Evidence based policing (of booters)

“Booters” (they usually call themselves “stressers” in a vain attempt to appear legitimate) are denial-of-service-for-hire websites where anyone can purchase small scale attacks that will take down a home Internet connection, a High School (perhaps there’s an upcoming maths test?) or a poorly defended business website. Prices vary but for around $20.00 you can purchase as many 10 minute attacks as you wish to send for the next month! In pretty much every jurisdiction, booters are illegal to run and illegal to use, and there have been a series of Law Enforcement take-downs over the years, notably in the US, UK, Israel and the Netherlands.

On Wednesday December 14th 2022, in by far the biggest operation to date, the FBI announced the arrest of six booter operators and the seizure of 49 (misreported as 48) booter domain names. Visiting those domains will now display a “WEBSITE SEIZED” splash page.

(Image: FBI website seizure splash page)

The seizures were “evidence based” in that the FBI specifically targeted the most active booters by taking advantage of one of the datasets collected by the Cambridge Cybercrime Centre, which uses self-reported data from booters.

The majority of booters (c 70%) report the number of users they have and the number of attacks performed — this is part of their marketing… if others are using the booter at scale, then this will help convince a new visitor that the booter is not a scam and so they will purchase.

On the Monday before the FBI seizure there were 108 operational booters — of various sizes. The “top 20” were the only booters reporting more than 1000 attacks per day (on average over the previous week). On the Wednesday, seventeen of these were shut down.

                          booter   boots/day 

 1 ( 1)              stresser.app     23166
 2 ( 7)         blackstresser.net     10809
 3 ( 3)           brrsecurity.org      6672
 4 ( 8)          zerostresser.com      5641
 5 ( 6)     nightmarestresser.com      5003
 6 ( 5)        dragonstresser.com      4919
 7 ( 9)           sunstresser.com      3422
 8 (19)             defconpro.net      3118
 9 (12)          xxxxxxxxxxxx.xxx      2886
10 (10)              stresser.top      2680
11 (14)          yyyyyyyyyyyy.yyy      2616
12 (11)               stresser.gg      2455
13 (15)               kraysec.com      2238
14 (20)      quantum-stresser.net      2207
15 (17)                mcstorm.io      1843
16 (13)            zdstresser.net      1789
17 (16)               bootyou.net      1734
18 (22)        dreams-stresser.io      1651
19 (18)          zzzzzzzzzzzz.zzz      1638
20 (21)               api-sky.xyz      1446

I am not naming #9 … but it wasn’t seized because it was a scam (several testing sessions failed to deliver any denial-of-service traffic at all). #11 is outside the FBI’s jurisdiction but local law enforcement is expected to act in the New Year, and #19 was not operational for several weeks and so it was never tested. The US judiciary would only hand down court orders for websites that had been determined to be working booters — taking money under false pretences is a matter for the Federal Trade Commission not the FBI. In fact #9 was far from alone in being tested and not working … people inclined to purchase booter services might reflect on the fact that unseized domains are where all the scams are to be found!

About half the booter websites have decided that it is a Good Idea to resurrect themselves with new domain names. They are perhaps under the impression that it will be another four years before the FBI repeats a takedown (the last big action was in December 2018), but this seems an unwise assumption to me. However, there is early evidence that publicity around the FBI’s action (assisted by advertising campaigns run by the British and Dutch police) has suppressed supply as well as demand.

The “top 10” chart for the booters reporting 1000+ attacks/day on Monday December 26th (12 days on from the FBI action) looks like this … I have given the exact Dec 12th figures except where these were unrepresentative of recent levels of activity. As can be seen almost all of the booters are doing far less business than before — an overall reduction of about 50%. The full list runs to 75 booters (down from 108 two weeks ago), but as I indicated above, perhaps half of these don’t actually work in practice.

                           booter   boots/day      Dec 12th

 1  NEW name for stresser.app          12949         23166
 2  NEW name for stresser.best          9066 usually 15000+
 3  NEW name for cyberstress.us         7659 usually 20000+
 4  NEW name for quantum-stresser.net   4470         2207
 5  NEW name for zerostresser.com       3927         5641
 6             zzzzzzzzzzzz.zzz         2814         1638
 7             xxxxxxxxxxxx.xxx         1850         2886
 8  NEW name for nightmarestresser.com  1766         5003
 9  NEW name for dreams-stresser.io     1694         1651
10             vvvvvvvvvvvv.vvv         1578 usually 1200
11             wwwwwwwwwwww.www         1329         1789
12  NEW name for mcstorm.io             1074         1843
13  NEW name for stresser.gg            1056         2455
14  NEW name for redstresser.cc         1049 usually 1000

Also, yyyyyyyyyyyy.yyy was running at around 5K attacks per day, but it had erased some logs and reset its counters so I don’t have an exact number.
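The ranking in the tables above is produced from the counters the booters display themselves: attacks per day is the average over the previous week and the cut-off is 1000/day. The following is an added illustration of that calculation, written for this page and not code from the Cambridge Cybercrime Centre; the snapshot values and the booter names are constructed placeholders. It also handles the two things that corrupt a naive delta between snapshots: a counter that goes backwards (logs erased or counters reset, as with yyyyyyyyyyyy.yyy above), which is treated as an unknown day rather than a negative one, and a single day with an implausibly large jump, which is flagged and left out of the average rather than allowed to drag a site into the top 10.

```python
"""Rank booters by self-reported attacks per day from daily counter snapshots.

Added example, not the Cambridge Cybercrime Centre's scraper or dataset.
Each booter is scraped once a day and the cumulative "attacks performed"
counter it displays is recorded; eight snapshots give seven daily deltas.
All values and names below are constructed for illustration.
"""
from statistics import mean, median

# Constructed sample: eight daily snapshots of each site's displayed counter.
SNAPSHOTS = {
    "alpha-stresser.example": [100000, 123200, 146000, 169500, 192900, 215800, 238800, 261700],
    "beta-stresser.example":  [5000, 5900, 7100, 8000, 9200, 10100, 11200, 12700],
    # counter jumps by ~500K on one day and then resumes its normal rate
    "gamma-stresser.example": [40000, 40600, 41300, 541900, 542500, 543200, 543800, 544500],
    # counter goes backwards on day 4: logs erased / counter reset
    "delta-stresser.example": [20000, 21500, 23100, 24800, 2000, 3600, 5100, 6800],
    "scam-stresser.example":  [900, 950, 1000, 1040, 1090, 1150, 1200, 1260],
}

RESET = None  # marks a day whose true count is unknown because the counter went backwards


def daily_deltas(counters):
    """Turn consecutive cumulative snapshots into per-day attack counts.

    A counter that decreases means the operator wiped logs or reset it; the
    new value is a count since the reset, not a count for that day, so the
    day is marked RESET instead of being given a negative (or wrong) value.
    """
    return [cur - prev if cur >= prev else RESET
            for prev, cur in zip(counters, counters[1:])]


def flag_padding(deltas, factor=10):
    """Split known deltas into (clean, padded_days).

    A day more than `factor` times the week's median is treated as padding
    of the displayed counter rather than real activity; the median is robust
    to the spike itself, so a single padded day cannot mask itself.
    """
    known = [d for d in deltas if d is not RESET]
    med = median(known) if known else 0
    clean, padded = [], []
    for day, d in enumerate(deltas):
        if d is RESET:
            continue
        if med > 0 and d > factor * med:
            padded.append(day)
        else:
            clean.append(d)
    return clean, padded


def boots_per_day(counters, factor=10):
    """Return (average attacks/day over the usable days, list of data-quality flags)."""
    deltas = daily_deltas(counters)
    clean, padded = flag_padding(deltas, factor)
    flags = []
    if RESET in deltas:
        flags.append("reset")
    if padded:
        flags.append("padded")
    rate = round(mean(clean)) if clean else 0
    return rate, flags


def rank_booters(snapshots, threshold=1000, factor=10):
    """Rank booters at or above `threshold` attacks/day, highest first."""
    rows = []
    for name, counters in snapshots.items():
        rate, flags = boots_per_day(counters, factor)
        if rate >= threshold:
            rows.append((name, rate, flags))
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    print(f"{'':3} {'booter':>28} {'boots/day':>10}  flags")
    for pos, (name, rate, flags) in enumerate(rank_booters(SNAPSHOTS), 1):
        print(f"{pos:2} {name:>28} {rate:10}  {' '.join(flags)}")
```

In the sample, gamma-stresser's 500K jump is flagged and its real rate (650/day) keeps it below the cut-off, and delta-stresser keeps its place in the ranking but carries a "reset" flag, which is the situation where the post can only say "around 5K" rather than give an exact figure. The factor of 10 is an assumption for the example; the post does not state what threshold the real analysis uses.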

When we studied the impact of the 2018 initiative in a 2019 IMC paper (Booting the Booters), we found that it took around six weeks for activity to return to previous levels. This time around Law Enforcement is being provided with extremely timely evidence of the impact of what they are doing. Since they are taking action based on evidence, I am reasonably confident that the booter marketplace is going to be disrupted for rather more than six weeks this time.

3 thoughts on “Evidence based policing (of booters)”

  1. Interesting that criminals are scamming other criminals, not the first article indicating this I have read recently. Honour among thieves appears to be a nice fiction.

  2. > The majority of booters (c 70%) report the number of users they have and the
    > number of attacks performed — this is part of their marketing… if others are
    > using the booter at scale, then this will help convince a new visitor that the
    > booter is not a scam and so they will purchase.”

    Why would a *self reported* figure from the booters convince anyone that they weren’t a scam? Surely a scammy booter would simply claim high figures?

  3. Scammy booters do indeed pad their numbers with an extra 500K attacks from time to time, but they don’t do it consistently so when we are assessing each week’s “top 10” the outlier is obvious. Of course they could be doing it consistently, but if so they have expert advice on how to make their numbers appear legitimate … because fancy statistical tests indicate that the numbers are naturally generated…

    … additionally, from time to time, attack databases and codebases are leaked (or seized by Law Enforcement) and the code we see is a straightforward SQL query to count entries and the databases are the size we expect.
