Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service

Noroozian, Arman; Korczyński, Maciej; Gañán, Carlos; Makita, Daisuke; Yoshioka, Katsunari; Eeten, Michel van

doi:10.1007/978-3-319-45719-2_17

Cited by 38 publications

(43 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Krupp et al were able to attribute 26% of DNS and 13% of NTP attacks to specific booters which they had bought attacks from [40]. Noroozian et al found that over 48% of UDP reflection attacks and 62% of victims are on IP addresses in access networks [48], Sharma found that 89% of US, 98% of UK, 71% of FR, and 89% of DE victims were home users [57]. Sharma also found that over 50% of attacks were less than 5 minutes.…”

Section: Datasetsmentioning

confidence: 99%

“…Although DoS attacks can be directed anywhere and be for any purpose, prior studies have shown that most attacks are on end-users (assumed to be games players) and on gaming related websites [7,48]. Sharma showed that timezone determines when peak attacks occur [57] and we take the view that there will be a significant correlation between the country of the attacker and the country of the victim.…”

Section: Analysing By Countrymentioning

confidence: 99%

“…The other major strategy for measuring booter attacks is using UDP honeypots such as the hopscotch [61] or Amp-Pot [41]. Noroozian et al [48] used AmpPot and analysed the victims of DDoS finding that most were on access networks. In contrast Jonker et al [25] combined AmpPot data with UCSD's network telescope and found that most DoS attacks were on web servers.…”

Section: Analysis Of Booter Databases Began With Karami and Mc-mentioning

confidence: 99%

See 2 more Smart Citations

Booting the Booters

Collier

Thomas

Clayton

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

Illegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of intervention aimed at those using and offering booter services, including arrests and website takedown. In order to measure the impact of these interventions we look at the usage reports that booters themselves provide and at measurements of reflected UDP DoS attacks, leveraging a five year measurement dataset that has been statistically demonstrated to have very high coverage. We analysed time series data (using a negative binomial regression model) to show that several interventions have had a statistically significant impact on the number of attacks. We show that, while there is no consistent effect of highly-publicised court cases, takedowns of individual booters precede significant, but short-lived, reductions in recorded attack numbers. However, more wide-ranging disruptions have much longer effects. The closure of HackForums' booter market reduced attacks for 13 weeks globally (and for longer in particular countries) and the FBI's coordinated operation in December 2018, which involved both takedowns and arrests, reduced attacks by a third for at least 10 weeks and resulted in lasting change to the structure of the booter market. CCS CONCEPTS• Networks → Denial-of-service attacks; • Social and professional topics → Computer crime; • Security and privacy → Social aspects of security and privacy; • Mathematics of computing → Time series analysis.

show abstract

Section: Datasetsmentioning

confidence: 99%

Section: Analysing By Countrymentioning

confidence: 99%

Section: Analysis Of Booter Databases Began With Karami and Mc-mentioning

confidence: 99%

See 1 more Smart Citation

Booting the Booters

Collier

Thomas

Clayton

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…As the majority of them stem from booter services [19,20], they are usually shorter than 300 s [21]. After that, the network returns to regular traffic, and the attacker nodes stop adding new packets in the system.…”

Section: Simulation Detailsmentioning

confidence: 99%

Anomaly detection through information sharing under different topologies

Gallos

Korczyński

Fefferman

2017

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

Early detection of traffic anomalies in networks increases the probability of effective intervention/mitigation actions, thereby improving the stability of system function. Centralized methods of anomaly detection are subject to inherent constraints: (1) they create a communication burden on the system, (2) they impose a delay in detection while information is being gathered, and (3) they require some trust and/or sharing of traffic information patterns. On the other hand, truly parallel, distributed methods are fast and private but can observe only local information. These methods can easily fail to see the "big picture" as they focus on only one thread in a tapestry. A recently proposed algorithm, Distributed Intrusion/Anomaly Monitoring for Nonparametric Detection (DIAMoND), addressed these problems by using parallel surveillance that included dynamic detection thresholds. These thresholds were functions of nonparametric information shared among network neighbors. Here, we explore the influence of network topology and patterns in normal traffic flow on the performance of the DIAMoND algorithm. We contrast performance to a truly parallel, independent surveillance system. We show that incorporation of nonparametric data improves anomaly detection capabilities in most cases, without incurring the practical problems of fully parallel network surveillance.

show abstract

“…An extensive body of research on booters is available. These studies cover multiple lines of research including analyses of (1) the booters' leaked databases [10,21,23], (2) booter attacks [8,24,47,57], (3) victims of booters [38], (4) honeypots of servers commonly used for performing booter attacks [25,52], (5) the usage of these honeypots for attribution purposes [31], (6) TLS certificates used by booters [32], (7) booter blacklists and their origins [12,44,46,59], (8) the usage of these blacklists to understand the booter market [45], (9) ethical and legal aspects related to booters [16,18], and (10) the impact of law enforcement operations on booters from a commercial perspective [7,13]. Our contribution.…”

mentioning

confidence: 99%

DDoS Hide & Seek

Kopp¹,

Wichtlhuber²,

Poese³

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

Booter services continue to provide popular DDoS-as-a-service platforms and enable anyone irrespective of their technical ability, to execute DDoS attacks with devastating impact. Since booters are a serious threat to Internet operations and can cause significant financial and reputational damage, they also draw the attention of law enforcement agencies and related counter activities. In this paper, we investigate booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting 15 booter websites in December 2018 from the perspective of a major IXP and two ISPs. We study and compare attack properties of multiple booter services by launching Gbps-level attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters we scrutinize 5 months, worth of inter-domain traffic. We observe that the takedown only leads to a temporary reduction in attack traffic. Additionally, one booter was found to quickly continue operation by using a new domain for its website.

show abstract

Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service

Cited by 38 publications

References 16 publications

Booting the Booters

Booting the Booters

Anomaly detection through information sharing under different topologies

DDoS Hide & Seek

Contact Info

Product

Resources

About