DDoS Hide &amp; Seek:On the effectiveness of a booter services takedown

Antonakakis M.; Beverly R.; Beverly R.; Brunt R.; Büscher A.; Cardoso de Santanna J.; Cardoso de Santanna J.; Chromik J.; Collier B.; Czyz J.; Hohlfeld O.; Jonker M.; Karami M.; Karami M.; Karami M.; Karami M.; Krämer L.; Kuhnert B.; Lichtblau F.; Richter P.; Santanna J.; Scheitle Q.; Zhang W.

DDoS Hide & Seek:On the effectiveness of a booter services takedown

Authors: Antonakakis M.
Beverly R.
Beverly R.
Brunt R.
Büscher A.
Cardoso de Santanna J.
Cardoso de Santanna J.
Chromik J.
Collier B.
Czyz J.
Hohlfeld O.
Jonker M.
Karami M.
Karami M.
Karami M.
Karami M.
Krämer L.
Kuhnert B.
Lichtblau F.
Richter P.
Santanna J.
Scheitle Q.
Zhang W.
Publication date: 1 January 2019
Publisher: Association for Computing Machinery
Doi

Abstract

Booter services continue to provide popular DDoS-as-a-service platforms and enable anyone irrespective of their technical ability, to execute DDoS attacks with devastating impact. Since booters are a serious threat to Internet operations and can cause significant financial and reputational damage, they also draw the attention of law enforcement agencies and related counter activities. In this paper, we investigate booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting 15 booter websites in December 2018 from the perspective of a major IXP and two ISPs. We study and compare attack properties of multiple booter services by launching Gbps-level attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters we scrutinize 5 months, worth of inter-domain traffic. We observe that the takedown only leads to a temporary reduction in attack traffic. Additionally, one booter was found to quickly continue operation by using a new domain for its website