Evidence based policing (of booters)

“Booters” (they usually call themselves “stressers” in a vain attempt to appear legitimate) are denial-of-service-for-hire websites where anyone can purchase small scale attacks that will take down a home Internet connection, a High School (perhaps there’s an upcoming maths test?) or a poorly defended business website. Prices vary but for around $20.00 you can purchase as many 10 minute attacks as you wish to send for the next month! In pretty much every jurisdiction, booters are illegal to run and illegal to use, and there have been a series of Law Enforcement take-downs over the years, notably in the US, UK, Israel and the Netherlands.

On Wednesday December 14th, in by far the biggest operation to date, the FBI announced the arrest of six booter operators and the seizure of 49 (misreported as 48) booter domain names. Visiting those domains will now display a “WEBSITE SEIZED” splash page.

FBI website seizure splash page

The seizures were “evidence based” in that the FBI specifically targeted the most active booters by taking advantage of one of the datasets collected by the Cambridge Cybercrime Centre, which uses self-reported data from booters.

The majority of booters (c 70%) report the number of users they have and the number of attacks performed — this is part of their marketing… if others are using the booter at scale, then this will help convince a new visitor that the booter is not a scam and so they will purchase.

On the Monday before the FBI seizure there were 108 operational booters — of various sizes. The “top 20” were the only booters reporting more than 1000 attacks per day (on average over the previous week). On the Wednesday, seventeen of these were shut down.

                          booter   boots/day 

 1 ( 1)              stresser.app     23166
 2 ( 7)         blackstresser.net     10809
 3 ( 3)           brrsecurity.org      6672
 4 ( 8)          zerostresser.com      5641
 5 ( 6)     nightmarestresser.com      5003
 6 ( 5)        dragonstresser.com      4919
 7 ( 9)           sunstresser.com      3422
 8 (19)             defconpro.net      3118
 9 (12)          xxxxxxxxxxxx.xxx      2886
10 (10)              stresser.top      2680
11 (14)          yyyyyyyyyyyy.yyy      2616
12 (11)               stresser.gg      2455
13 (15)               kraysec.com      2238
14 (20)      quantum-stresser.net      2207
15 (17)                mcstorm.io      1843
16 (13)            zdstresser.net      1789
17 (16)               bootyou.net      1734
18 (22)        dreams-stresser.io      1651
19 (18)          zzzzzzzzzzzz.zzz      1638
20 (21)               api-sky.xyz      1446

I am not naming #9 … but it wasn’t seized because it was a scam (several testing sessions failed to deliver any denial-of-service traffic at all). #11 is outside the FBI’s jurisdiction but local law enforcement is expected to act in the New Year, and #19 was not operational for several weeks and so it was never tested. The US judiciary would only hand down court orders for websites that had been determined to be working booters — taking money under false pretences is a matter for the Federal Trade Commission not the FBI. In fact #9 was far from alone in being tested and not working … people inclined to purchase booter services might reflect on the fact that unseized domains are where all the scams are to be found!

About half the booter websites have decided that it is a Good Idea to resurrect themselves with new domain names. They are perhaps under the impression that it will be another four years before the FBI repeats a takedown (the last big action was in December 2018), but this seems an unwise assumption to me. However, there is early evidence that publicity around the FBI’s action (assisted by advertising campaigns run by the British and Dutch police) has suppressed supply as well as demand.

The “top 10” chart for the booters reporting 1000+ attacks/day on Monday 26th (12 days on from the FBI action) looks like this … I have given the exact Dec 12th figures except where that figure was unrepresentative of recent levels of activity. As can be seen, almost all of the booters are doing far less business than before — an overall reduction of about 50%. The full list runs to 75 booters (down from 108 two weeks ago), but as I indicated above, perhaps half of these don’t actually work in practice.

                           booter   boots/day      Dec 12th

 1  NEW name for stresser.app          12949         23166
 2  NEW name for stresser.best          9066 usually 15000+
 3  NEW name for cyberstress.us         7659 usually 20000+
 4  NEW name for quantum-stresser.net   4470         2207
 5  NEW name for zerostresser.com       3927         5641
 6             zzzzzzzzzzzz.zzz         2814         1638
 7             xxxxxxxxxxxx.xxx         1850         2886
 8  NEW name for nightmarestresser.com  1766         5003
 9  NEW name for dreams-stresser.io     1694         1651
10             vvvvvvvvvvvv.vvv         1578 usually 1200
11             wwwwwwwwwwww.www         1329         1789
12  NEW name for mcstorm.io             1074         1843
13  NEW name for stresser.gg            1056         2455
14  NEW name for redstresser.cc         1049 usually 1000

Also, yyyyyyyyyyyy.yyy was running at around 5K attacks per day, but had erased some logs and reset the counters so I don't have an exact number.

When we studied the impact of the 2018 initiative in a 2019 IMC paper (Booting the Booters), we found that it took around six weeks for activity to return to previous levels. This time around Law Enforcement is being provided with extremely timely evidence of the impact of what they are doing. Since they are taking action based on evidence, I am reasonably confident that the booter marketplace is going to be disrupted for rather more than six weeks this time.

4 thoughts on “Evidence based policing (of booters)”

  1. Interesting that criminals are scamming other criminals, not the first article indicating this I have read recently. Honour among thieves appears to be a nice fiction.

  2. > The majority of booters (c 70%) report the number of users they have and the
    > number of attacks performed — this is part of their marketing… if others are
    > using the booter at scale, then this will help convince a new visitor that the
    > booter is not a scam and so they will purchase.

    Why would a *self reported* figure from the booters convince anyone that they weren’t a scam? Surely a scammy booter would simply claim high figures?

  3. Scammy booters do indeed pad their numbers with an extra 500K attacks from time to time, but they don’t do it consistently so when we are assessing each week’s “top 10” the outlier is obvious. Of course they could be doing it consistently, but if so they have expert advice on how to make their numbers appear legitimate … because fancy statistical tests indicate that the numbers are naturally generated…

    … additionally, from time to time, attack databases and codebases are leaked (or seized by Law Enforcement) and the code we see is a straightforward SQL query to count entries and the databases are the size we expect.
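To illustrate the measurement behind the “boots/day” tables in the post and the outlier point in the reply above, here is an added example (not the Cambridge Cybercrime Centre’s pipeline) that turns self-reported cumulative attack counters into a weekly ranking, dropping the day a counter was reset and flagging a one-off padded jump; the site names and readings are constructed.

```python
from statistics import median

# Constructed sample: eight daily cumulative attack-counter readings per
# fictitious site (.test domains), not real booter data.
SAMPLE = {
    "example-a.test": [100000, 123000, 146500, 169000, 192500, 215000, 238000, 261500],
    "example-b.test": [50000, 52500, 55100, 57500, 1200, 3700, 6200, 8800],  # counter reset
    "example-c.test": [9000, 10500, 12100, 513600, 515100, 516700, 518200, 519700],  # +500K pad
    "example-d.test": [700, 1300, 1950, 2500, 3100, 3800, 4400, 5000],  # under 1000/day
}

def daily_increments(readings):
    """Attacks per day from consecutive cumulative readings. A drop means
    the counter was reset (logs erased); that day is unknown and dropped."""
    return [cur - prev for prev, cur in zip(readings, readings[1:]) if cur >= prev]

def padded_days(increments, factor=20):
    """Indices of one-off jumps more than `factor` x the median day: padding
    that is not applied consistently stands out against the site's own baseline."""
    if not increments:
        return []
    med = median(increments)
    return [i for i, inc in enumerate(increments) if med > 0 and inc > factor * med]

def boots_per_day(increments):
    """Mean daily attacks over the window, excluding flagged padded days."""
    skip = set(padded_days(increments))
    keep = [inc for i, inc in enumerate(increments) if i not in skip]
    return round(sum(keep) / len(keep)) if keep else 0

def rank_booters(data, threshold=1000):
    """(site, boots/day, padded?) for sites above `threshold`, busiest first."""
    rows = []
    for site, readings in data.items():
        inc = daily_increments(readings)
        rate = boots_per_day(inc)
        if rate > threshold:
            rows.append((site, rate, bool(padded_days(inc))))
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for site, rate, padded in rank_booters(SAMPLE):
        print(f"{site:18} {rate:6d}{'  (padded counter)' if padded else ''}")
```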

  4. I started looking into this after our site got DDoSed a while ago. I suspect it may have been through the new incarnation of the #1 stresser site on your list, but not certain. Anyway, what I find interesting (and is unmentioned in your article) is the fact that Cloudflare features prominently at all levels in this debacle.

    First of all, both the old and new version of the #1 stresser site are hosted through Cloudflare. The new incarnation was registered 5 days after the FBI takedown, so really not much downtime. Presumably being hosted through Cloudflare makes it very easy for the FBI to shut them down, but other than a temporary blip it doesn’t seem to really affect them much because the takedowns only seem to occur every few years. I’m guessing the owners of this site are outside US jurisdiction and weren’t actually arrested. So what exactly is the FBI achieving by leaving the new site up and running for so long? As someone affected by an attack, it looks like not very much.

    The second link to Cloudflare is that the new stresser site openly advertises on their Telegram channel that they can DDoS Cloudflare protected sites, and there is a screenshot of an attacked site showing the Cloudflare screen that the backend server isn’t responding.

    The third interesting (and perhaps ironic) fact is that these HTTP DDoS attacks actually use Cloudflare services during the attack (presumably their free WARP VPN), and typically close to 100% of DDoS HTTP requests come from Cloudflare IPs. Perhaps that hides their botnets, letting them use the bots for longer before being blocked.

    Analyzing our logs, it looks like there are a smaller number of requests from various (non-Cloudflare) ISPs in Brazil. Presumably these are the bots themselves (or a subset of them), not using Cloudflare WARP. I’m guessing they do this so they can check the state of the attacked host.

    Checking the Barracuda reputations, the Cloudflare DDoS IPs all have normal reputation, but about 25% of the Brazil (botnet?) IPs have poor reputation, so clearly using Cloudflare WARP has a big advantage in terms of longevity, although it does make it much easier to mitigate the attack (unless, perhaps, your site is hosted through Cloudflare and you haven’t paid through the nose for their super duper WAF).

    The final interesting fact is that Cloudflare has no way of reporting abuse originating from their network, and all attempts to report any abuse (by phone or email or their webform) are met with frustration.

    Anyway, I’m not really sure what exactly to make of all this. Perhaps the lesson is to make sure your website is properly protected, and Cloudflare probably isn’t the best option to use for that unless you want to give them lots of money to protect against DDoS attacks that they are helping to facilitate.
