Analysis It’s not often an entirely new and thriving sector of the “digital economy” – one hitherto unmentioned by the popular press – floats to the surface of the lake in broad daylight, waving a tentacle at us.
This is the DDoS-for-hire industry, and it’s fascinating for a few reasons. This shady marketplace has done everything a legitimate “digital” business should do.
Hitherto, what are euphemistically called “booter” services have been pretty obscure. But if anything deserves an as-a-service “-aaS” label (software as a service, SaaS; platform as a service, PaaS) created in its honour, it’s the 'DDoSaaS' or perhaps 'DoSaaS' industry: Denial-of-service-as-a-service.
We now know much more about the marketplace because its leading business, vDOS, was hacked this year, and security expert Brian Krebs has been joining the dots. Krebs has documented the DaaS business for some years, a thankless job resulting in regular attacks on Krebs' own website. The key business and technical architects also helpfully described it in an academic paper.
Two Israelis allegedly behind vDOS, both 18, were arrested after an FBI investigation. The site had been operating for four years. vDOS offered four retail tiers: from a $19.99 “bronze” plan to a $199/month “VIP plan”. Just as blogs and social media “democratised” the media, by making the tools of production and distribution cheap and readily available, so too did booter services.
To take a site you didn’t like offline you used to have to have a network of contacts and great technical expertise. But the booter services put a DDoS attack into anyone’s hands, and all it took was a quick retail transaction – as low as $20. Booter services were the Uber of DDoS. How’s that for disruption?
“To say that vDOS has been responsible for a majority of the DDoS attacks clogging up the Internet over the past few years would be an understatement. The various subscription packages to the service are sold based in part on how many seconds the denial-of-service attack will last,” Krebs noted, adding:
“And in just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.”
Like many “booter” services, vDOS had been hiding behind CloudFlare’s CDN. (The CloudFlare CDN acts as a cloaking service, and has been criticised for keeping pro-ISIS sites online. CloudFlare has also been under fire for doxing; a sample of CloudFlare’s clients can be found here.)
In a January post entitled Spreading the disease and selling the cure, Krebs observed: “The booter services are proliferating thanks mainly to free services offered by CloudFlare, a content distribution network that offers gratis DDoS protection for virtually all of the booter services currently online.”
As well as providing protection for the DoS [denial of service] industry, CloudFlare operates a DoS-protection service for clients worried about DoS attacks. Krebs added: “If CloudFlare adopted a policy of not enabling booter services, it could eliminate a huge conflict of interest for the company and – more importantly – help eradicate the booter industry.”
CloudFlare says it responds to individual law enforcement requests and will not proactively police its network for DDoS-ers.
What made vDOS particularly interesting was that it operated in both “retail” and “wholesale” markets. “PoodleStresser, as well as a large number of other booter services, appears to rely exclusively on firepower generated by vDOS,” Krebs notes.
This isn’t unusual in legitimate sectors. A food manufacturer may sell white label versions of its goods to supermarkets, and mobile networks have for years made better use of their capacity by wholesaling to MVNOs (mobile virtual network operators).
The vDOS pair maintained a network of PayPal accounts, but many of the participants are US-based.
Damon McCoy, cited at Krebs' blog, notes that vDOS blocked clients from disabling Israeli sites, most likely to avoid unwanted attention from authorities at home: “The main reason was they didn’t want to make trouble in their local jurisdiction in the hopes that no one in their country would be a victim and have standing to bring a case against them.”
The cover story offered by booter operations is that the software has a legitimate use: for sites to stress test their own web servers. In reality, the “democratization of DDoS” – with kits available on the dark web for a fiver – means that buying DDoS protection offered by CloudFlare is almost mandatory. ®