The US Department of Justice seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms, services that let anyone launch distributed denial-of-service (DDoS) attacks for a fee. Booters are online platforms that let threat actors pay for DDoS attacks against websites and Internet-connected devices, essentially "booting" the target off the Internet. Stressers offer the same DDoS capability but claim to exist for legitimately testing the reliability of web services and servers.
Some of the websites claim to offer "stress testing" services for one's own infrastructure, but in practice they provide DDoS attacks against victim computers without authorization. According to an affidavit written by an FBI Special Agent from the Alaska field office, threat actors register an account and then pay for the service by depositing cryptocurrency.
Most stresser/booter websites require the subscriber to agree not to use the service to conduct attacks, yet the same websites are promoted on hacker forums and criminal marketplaces. The FBI says that in many cases the platforms' owners themselves promote deals and coupons on cybercrime sites, or use affiliates who earn commissions for promoting the service. The US Attorney’s Office for the Central District of California and the US Attorney’s Office for the District of Alaska have announced charges against six individuals for operating booter/stresser sites.
"These booter services allow anyone to launch cyberattacks that harm individual victims and compromise everyone's ability to access the internet," said United States Attorney Martin Estrada. "This week's sweeping law enforcement activity is a major step in our ongoing efforts to eradicate criminal conduct that threatens the internet's infrastructure and our ability to function in a digital world."
The suspects include a person from Texas, three from Florida, one from New York, and another from Hawaii, who allegedly operated various stresser/booter sites, including RoyalStresser[.]com, SecurityTeam[.]io, Astrostress[.]com, Booter[.]sx, Ipstressor[.]com, and TrueSecurityServices[.]io.
The FBI dubbed the extensive operation against DDoS platforms Operation PowerOFF, an international law enforcement effort that saw 48 stresser and booter platforms taken offline globally.
Once the domains have officially been seized and pointed at name servers controlled by law enforcement, they will display a seizure message warning that these services are illegal, as shown below. Thom Mrozek, the Media Relations Director for the US Attorney's Office for the Central District of California, told BleepingComputer that the FBI is still working with domain authorities to apply the seizure messages, but that the platforms are no longer functioning. The FBI is also working with the United Kingdom's National Crime Agency and the Netherlands Police to display ads in search engines when people search for booter services. For example, when searching for 'booter service' on Google, the search engine showed us an advertisement stating, "Looking for DDoS tools? Booting is illegal."
DDoS attacks are difficult to defend against because legitimate and attack packets are hard to tell apart. Typical DDoS attacks either saturate the target's network bandwidth (volumetric floods) or exhaust the resources of the application itself. Below are common methods of defending against DDoS attacks:
- Sinkholing: In this approach, all traffic destined for the target is diverted to a "sink hole" where it is discarded (when done by announcing a null route to the upstream provider, this is also called blackholing). The problem with this method is that good and bad traffic are dropped alike: the attacker's goal of taking the target offline is achieved, and the business loses real customers.
- Routers and firewalls: Routers can stop some attacks by filtering nonessential protocols and invalid source addresses (private or reserved ranges that should never arrive from the Internet), but when a botnet spoofs random source addresses, per-source filtering becomes worthless. Spoofing is only stopped reliably by ingress filtering at the network where the packets originate. Firewalls have the same difficulty with spoofed addresses, and a stateful firewall can itself become the bottleneck when a flood fills its connection table.
- Intrusion-detection systems: These solutions can use signatures or machine learning to recognize attack patterns and automatically push blocks to a firewall. They are not always fully automated, and their thresholds usually need tuning to avoid false positives such as blocking a legitimate surge in traffic.
- DDoS mitigation appliances: Various vendors make devices designed to scrub traffic through load balancing and firewall-style blocking. Organizations have had varying levels of success with such products: some legitimate traffic gets blocked, and some attack traffic still gets through.
- Over-provisioning: Some organizations keep spare bandwidth to absorb the sudden spike in traffic during a DDoS attack. This capacity is often bought from a service provider or scrubbing service that absorbs the attack on the organization's behalf. As attacks grow larger, this mitigation technique becomes more expensive and less viable.
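As an added illustration of the router/firewall and intrusion-detection items above (example code written for this page, not from the article or any vendor), the following Python triages a window of flow records. It first drops packets from bogon source addresses the way a border ACL would, which keeps working even when sources are spoofed, then applies a rate threshold per destination and emits per-source firewall rules only when the attacking source set is small enough for per-source blocking to mean anything; a flood from hundreds of sources is escalated to the upstream provider instead, since blocking spoofed addresses one by one is pointless. The flow records, the `pps_threshold` and `max_block_sources` knobs, and the `iptables` rule text are all assumptions constructed for the example, and the threshold is exactly the tuning the article says these systems need.

```python
"""Flow-log DDoS triage (constructed example, not the article's own code).

  1. Drop packets whose source is a bogon (reserved/private space that can
     never be a legitimate Internet source); effective even against spoofing.
  2. Per destination, compare packet rate to a threshold. Few sources at
     attack rate -> emit per-source drop rules. Many sources -> the flood is
     almost certainly spoofed (or a flash crowd, which this heuristic cannot
     distinguish), so hand off to the provider for scrubbing/blackholing.
"""
import ipaddress
from collections import Counter, defaultdict

# Subset of the standard bogon list. Assumption: the monitored link is an
# Internet border, so none of these may appear as a source address there.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src: str) -> bool:
    """True if src lies in reserved space that cannot be a real Internet source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGONS)


def filter_bogons(flows):
    """Split (src, dst, packets) records into (kept, dropped_packet_count)."""
    kept, dropped = [], 0
    for src, dst, packets in flows:
        if is_bogon(src):
            dropped += packets
        else:
            kept.append((src, dst, packets))
    return kept, dropped


def plan_mitigation(flows, window_s=10, pps_threshold=1000, max_block_sources=16):
    """Classify each destination seen in one window of (src, dst, packets) records.

    pps_threshold and max_block_sources are the tuning knobs (assumed values):
    too low a threshold blocks flash crowds, too high lets a slow flood through.
    """
    kept, dropped = filter_bogons(flows)
    total = Counter()                 # packets per destination
    per_src = defaultdict(Counter)    # packets per (destination, source)
    for src, dst, packets in kept:
        total[dst] += packets
        per_src[dst][src] += packets

    targets = {}
    for dst, packets in total.items():
        pps = packets / window_s
        sources = per_src[dst]
        if pps < pps_threshold:
            action, rules = "none", []
        elif len(sources) <= max_block_sources:
            # Few persistent sources: per-source drops are cheap and precise.
            action = "block_sources"
            rules = [f"iptables -I INPUT -s {src} -d {dst} -j DROP"
                     for src, _ in sources.most_common()]
        else:
            # Too many sources for per-source filtering to help (likely spoofed).
            action, rules = "escalate_upstream", []
        targets[dst] = {"pps": pps, "sources": len(sources),
                        "action": action, "rules": rules}
    return {"bogon_packets_dropped": dropped, "targets": targets}


def sample_flows():
    """Constructed 10-second window using documentation address ranges only:
    legitimate web traffic, a three-host flood, a 200-source spoofed flood,
    and a few bogon-sourced packets."""
    flows = [(f"198.51.100.{i}", "192.0.2.10", 20) for i in range(1, 6)]      # 10 pps, legit
    flows += [(f"203.0.113.{i}", "192.0.2.20", 50_000) for i in (7, 8, 9)]    # 15k pps, 3 sources
    flows += [(f"203.0.113.{i}", "192.0.2.30", 500) for i in range(10, 210)]  # 10k pps, 200 sources
    flows += [("10.1.2.3", "192.0.2.30", 4000), ("192.168.0.9", "192.0.2.30", 4000),
              ("127.0.0.1", "192.0.2.10", 10)]                                # bogon sources
    return flows


if __name__ == "__main__":
    result = plan_mitigation(sample_flows())
    print("bogon packets dropped:", result["bogon_packets_dropped"])
    for dst, info in result["targets"].items():
        print(f"{dst}: {info['pps']:.0f} pps from {info['sources']} sources -> {info['action']}")
        for rule in info["rules"]:
            print("   ", rule)
```

Run as-is, the legitimate target stays untouched, the three-host flood yields three drop rules, and the 200-source flood is escalated rather than producing 200 useless rules. The same window with `pps_threshold=5` would flag the legitimate 10 pps site too, which is the false-positive problem the article warns about.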