For years, systems administrators have had to deal with “denial of service” (DoS) attacks, which effectively knock a computer off the Internet by flooding it with traffic. Recently, launching DoS attacks has gotten easier than ever. How easy? Anyone can sign up for a DoS “service” for just $10 per month.
At the recent USENIX Security conference, Mohammad Karami and Damon McCoy of George Mason University took a close look at one of these “DoS for hire” services, known as “booters.” Karami and McCoy obtained the internal records of one such service, called TwBooter, which documented its operations in detail.
“It’s incredibly simple,” McCoy says. “You pay via PayPal. Some of these services are as cheap as $10 per month.”
Specifically, $10 buys a month of service that lets a customer overwhelm any target on the Internet with traffic in one-minute bursts, as many of them as the customer likes. Upgrading to the $69 plan lets customers order traffic floods that last for an hour instead.
Why would people want that? McCoy says the service has become popular with unscrupulous gamers: “You knock off your competition to win a video game.”
Booter services have other nefarious uses too. “These services can knock off a medium-sized Web site,” McCoy says. The technology site Ars Technica, the blog of security researcher Brian Krebs, the Los Angeles Police Department’s Web site, and government Web sites in India have all been targeted by TwBooter customers, according to the records McCoy examined.
TwBooter and its competitors officially market themselves as “stress testing” services, giving them a “thin veneer of legitimacy.” But, McCoy says, “then you go on the underground forums, and some of these companies have names like DOSome. On the underground, they market themselves as denial of service tools.”
And the tools are “incredibly simple to use,” according to McCoy. “You give it an IP address or a domain name. If you want to attack a particular person, you can give a Skype address to attack.” The service resolves that handle to the user’s current IP address and keeps tracking it, so the customer never has to find the address themselves.
The services use a variety of tricks to drive large quantities of traffic toward their targets. In one attack, known as DNS amplification, the service sends a flood of small requests to DNS servers that will answer anyone (open resolvers), with the source address of each request forged to be the target’s. Each response is many times larger than the request that triggered it, and because the return address was forged, the server sends the response to the target rather than to the machine that actually asked.
As a result, the target receives many times the volume of traffic the attacker’s own machines had to send. McCoy says this attack can generate about 800 Mbps of traffic, almost 100 times the capacity of a typical residential broadband connection.
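To make that size ratio concrete, here is an added example (not part of the original story or of the researchers’ work) that builds, in memory, the small DNS query an attacker would send with a forged source address and a constructed response of the kind an open resolver returns for an ANY query against a zone padded with large TXT records. The domain name, record contents and sizes are made up for illustration, and nothing is sent on the network. Real resolvers cap UDP answers at 512 bytes unless the query carries an EDNS0 OPT record advertising a larger buffer, which is why the query includes one.

```python
"""DNS amplification, worked on the wire.

Added example: builds the tiny query an attacker spoofs (the IP source
address, forged to the victim, lives in the IP header and is outside this
code) and a constructed, oversized response of the kind an open resolver
would return, then reports the size ratio. Names, record contents and
sizes are constructed for illustration; no packets are sent.
"""
import struct

DNS_TYPE_ANY = 255
DNS_TYPE_TXT = 16
DNS_TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname in DNS label format: length-prefixed labels, zero terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=DNS_TYPE_ANY, txid=0x1234, edns_bufsize=4096):
    """Build a single DNS query carrying an EDNS0 OPT record.

    The OPT record advertises a large UDP payload size so the resolver answers
    over UDP instead of truncating at 512 bytes; that is what lets one spoofed
    request elicit a multi-kilobyte response.
    """
    # Header: ID, flags 0x0100 (standard query, recursion desired), QDCOUNT=1,
    # ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT pseudo-record).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0.
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def build_txt_response(query, txt_strings, ttl=300):
    """Construct the response an open resolver might return to `query`.

    Copies the transaction ID and question, sets the response flags, and
    appends one TXT RR per string. Each RR names its owner with a compression
    pointer (0xC00C) back to the question name, as real servers do.
    """
    txid = struct.unpack("!H", query[:2])[0]
    # The question section runs from byte 12 to the end of QNAME plus QTYPE and QCLASS.
    qend = query.index(b"\x00", 12) + 1 + 4
    question = query[12:qend]
    answers = b""
    for s in txt_strings:
        data = s.encode("ascii")
        if len(data) > 255:
            raise ValueError("a single TXT character-string is at most 255 bytes")
        rdata = bytes([len(data)]) + data
        answers += struct.pack("!HHHIH", 0xC00C, DNS_TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    # Flags 0x8180: response, recursion desired and available, no error.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 1)
    opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, 0, 0)
    return header + question + answers + opt


def answer_count(packet):
    """Return ANCOUNT from a DNS header: the number of RRs in the answer section."""
    return struct.unpack("!H", packet[6:8])[0]


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker had to send (DNS payload only)."""
    return len(response) / len(query)


# Constructed sample: a zone padded with eight 255-byte TXT records, the kind of
# oversized record set that makes ANY queries attractive to booters.
SAMPLE_QUERY = build_query("example.com", DNS_TYPE_ANY)
SAMPLE_RESPONSE = build_txt_response(SAMPLE_QUERY, ["x" * 255] * 8)

if __name__ == "__main__":
    q, r = len(SAMPLE_QUERY), len(SAMPLE_RESPONSE)
    print(f"query {q} bytes -> response {r} bytes, {answer_count(SAMPLE_RESPONSE)} answers")
    print(f"amplification factor: {amplification_factor(SAMPLE_QUERY, SAMPLE_RESPONSE):.1f}x")
```

Run as written, the 40-byte query draws a 2,184-byte response, a factor of about 55 before IP and UDP headers are counted. The defensive reading of the numbers: on the resolver side, refuse recursion to networks you do not serve and rate-limit responses; on the victim side, the detection signal is a flood of DNS responses from many resolvers for which no matching query ever left the network.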
“I’m pretty amazed that these services continue to operate,” McCoy says. TwBooter appears to run on half a dozen servers at a hosting provider in the Netherlands. Other booters appear to run on servers their operators had previously hacked into.
McCoy, who isn’t a lawyer, says he doesn’t know whether such attacks are illegal. But an activity doesn’t need to be illegal for Internet service providers to disconnect bad actors from their networks, he says.
“I think there should be more active tracing and attribution of these attacks,” he says. “The services can run for months if not years without being disrupted by law enforcement or their hosting facility.”
TwBooter itself is still online. We contacted the site for comment but haven’t received a response. We’ll update the story if they get back to us.