20140313_tu_delft

Post on 13-Apr-2017

Transcript

The DDoS-as-a-Service Phenomenon

[Jair Santanna]

Design and Analysis of Communication Systems

Less than 5 Dollars to attack everyone

Internet Management and Measurement (IMM)

Denial of Service

"1 against 1"

Application layer

Infrastructure layer

Group of attacks

Application / Infrastructure

[Figure labels: time, resources, computing, packets]

Difficult to Stop, Easy to Detect

Difficult to Detect, Easy to Stop

Type of Attacks

[Prolexic Global DDoS attack report]

SYN, GET, SSL GET, Slowloris, ICMP, ACK, IGMP, RIP, UDP, UDP Fragmented, TCP Fragmented, HTTP Head, RESET, FIN, PUSH, POST, SSL POST, DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

Type of Attacks per Group

SYN, GET, SSL GET, Slowloris, ICMP, ACK, IGMP, RIP, UDP, UDP Fragmented, TCP Fragmented, HTTP Head, RESET, FIN, PUSH, POST, SSL POST, DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

[Groups shown on the slide: Application layer, Infrastructure layer]

Spoofed request / response

Reflection Attacks

DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

normal situation

Denial of Service

"1 against 1"

Denial of Service, DISTRIBUTED: "∞" against 1

- Services being misused

- Compromised systems

worse than this!

Amplification Factor*

Protocol | Amplification factor
DNS | 54x
NTP | 556.9x
SNMPv2 | 6.3x
NetBIOS | 3.8x
SSDP | 30.8x
CharGEN | 358.8x
QOTD | 140.3x
BitTorrent | 3.8x
Kad | 16.3x
Quake Network Protocol | 63.9x
Steam Protocol | 5.5x

[Cert.us: TA14-017A]

*maximum

2013 - 300Gbps

2014 - 400Gbps

2020 - 1Tbps

Right?

… NO! 2014: 1Tbps OR higher

DNS, NTP

[or not]

[4,529]

[30,956] -> ~28 million

-> 94,534 IC measured 20 million

Let's change the topic a little bit...

Black-hat communities are changing!

DDoS Attack

The DDoS-as-a-Service Phenomenon

Less than 5 Dollars to attack everyone

No more opponents!!

No more ONLINE exams!!

More attention to your presentation!!!

why not?

Economic Impact!!

Booters: Online Tools that offer DDoS-as-a-$ervice.

~U$ 5

Also called: "Booter", "Stresser", "DDoSer", "DDoS-as-a Service", "DDoS-for-hire"

How do Booters work?

[Diagram elements: Customer, Booter, Target; Front-end, Back-end; DNS Server, charGEN Server, Bot (from botnet)]

My goal as a Ph.D:

Characterise and Mitigate The DDoS-as-a-Service Phenomenon

Measurements, Crawler & Classifier, Survey

Measurements

active, passive

packet, flow, scans, raw

Some Results...

59 Booters listed since July 2013 [Crawler]

14 Booters hired and tested

# | DDoS as a $ervice | Offer [Gbps] | price [€]
1 | http://booter.tw | ? | 10,90
2 | http://restricted-stresser.info | 5 | 1,95
3 | http://anonymous-stresser.net | 5 | 3,12
4 | http://destressbooter.com | 25 | 3,89
5 | http://flashstresser.net | ? | 3,89
6 | http://dejabooter.com | 10 | 3,89
7 | http://rebel-security.com | Up to 3 | 3,00
8 | http://grimboot.com | 6 | 3,90
9 | http://quantumbooter.net | 1,5 | 8,00
10 | http://olympusstresser.org | Up to 3 | 4,90
11 | http://ebooter.5gbfree.com | ? | free
12 | http://vdoss.net | ? | 3,11
13 | http://respawn.ca | 8 | 3,90
14 | http://onionstresser.com | ? | 3,90
Total | | | €58,35

14 Booters hired and tested

http://respawn.ca, http://onionstresser.com

3: 193.174.93.114:80 (NL-ECATEL, Netherlands, Europe)

http://olympusstresser.org, http://vdoss.net, http://ebooter.5gbfree.com

1: 190.231.55.202:5900 -> VNC (Apolo-Gold-Telecom-Per, Telecom Argentina S.A.)

14 Booters hired and tested

# | DDoS as a $ervice | Offer [Gbps] | UT [Gbps] | SURFnet [Gbps] | IPs involved* | Attacks based on | price [€]
1 | http://booter.tw | ? | 0,07 | 0,112 | 8280 | DNS | 10,90
2 | http://restricted-stresser.info | 5 | 1,22 | 1,952 | 7369 | DNS | 1,95
3 | http://anonymous-stresser.net | 5 | 0,38 | 0,608 | 6075 | DNS | 3,12
4 | http://destressbooter.com | 25 | 0,72 | 1,152 | 4486 | DNS | 3,89
5 | http://flashstresser.net | ? | 3,0 | 4,8 | 3779 | Chargen | 3,89
6 | http://dejabooter.com | 10 | 1,1 | 1,76 | 2970 | DNS | 3,89
7 | http://rebel-security.com | Up to 3 | 1,0 | 1,6 | 281 | Chargen | 3,00
8 | http://grimboot.com | 6 | 0,37 | 0,592 | 78 | DNS | 3,90
9 | http://quantumbooter.net | 1,5 | 0,37 | 0,592 | 54 | DNS | 8,00
10 | http://olympusstresser.org | Up to 3 | - | - | - | - | 4,90
11 | http://ebooter.5gbfree.com | ? | - | - | - | - | free
12 | http://vdoss.net | ? | - | - | - | - | 3,11
13 | http://respawn.ca | 8 | - | - | - | - | 3,90
14 | http://onionstresser.com | ? | - | - | - | - | 3,90
Total | | | | | 33.372 | | €58,35

14 Booters hired and tested

[Chart: IPs involved per Booter]

http://booter.tw: 8280
http://restricted-stresser.info: 7369
http://anonymous-stresser.net: 6075
http://destressbooter.com: 4486
http://flashstresser.net: 3779
http://dejabooter.com: 2970
http://rebel-security.com: 281
http://grimboot.com: 78
http://quantumbooter.net: *54

98%

Cheaper and more Powerful

[Figure: Traffic [bytes] per time [s], one panel per Booter: http://booter.tw, http://restricted-stresser.info, http://anonymous-stresser.net, http://destressbooter.com, http://flashstresser.net, http://dejabooter.com, http://rebel-security.com, http://grimboot.com, http://quantumbooter.net]

[Figure: # Packets sent per IP, one panel per Booter: http://booter.tw, http://restricted-stresser.info, http://anonymous-stresser.net, http://destressbooter.com, http://flashstresser.net, http://dejabooter.com, http://rebel-security.com, http://grimboot.com, http://quantumbooter.net]

Current Step...

Crawler & Classifier

Measurements, Survey

Popularity and Characteristics of Booters

Thanks for your attention!