“Booters” (they usually call themselves “stressers” in a vain attempt to appear legitimate) are denial-of-service-for-hire websites where anyone can purchase small-scale attacks that will take down a home Internet connection, a High School (perhaps there’s an upcoming maths test?) or a poorly defended business website. Prices vary but for around $20.00 you can purchase as many 10-minute attacks as you wish to send for the next month! In pretty much every jurisdiction, booters are illegal to run and illegal to use, and there have been a series of Law Enforcement take-downs over the years, notably in the US, UK, Israel and the Netherlands.
On Wednesday December 14th, in by far the biggest operation to date, the FBI announced the arrest of six booter operators and the seizure of 49 (misreported as 48) booter domain names. Visiting those domains will now display a “WEBSITE SEIZED” splash page.
The seizures were “evidence based” in that the FBI specifically targeted the most active booters by taking advantage of one of the datasets collected by the Cambridge Cybercrime Centre, which uses self-reported data from booters.
The majority of booters (c. 70%) report the number of users they have and the number of attacks performed — this is part of their marketing… if others are using the booter at scale, then this will help convince a new visitor that the booter is not a scam and so they will purchase.
On the Monday before the FBI seizure there were 108 operational booters — of various sizes. The “top 20” were the only booters reporting more than 1000 attacks per day (on average over the previous week). On the Wednesday, seventeen of these were shut down.
         booter                  boots/day
 1 ( 1)  stresser.app                23166
 2 ( 7)  blackstresser.net           10809
 3 ( 3)  brrsecurity.org              6672
 4 ( 8)  zerostresser.com             5641
 5 ( 6)  nightmarestresser.com        5003
 6 ( 5)  dragonstresser.com           4919
 7 ( 9)  sunstresser.com              3422
 8 (19)  defconpro.net                3118
 9 (12)  xxxxxxxxxxxx.xxx             2886
10 (10)  stresser.top                 2680
11 (14)  yyyyyyyyyyyy.yyy             2616
12 (11)  stresser.gg                  2455
13 (15)  kraysec.com                  2238
14 (20)  quantum-stresser.net         2207
15 (17)  mcstorm.io                   1843
16 (13)  zdstresser.net               1789
17 (16)  bootyou.net                  1734
18 (22)  dreams-stresser.io           1651
19 (18)  zzzzzzzzzzzz.zzz             1638
20 (21)  api-sky.xyz                  1446
I am not naming #9 … but it wasn’t seized because it was a scam (several testing sessions failed to deliver any denial-of-service traffic at all). #11 is outside the FBI’s jurisdiction but local law enforcement is expected to act in the New Year, and #19 was not operational for several weeks and so it was never tested. The US judiciary would only hand down court orders for websites that had been determined to be working booters — taking money under false pretences is a matter for the Federal Trade Commission not the FBI. In fact #9 was far from alone in being tested and not working … people inclined to purchase booter services might reflect on the fact that unseized domains are where all the scams are to be found!
About half the booter websites have decided that it is a Good Idea to resurrect themselves with new domain names. They are perhaps under the impression that it will be another four years before the FBI repeats a takedown (the last big action was in December 2018), but this does seem an unwise assumption to me. However, there is early evidence that publicity around the FBI’s action (assisted by advertising campaigns run by the British and Dutch police) has suppressed supply as well as demand.
The “top 10” chart for the booters reporting 1000+ attacks/day on Monday 26th (12 days on from the FBI action) looks like this … I have given the exact Dec 12th figures except when this was unrepresentative of recent levels of activity. As can be seen, almost all of the booters are doing far less business than before — an overall reduction of about 50%. The full list runs to 75 booters (down from 108 two weeks ago), but as I indicated above, perhaps half of these don’t actually work in practice.
    booter                                   boots/day   Dec 12th
 1  NEW name for stresser.app                    12949   23166
 2  NEW name for stresser.best                    9066   usually 15000+
 3  NEW name for cyberstress.us                   7659   usually 20000+
 4  NEW name for quantum-stresser.net             4470   2207
 5  NEW name for zerostresser.com                 3927   5641
 6  zzzzzzzzzzzz.zzz                              2814   1638
 7  xxxxxxxxxxxx.xxx                              1850   2886
 8  NEW name for nightmarestresser.com            1766   5003
 9  NEW name for dreams-stresser.io               1694   1651
10  vvvvvvvvvvvv.vvv                              1578   usually 1200
11  wwwwwwwwwwww.www                              1329   1789
12  NEW name for mcstorm.io                       1074   1843
13  NEW name for stresser.gg                      1056   2455
14  NEW name for redstresser.cc                   1049   usually 1000

Also, yyyyyyyyyyyy.yyy was running at around 5K attacks per day, but had erased some logs and reset the counters so I don't have an exact number.
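The boots/day figures above are weekly averages built from counters the booters publish about themselves. As an added example (not the Cambridge Cybercrime Centre's code), this sketch turns daily readings of a self-reported cumulative attack counter into a boots/day average and refuses to call the result exact when the counter has been reset, as with yyyyyyyyyyyy.yyy. The snapshot values, the `.example` site names and the function names are assumptions constructed for illustration.

```python
from statistics import mean

# Constructed sample data: one reading per day of each site's self-reported
# cumulative "attacks launched" counter (assumed format, not real figures).
SNAPSHOTS = {
    "booter-a.example": [100000, 112500, 124000, 137000, 149500, 161000, 173500, 186000],
    "booter-b.example": [40000, 45200, 50100, 900, 5800, 10900, 15700, 20800],  # reset on day 3
    "booter-c.example": [7000, 7300, 7650, 7900, 8200, 8550, 8800, 9100],
}

THRESHOLD = 1000  # attacks/day cut-off used for the "top" lists in the post


def daily_rate(counter_readings, window=7):
    """Return (average attacks/day, exact) over the last `window` days.

    A cumulative counter should never fall; a negative day-to-day delta means
    the operator reset it (or erased logs), so that day's true count is
    unknown. Those days are excluded and the result is flagged as inexact.
    """
    recent = counter_readings[-(window + 1):]
    deltas = [b - a for a, b in zip(recent, recent[1:])]
    usable = [d for d in deltas if d >= 0]
    if not usable:
        return None, False
    return round(mean(usable)), len(usable) == len(deltas)


def rank(snapshots, threshold=THRESHOLD):
    """Rank sites at or above `threshold` attacks/day, busiest first."""
    rows = []
    for site, readings in snapshots.items():
        rate, exact = daily_rate(readings)
        if rate is not None and rate >= threshold:
            rows.append((site, rate, exact))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for pos, (site, rate, exact) in enumerate(rank(SNAPSHOTS), 1):
        note = "" if exact else "  (counter reset, approximate)"
        print(f"{pos:2} {site:20} {rate:6}{note}")
```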
When we studied the impact of the 2018 initiative in a 2019 IMC paper (Booting the Booters), we found that it took around six weeks for activity to return to previous levels. This time around Law Enforcement is being provided with extremely timely evidence of the impact of what they are doing. Since they are taking action based on evidence, I am reasonably confident that the booter marketplace is going to be disrupted for rather more than six weeks this time.