The DDoS-as-a-Service Phenomenon: Less than 5 Dollars to attack everyone
Jair Santanna, Design and Analysis of Communication Systems, Internet Management and Measurement (IMM)

20140313_tu_delft

Apr 13, 2017

Transcript
Page 1: 20140313_tu_delft

The DDoS-as-a-Service Phenomenon

[Jair Santanna]

Design and Analysis of Communication Systems

Less than 5 Dollars to attack everyone

Internet Management and Measurement (IMM)

Page 2: 20140313_tu_delft

Denial of Service

"1 against 1"

Page 3: 20140313_tu_delft

Application layer

Infrastructure layer

Group of attacks

Page 4: 20140313_tu_delft

Application layer vs. Infrastructure layer

- time
- resources: computing vs. packets
- Difficult to Stop / Easy to Detect
- Difficult to Detect / Easy to Stop

Page 5: 20140313_tu_delft

Type of Attacks [Prolexic Global DDoS attack report]

SYN, GET, SSL GET, Slowloris, ICMP, ACK, IGMP, RIP, UDP, UDP Fragmented, TCP Fragmented, HTTP Head, RESET, FIN, PUSH, POST, SSL POST, DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

Page 6: 20140313_tu_delft

Type of Attacks per Group (Application layer / Infrastructure layer)

SYN, GET, SSL GET, Slowloris, ICMP, ACK, IGMP, RIP, UDP, UDP Fragmented, TCP Fragmented, HTTP Head, RESET, FIN, PUSH, POST, SSL POST, DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

Page 7: 20140313_tu_delft

(same slide as Page 6)

Page 8: 20140313_tu_delft

Reflection Attacks

normal situation: request -> response
reflection: spoofed request -> response

Protocols: DNS, NTP, SNMPv2, NetBIOS, SSDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol

Page 9: 20140313_tu_delft

Denial of Service

"1 against 1"

Page 10: 20140313_tu_delft

DISTRIBUTED Denial of Service: "∞" against 1

Page 11: 20140313_tu_delft

- Services being misused
- Compromised systems

Page 12: 20140313_tu_delft

worse than this!

Page 13: 20140313_tu_delft

Amplification Factor (*maximum) [Cert.us: TA14-017A]

DNS                     54x
NTP                     556.9x
SNMPv2                  6.3x
NetBIOS                 3.8x
SSDP                    30.8x
CharGEN                 358.8x
QOTD                    140.3x
BitTorrent              3.8x
Kad                     16.3x
Quake Network Protocol  63.9x
Steam Protocol          5.5x

Page 14: 20140313_tu_delft
Page 15: 20140313_tu_delft

2013 - 300 Gbps [link]
2014 - 400 Gbps [link]
2020 - ... 1 Tbps, Right?

Page 16: 20140313_tu_delft

2013 - 300 Gbps
2014 - 400 Gbps
2020 - 1 Tbps, Right?

... NO! 2014: 1 Tbps OR higher [or not]

DNS, NTP
[4,529] [30,956] -> ~28 million
-> 94,534 IC measured 20 million

Page 17: 20140313_tu_delft

Let's change the topic a little bit...

Page 18: 20140313_tu_delft

Black-hat communities are changing!

Page 19: 20140313_tu_delft

DDoS Attack

The DDoS-as-a-Service Phenomenon

Less than 5 Dollars to attack everyone

Page 20: 20140313_tu_delft

DDoS Attack

The DDoS-as-a-Service Phenomenon

Less than 5 Dollars to attack everyone

No more opponents!!

No more ONLINE exams!!

More attention to your presentation!!!

why not?

Page 21: 20140313_tu_delft

DDoS Attack

The DDoS-as-a-Service Phenomenon

Less than 5 Dollars to attack everyone

Economic Impact!!

Page 22: 20140313_tu_delft

Booters: online tools that offer DDoS-as-a-$ervice (~U$ 5).

Also known as: "Booter", "Stresser", "DDoSer", "DDoS-as-a-Service", "DDoS-for-hire"

Page 23: 20140313_tu_delft

How do Booters work?

Front-end: Customer -> Booter -> Target

Back-end: DNS Server, charGEN Server, Bot (from botnet)

Page 24: 20140313_tu_delft

My goal as a Ph.D.: Characterise and Mitigate the DDoS-as-a-Service Phenomenon

- Measurements
- Crawler & Classifier
- Survey

Page 25: 20140313_tu_delft

Measurements

- active / passive
- packet / flow / scans / raw

Page 26: 20140313_tu_delft

Some Results...

