If it feels like you’ve been hearing about the scourge of DDoS for hire services for years, it’s because you have been. These shady services have been in the public consciousness since the Lizard Squad took down the Sony PlayStation Network and Microsoft Xbox Live during the 2014 holiday season in a massive ad for their stresser service.
Don’t be expecting these services to drop out of the headlines any time soon. What started out as bad has got exponentially worse. The current crop of DDoS for hire services are powered by massive botnets that are making their owners filthy rich while websites and users across the internet feel their wrath.
There is good news, however, and it’s that more and more of the headlines about DDoS for hire services are starting to include information on major arrests.
A bazooka by any other name
Distributed denial of service (DDoS) for hire services are otherwise known as stressers and booters, which are defined by DDoS mitigation provider Incapsula as services that sell access to botnets, which are networks of internet-connected devices that have been hijacked by malware that allow them to be controlled remotely.
By purchasing access to a botnet, anyone can aim a distributed denial of service attack at the website or online platform of their choosing. The malicious traffic generated by the devices in the botnet is used to knock the target website offline, or slow it down so much it’s rendered unusable. Consequences of a DDoS attack include monetary losses, software or hardware damage, and a loss of user trust.
The issue with the IoT
DDoS for hire services were bad enough when hacker groups like the Lizard Squad and New World Hacking were assembling botnets made up of under-secured computers, but now that the internet of things (IoT) with its 4-6 billion connected and largely unsecured devices like smart TVs and fitness trackers is ripe for the hijacking, botnets are getting downright unwieldy and producing stunning amounts of malicious traffic for distributed denial of service flood and amplification attacks.
The first quarter of 2016 saw 19 DDoS attacks that exceeded 100 Gbps, a stark increase from the five attacks of similar size that occurred in the fourth quarter of 2015. All 19 of the Q1 attacks were found to have originated from booters or stressers. As bad as this seemed at the time, a botnet producing 100 Gbps attacks seems almost quaint now.
The Mirai IoT botnet, which is estimated to be made up of between 150,000 and 400,000 infected devices, is speculated to be available for hire. It’s been reported that the record-setting DDoS attack on DNS provider Dyn in October – a whopping 1.2 Tbps attack – was the work of a single angry gamer who paid $7,500 for use of the Mirai botnet. The Dyn attack was responsible for knocking the Sony PlayStation Network, Netflix, Paypal, Twitter, CNN and 55+ other major websites and platforms offline.
Crime and punishment
The Atlantic reports that the cost of a successful distributed denial of service attack can exceed $100,000 per hour for the target. And that isn’t even quantifying the lingering user loyalty issues that accompany these attacks. With damage totals like that as well as a sharp uptick in attacks – a 129 per cent increase from Q2 2015 to Q2 2016, according to The Atlantic – it’s no wonder major law enforcement agencies like the FBI and Europol are trying to trace the creators of booters and stressers.
However, getting to the bottom of botnets is easier said than done. These for-hire services are difficult to trace, particularly if infected endpoints are being used to launch attacks. Yet while 2016 has been the year that’s ushered in the era of massive for-hire attacks, it’s also been a year of progress in taking down some of the major players.
Two hackers behind the vDos stresser were arrested In September after a hack revealed they had made $600,000 from their service in two years. One month later, the 19-year-old behind the Titanium Stresser pled guilty to one count of money laundering and two counts of the computer misuse act. This after he earned $385,000 with his stresser. Also in October, two members of the Lizard Squad and PoodleCorp were arrested, building on the arrests of six Lizard Squad ringleaders in 2015.
These arrests and convictions have worked to turn up the heat on hackers and their ilk. In light of law enforcement interest as well as the staggering Dyn attack, HackForums, the biggest hacking forum in the world, removed its DDoS-for-hire section in an act of self-preservation.
Though progress has been made, law enforcement agencies face an uphill battle when it comes to tracking down and locking up the owners of botnets, especially now that IoT botnets are littering the landscape. Organisations and website owners are much better off relying on professional distributed denial of service mitigation for protection. Though the headlines have recently swung ever so slightly in law enforcement’s favour, there’s still a long way to go.