucks for a subscription to one of dozens of booter or stresser services, some of which even accept credit cards and PayPal payments.
These Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful servers that are rented from some dodgy “bulletproof” hosting provider. The booter service accepts payment and attack instructions via a front end Web site that is hidden behind Cloudflare (a free DDoS protection service).
But the back end of the booter service is where the really interesting stuff happens. Virtually all of the most powerful and effective attack types used by booter services rely on a technique called traffic amplification and reflection, in which the attacker can reflect or “spoof” his traffic from one or more third-party machines toward the intended target.
In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.
To find vulnerable systems that can be leveraged this way, booters employ large-scale Internet scanning services that constantly seek to refresh the list of systems that can be used for amplification and reflection attacks. They do this because, as research has shown (PDF), anywhere from 40-50 percent of the amplifiers vanish or are reassigned new Internet addresses after one week.
Enter researchers from Saarland University in Germany, as well as the Yokohama National University and National Institute of Information and Communications Technology — both in Japan. In a years-long project first detailed in 2015, the researchers looked for scanning that appeared to be kicked off by ne’er-do-wells running booter services.
To accomplish this, the research team built a kind of distributed “honeypot” system — which they dubbed “AmpPot” — designed to mimic services known to be vulnerable to amplification attacks, such as DNS and NTP floods.
“To make them attractive to attackers, our honeypots send back legitimate responses,” the researchers wrote in a 2015 paper (PDF). “Attackers, in turn, will abuse these honeypots as amplifiers, which allows us to observe ongoing attacks, their victims, and the DDoS techniques. To prevent damage caused by our honeypots, we limit the response rate. This way, while attackers can still find these ratelimited honeypots, the honeypots stop replying in the face of attacks.”
In that 2015 paper, the researchers said they deployed 21 globally-distributed AmpPot instances, which observed more than 1.5 million attacks between February and May 2015. Analyzing the attacks more closely, they found that more than 96% of the attacks stem from single sources, such as booter services.
“When focusing on amplification DDoS attacks, we find that almost all of them (>96%) are caused by single sources (e.g. booters), and not botnets,” the team concluded. “However, we sadly do not have the numbers to compare this [to] DoS attacks in general.”
Many large-scale Internet scans like the ones the researchers sought to measure are launched by security firms and other researchers, so the team needed a way to differentiate between scans launched by booter services and those conducted for research or other benign purposes.
“To distinguish between scans performed by researchers and scans performed with malicious intent we relied on a simple assumption: That no attack would be based on the results of a scan performed by (ethical) researchers,” said Johannes Krupp, one of the main authors of the report. “In fact, thanks to our methodology, we do not have to make this distinction upfront, but we can rather look at the results and say: ‘We found attacks linked to this scanner, therefore this scanner must have been malicious.’ If a scan was truly performed by benign parties, we will not find attacks linked to it.”
SECRET IDENTIFIERS
What’s new in the paper being released today by students at Saarland University’s Center for IT-Security, Privacy and Accountability (CISPA) is the method by which the researchers were able to link these mass-scans to the very amplification attacks that follow soon after.
The researchers worked out a way to encode a secret identifier into the set of AmpPot honeypots that any subsequent attack will use, which varies per scan source. They then tested to see if the scan infrastructure was also used to actually launch (and not just to prepare) the attacks.
Their scheme was based in part on the idea that similar traffic sources should have to travel similar Internet distances to reach the globally-distributed AmpPot sensors. To do this, they looked at the number of “hops” or Internet network segments that each scan and attack had to traverse.
Using trilateration –the process of determining absolute or relative locations of points by measurement of distances — the research team was able to link scanners to attack origins based on hop counts.
These methods revealed some 286 scanners that are used by booter services in preparation for launching amplification attacks. Further, they discovered that roughly 75 percent of those scanners are located in the United States.
The researchers say they were able to confirm that many of the same networks that host scanners are also being used to launch the attacks. More significantly, they were able to attribute approximately one-third of the attacks back to their origin.
“This is an impressive result, given that the spoofed source of amplification attacks usually remains hidden,” said Christian Rossow of Saarland University.
Rosso said the team hopes to conduct further research on their methods to more definitively tie scanning and attack activity to specific booter services by name. The group is already offering a service to hosting providers and ISPs to share information about incidents (such as attack start and end times). Providers can then use the attack information to inform their customers or to filter attack traffic.
“We have shared our findings with law enforcement agencies — in particular, Europol and the FBI — and a closed circle of tier-1 network providers that use our insights on an operational basis,” the researchers wrote. “Our output can be used as forensic evidence both in legal complaints and in ways to add social pressure against spoofing sources.”