Page 27: 20140313_tu_delft

59 Booters listed since July 2013 [Crawler]

14 Booters hired and tested

Page 28: 20140313_tu_delft

14 Booters hired and tested

#   DDoS as a $ervice                Offer [Gbps]   price [€]
1   http://booter.tw                 ?              10,90
2   http://restricted-stresser.info  5              1,95
3   http://anonymous-stresser.net    5              3,12
4   http://destressbooter.com        25             3,89
5   http://flashstresser.net         ?              3,89
6   http://dejabooter.com            10             3,89
7   http://rebel-security.com        Up to 3        3,00
8   http://grimboot.com              6              3,90
9   http://quantumbooter.net         1,5            8,00
10  http://olympusstresser.org       Up to 3        4,90
11  http://ebooter.5gbfree.com       ?              free
12  http://vdoss.net                 ?              3,11
13  http://respawn.ca                8              3,90
14  http://onionstresser.com         ?              3,90
                                     Total          €58,35

Page 29: 20140313_tu_delft

http://respawn.ca http://onionstresser.com

14 Booters hired and tested

Page 30: 20140313_tu_delft

3 booters at 193.174.93.114:80 (NL-ECATEL, Netherlands, Europe): http://olympusstresser.org, http://vdoss.net, http://ebooter.5gbfree.com

1 booter at 190.231.55.202:5900 -> VNC (Apolo-Gold-Telecom-Per, Telecom Argentina S.A.)

14 Booters hired and tested

Page 31: 20140313_tu_delft

#   DDoS as a $ervice                Offer [Gbps]   UT [Gbps]   SURFnet [Gbps]   IPs involved*   Attacks based on   price [€]
1   http://booter.tw                 ?              0,07        0,112            8.280           *DNS               10,90
2   http://restricted-stresser.info  5              1,22        1,952            7.369           *DNS               1,95
3   http://anonymous-stresser.net    5              0,38        0,608            6.075           *DNS               3,12
4   http://destressbooter.com        25             0,72        1,152            4.486           *DNS               3,89
5   http://flashstresser.net         ?              3,0         4,8              3.779           *Chargen           3,89
6   http://dejabooter.com            10             1,1         1,76             2.970           *DNS               3,89
7   http://rebel-security.com        Up to 3        1,0         1,6              281             *Chargen           3,00
8   http://grimboot.com              6              0,37        0,592            78              *DNS               3,90
9   http://quantumbooter.net         1,5            0,37        0,592            54              *DNS               8,00
10  http://olympusstresser.org       Up to 3        -           -                -               -                  4,90
11  http://ebooter.5gbfree.com       ?              -           -                -               -                  free
12  http://vdoss.net                 ?              -           -                -               -                  3,11
13  http://respawn.ca                8              -           -                -               -                  3,90
14  http://onionstresser.com         ?              -           -                -               -                  3,90
                                     Total                                       33.372                             €58,35

14 Booters hired and tested

Page 32: 20140313_tu_delft

IPs involved per booter:

8280  http://booter.tw
7369  http://restricted-stresser.info
6075  http://anonymous-stresser.net
4486  http://destressbooter.com
3779  http://flashstresser.net
2970  http://dejabooter.com
281   http://rebel-security.com
78    http://grimboot.com
*54   http://quantumbooter.net

98%

Cheaper and more Powerful

Page 33: 20140313_tu_delft

http://booter.tw http://restricted-stresser.info http://anonymous-stresser.net

http://destressbooter.com http://flashstresser.net http://dejabooter.com

http://rebel-security.com http://grimboot.com http://quantumbooter.net

** Traffic [bytes] per time [s]

Page 34: 20140313_tu_delft

http://booter.tw http://restricted-stresser.info http://anonymous-stresser.net

http://destressbooter.com http://flashstresser.net http://dejabooter.com

http://rebel-security.com http://grimboot.com http://quantumbooter.net

** # Packets sent per IP

Page 35: 20140313_tu_delft

Current Step...

Page 36: 20140313_tu_delft

Current Step...

- Crawler & Classifier
- Measurements
- Survey: Popularity and Characteristics of Booters

Page 37: 20140313_tu_delft

Thanks for your attention!