ANALYSIS
Even if these newly-described discovery methods were broadly deployed today, it’s unlikely that booter services would be going away anytime soon. But this research certainly holds the promise that booter service owners will be able to hide the true location of their operations less successfully going forward. and that perhaps more of them will be held accountable for their crimes.
Efforts by other researchers have made it more difficult for booter and stresser services to accept PayPal payments, forcing more booters to rely more on Bitcoin.
Also, there are a number of initiatives that seek to identify a handful of booter services which resell their infrastructure to other services who brand and market them as their own. Case in point, in September 2016 I published an expose on vDOS, a booter service that earned (conservatively) $600,000 over two years helping to launch more than 150,000 DDoS attacks.
Turns out, vDOS’s infrastructure was used by more than a half-dozen other booter services, and shortly after vDOS was taken offline most of those services went dark or were dismantled as well.
One major shift that could help to lessen the appeal of booter services — both for the profit-seeking booter proprietors and their customers — is a clear sign from law enforcement officials that this activity is in fact illegal and punishable by real jail time. So far, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges. The recent arrest of two alleged Lizard Squad members who resold vDOS services through their own “PoodleStresser” service is a good start.
Many booter operators apparently believe (or at least hide behind) a wordy “terms of service” agreement that all customers must acknowledge somehow absolves them of any sort of liability for how their customers use the service — regardless of how much hand-holding and technical support they offer those customers.
Indeed, the proprietors of vDOS — who were arrested shortly after my story about them — told the Wall Street Journal through their attorneys that, “If I was to buy a gun and shoot something, is the person that invents the gun guilty?”
The alleged proprietors of vDOS — 18-year-old Israelis Yarden Bidani and Itay Huri — were released from house arrest roughly ten days after their initial arrest. To date, no charges have been filed against either men, but I have reason to believe that may not be the case for long.
Meanwhile, changes may be afoot for booter services advertised at Hackforums[dot]net, probably the biggest open-air online marketplace where booter services are advertised, compared and rated (hat tip to @MalwareTechblog). Earlier this week, Hackforums administrator Jesse “Omniscient” LaBrocca began restricting access to its “stressers” subsection of the sprawling forum, and barring forum members from advertising booter services in their user profiles.
“I can absolutely see a day when it’s removed entirely,” LaBrocca said in a post explaining his actions. “Could be very soon too.”
Hackforums administrator Jesse “Omniscient” LaBrocca explaining a decision to restrict access to the “stressers” portion of the Hackforums marketplace.
My worry is that we may soon see a pendulum shift in the way that many booter services operate. For now, the size of attacks launched by booter services is somewhat dependent on the number and power of the back-end servers used to initiate amplification and reflection attacks.
However, I could see a day in the not-too-distant future in which booter service operators start earning most of their money by reselling far more powerful attacks launched by actual botnets made from large networks of hacked Internet of Things (IoT) devices — such as poorly-secured CCTV cameras and digital video recorders (DVRs).
In some ways this has already happened, as I detailed in my January 2015 story, Lizard Stresser Runs on Hacked Home Routers. But with the now public release of the source code for the Mirai botnet — the same malware strain that was used in the record 620 Gbps DDoS on my site last month and in the widespread Internet outage last week caused by an attack against infrastructure provider Dyn — far more powerful and scalable attacks are now available for resale.
A copy of the paper released today at the ACM CSS conference in Vienna is available here (PDF).
Brian, great analysis. Last line link to ACM paper is broken.
The researchers noted that botnets were not the normal original source of reflection/amplification attacks; this does not surprise me. The whole point of reflection or amplification is to accomplish the effect of a botnet, but without the botnet. As witnessed very recently, a botnet works best by simply going after the target directly without use of another device. This approach also allows for attack types that are difficult or impossible to spoof (like application-based DoS attacks that require a TCP handshake). Still, this is excellent work towards retiring a significant avenue of attack by “booters.”
Great article but the link to the PDF at the end of the article is not working:
An error occurred while processing your request.
Reference #50.d3f354b8.1477583918.a1509a7
Do you have a link to the new research paper? I’m curious about their technique on fingerprinting scanning and attacks based on hops.
To correlate between those two, I would imagine that it’s only effective when the scans are executed by nodes that also execute the attacks. But this would easily be avoided by having scanning nodes and attack nodes on different continents.
I suppose fingerprinting might also be done based on nodes hit in one scan, and afterwards used simultaneously in future attacks. Simple segmentation / randomisation of attack nodes would bypass this..
As far as I’m aware, there’s almost no possibility to fingerprint abusing parties based on the data that’s available. It’s so simple to use segmentation, randomisation and proxies to obfuscate the source of attacks that any attempt at fingerprinting is easily circumvented.
Some are looking at using IP TTL starvation to limit:
1.) where there web servers can be reached from
2.) where cameras can communicate
3.) where databases can communicate
4.) where legacy devices can communicate
5.) where routers and switches can be reached from
Using TTL=20 on US Military web servers means Russian and Chinese hackers and script kiddies have to be in the US where enforcement is possible.
Using TTL=5 on databases means their packets stay inside the datacenter even if firewalls fail.
Using TTL=8 on cameras means they can’t be touched by far away devices beyond the rule of law. Nor can they send beyond 8 routers.
TTL=x where x=max router hops a device can communicate
https://youtu.be/Gbht5UqA0MI
This is useful for locking down a user’s computer, but it’s not going to fix IoT devices that use embedded linux in firmware, like BusyBox. Every reboot will go back to the fimeware TTL value.
Some college campuses already set TTL=1 for computers meant only for intra-campus use.
Vb, most cameras in corporate networks are addressed by DHCP and using option 23 one can set the time-to-live TTL to the of router hops desired.
And another source, not mentioned, but briefly, white hat stressing sources. We all know Russia and China could be part of the wh services. Personally, I’m expecting another big hit soon, mid terms are here, I’m sure one of the classes will set one loose, unintentionally. But I also have read of other attacks, scheduled by our services, supposed to have been late fall. Could that have been some of the American 75 %. It would be interesting to find out.
Outstanding !
Very interesting article !
The news says IoT devices are being used in these attacks. It isn’t clear from this article where those devices fit in. Brian, can you clarify this? Do these attacks require a botnet of previously compromised IoT devices?
From Brian’s article:
“These Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful servers…”
The IoT botnets are a new and different type of DDoS animal.
You don’t need a massive a botnet to coordinate sending of fragmented datagrams to multicast addresses in order to be a bona fide “booter.” Before DDoS was necessary, non-distributed DoS attacks did the trick (e.g. Satanic Mechanic’s nuke.c and Soldier’s pepsi.c).. All you really need is a collection of kernel space NULL pointer dereference bugs or an algorithmic attack creative enough to cause a box to fork bomb itself. The real way to split the Internet in pieces isn’t flooding anything and everything–it’s by targeting backbone router peer groups.
“If I was to buy a gun and shoot something, is the person that invents the gun guilty?”
Inventors? No. More like owners of the gun willfully lending it out.
“If I was to buy a gun and shoot something, is the person that invents the gun guilty?”
What a ridiculous excuse they made up. They clearly are kids and dumb. You are responsible if you are running a shop that sells 10,000 guns to anonymous people without any check or verification.
That is exactly what they did.
They didn’t verify or check a single one of their users, not only that, they didn’t verify the targets either. Real stress or load testing services, not only do proper verification on the user but they require the end server or site you are stressing to be confirmed as under your control. Think of it like how Google Webmaster Tools or Bing Tools requires you to check ownership of the domain. They didn’t.
They were not even a real company, so their TOS is null, non-valid. Those services hide all the contact information and are running as anonymous as they possible can. Why would you do that if you are running a valid business? Because you are a criminal running a criminal enterprise. No legal company, no nothing. They did pay taxes for the money earned? Of course not. Where they incorporated? Of course not. Their TOS has zero enforcement on anything or anyone. They can’t use the law to protect themselves when they were trying to hide from the law because they were breaking it.
Requiring verification on targets is extremely simple. Those services don’t do that, because of course, they know their customers are dossing other people and server they don’t control. And using payment services from other people, like renting their paypal accounts is also illegal. I cannot even start to say how many laws they broke. They should be in jail. Why are they even free?
Next they are going to say they Krebs has to pay them for load testing his website.
What about axe salesmen or people selling guns anonymously in countries where it’s allowed or other items which could potentially be used for unlawful or harmful uses?
Sure, they know people are using their services maliciously, but so does people selling guns, axes, or even ISP’s know their customers are using their services to illegally download copyrighted content, maybe ISP’s should have to go through every request that’s being made using their services?
MickeyD, that is not similar here.
They where not selling a service under a legitimate organization, by this I mean as individual or company, because an individual can run his own personal business, the reason why some people run it with a corporation or LLC is for liability, but sure, you can run it as sole proprietorship. But that still requires some regulations, like identifying yourself as a person doing business or brand (DBA) which you may or not register depending on your country.
People selling axes, or guns do that. They sell it personally or as a company.
They didn’t. They where not running as sole proprietorship or incorporated because criminals know they are doing something illegal, so they hide. These persons only claim to be running a valid business once they are caught, in such case because Krebs exposed them. Otherwise they never reveal anything about them, except maybe the country they are, but no name, no address, no contact info. They try to hide how they are doing business, and even who ends up receiving the money. So yes, that is a criminal enterprise.
Second, people selling guns or axes, sure they are not responsible for what you do, but if they are selling them to minors, you can bet there are regulations for that. Again, the botter services make no verification what so ever, sell to everyone and everything and for illegal purposes which they are aware. They can’t claim they where not aware their users where using it to attack others, they knew about it because that is how they where doing their marketing to sell the services. I don’t see gun stores making marketing where they target criminals.
Another thing is if the guns you are selling are not yours. But stolen. Again, this is something the botters are doing. They are hacking into others people systems which alone already is a crime.
There are many other things they did that are illegal. Sure, they can say they are not responsible for their customers attacking other people, but can they? When there are laws and regulations about intruding others people system, stealing data, and facilitating a crime (in this case attacking other systems) you are in the minimal amount at least an accomplice or facilitator. Under most common law, you can be considered an accomplice even if you didn’t actively participated in the commission of the crime or took no part in the actual offense.
Everyone buying a service like this is doing something illegal. And the person/persons setting a business like that, are running an illegal business which is based on the whole model of renting systems they kidnap from others and then are used to take others systems offline.
There is no way in hell, they will get away with this, even if they hire the best attorneys on planet earth. At least not in any country where there is some legal system and justice in place.
Actually another more simple analogy would be someone who owns a gun and then loans or rents it to soneone who uses it to kill someone, then returns it to you. I’m pretty sure that yes, you can be held liable for the criminal acts committed with your gun. Especially if you run a business renting guns to murderer’s.
I think an even more apt analogy would be a hit man. “You want somebody attacked? Pay me and I’ll attack your victim.” And THAT is definitely illegal.
Like having your computer infected from advertising that got in through a CDN hidden within the code of a webpage that all resulted in the purchase of a gun by a murderer that starts with ID theft from said infection.
Who is liable? The user? The owner of the initial website? The advertiser? The owner/operator of the CDN? The ISP? The company that owns the anti-virus software that missed the infection? The murder? The gun store?
When the murderer gets caught, it ends there. But that’s the problem. We all continue to deal with all this because it ends right there.
I forgot. Real stressing servers also don’t hack others people systems to use them in their service.
They have their own machines or rent Amazon Cloud instances or similar. How about that? How can they even justify something like this is legal. It is equivalent to someone stealing cars and then trying to run a taxi company from them.
BaaS
Botnet as a Service
Booter as a Service
Pick you poison.
Are their days numbered? I’ll believe it when I see it.
I imagine that it would not be too difficult to modify Mirai to make it benevolent : take out the other strains of Mirai and kill telnet access on those devices
@ Lnz please don try that…
Our experience interviewing a dozen of people involved in the stress testing scene is that they still feel that this service is legal.
After all 200+ domain names connected with booters have been and are still hosted behind a CDN provider.
Today, we are releasing information about RainSpai3n, the person behind 300+ attacks in VDOS.
http://www.spoofit.org/who-is-rainbow/
Score one for the good guys … hope we can gain some ground, as the baddies have been running roughshod on the web lately!
No one ever wants to discuss the DRAC (Dell Remote Access Card) cards that were put into many of these servers. These cards then getting built into their mother boards. Just like no one ever wants to discuss the remote access ‘service’ that runs in the background on Windows. Windows even having remote registry access being on by default. Since few home users actually go through their ‘services’ to see what is running and what isn’t.
Companies actually enjoy these servers having DRAC since it allows for displacing IT ‘as a service’ so they no longer have to have in house staff on the payroll taking care of things.
Home users enjoy having outside support staff ‘remote access’ into their machines to fix problems. Problems that they themselves COULD and SHOULD be fixing if only they had the desire to understand something about their own stuff.
So much of this goes on for so many years that is really is not much of a surprising thing that all this “booting” thing and DDOS thing takes place.
The thing I find so funny is that most people actually think they can get around all this by ‘updating’ their system. Ya know, updating is fine but you can’t get any update for the OS that will remove those DRAC cards.
How many point of sale systems are running with one of these servers?
I’ll have to look at the paper, but correlating a scan with an attack… it would have to be the same machine or subnet. You would have to be very stupid and lazy to do that. Obviously these guys aren’t hurting for money and they have to constantly scan and that doesn’t last forever as complains will be received, so they couldn’t keep it on the same machine or even provider. All they want is the ip so… their little ‘unique identifer’… can’t imagine what that is.
Hahahaha Its about TIME some research company finally figured out to do the “how to”.
Now, it IF it is applied across the board, it may work.
Mirai runs hidden behind a new network prefix at dataflow.su
Read how we discovered where one of the Mirai C2 is hidden and how new network prefixes and fake ASNs are used by bulletproof hosters. Check how routing announcements are pushed from hidden locations, RIPE objects are created with fake documents and how a “grocery store” got the IP space!
http://www.spoofit.org/mirai-hidden-behind-dataflow/