/jjsantanna
j.j.santanna@utwente.nl
10/03/2015
The DDoS-as-a-Service Phenomenon
Civil Disobedience
20150311 bit module7_tbk_bit_lecture
1969
Soul Sacrifice [Santana] and The Star-Spangled Banner [Jimi Hendrix]
1979
Another brick in the wall [Pink Floyd]
2015
1969
1979
2015
If…
No more opponents!!
No more ONLINE exams!!
Economic Impact!!
More attention to your presentation!!!
Did you understand?
DDoS Attacks?
Amplification?
Reflection?
Front-end
C&C Attack Sources
DDoS Protection Companies
$$
Fingerprinting Booters: Understanding Who Is Behind Attacks
José Jair Santanna (University of Twente, j.j.santanna@utwente.nl), Anna Sperotto (University of Twente, a.sperotto@utwente.nl), Aiko Pras (University of Twente, a.pras@utwente.nl)
[Cropped excerpt of the methodology section shown on the slide:]
METHODOLOGY. The main goal of this investigation is to fingerprint Booters by analyzing systems used by them to perform [...] need at least two samples of a same type of attack in different moments. However, those two samples can be different in terms of days, hours, seconds, and so on. Therefore by considering a huge [...]er of combinations, we simplify our measure[...]al weeks. In the first week, [...]ents, which we [...]
Booters - An Analysis of DDoS-as-a-Service Attacks
José Jair Santanna*, Roland van Rijswijk-Deij*†, Rick Hofstede*, Anna Sperotto*, Mark Wierbosch*, Lisandro Zambenedetti Granville‡, Aiko Pras*
* University of Twente, The Netherlands: {j.j.santanna, r.m.vanrijswijk, r.j.hofstede, a.sperotto, a.pras}@utwente.nl, m.b.wierbosch@student.utwente.nl
† SURFnet bv, The Netherlands: roland.vanrijswijk@surfnet.nl
‡ Federal University of Rio Grande do Sul, Brazil: granville@inf.ufrgs.br
Abstract—In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from websites, known as Booters. These sites provide DDoS attacks as a paid service (DDoS-as-a-Service) at costs starting from 1 USD. Since this problem was identified by SURFnet, Booters have been used repeatedly [...]ks on schools in SURFnet's constituency. Very [...]out the characteristics of Booters, [...]structure. This is vital [...]his paper we [...]e about the characteristics of the attacks that they perform, which is essential knowledge for mitigating their attacks.
The goal of this paper is to create awareness around Booter attacks. In our study, we investigate the characteristics of Booter attacks in terms of the volume of generated traffic as well as the service and networking infrastructure used by Booters. Finally, based on our measurements, we discuss possible defense mechanisms and the relationship between Booters and DDoS protection services. We performed measurements to analyze the attacks generated by Booters on our own infrastructure. We investigated more than 250 GB of traffic. We intend to make all data acquired during our experiments available to interested researchers. [...] a vast amount of literature on DDoS [...]s [5], [6], [7], [8], [9], this [...] first to present [...]ers.
Inside Booters: An Analysis on Operational Databases
José Jair Santanna (University of Twente, j.j.santanna@utwente.nl), Romain Durban (INSA of Toulouse, romain.durban@gmail.com), Anna Sperotto (University of Twente, a.sperotto@utwente.nl), Aiko Pras (University of Twente, a.pras@utwente.nl)
Abstract—Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that websites selling attacks for prices starting from $1.00 are becoming popular. These websites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters [...]spects in terms of users, attacks and infrastructure. [...] investigate this phenomenon are all [...]ter and therefore provide [...]er we extend [...] limited to a same database (i.e., booter.tw). Therefore, aspects that vary between Booters cannot be observed and a general overview is missing. For example, Booters can use different infrastructure types to trigger attacks [9].
Our goal is to provide a comprehensive overview on the operational side of Booters. To do so, we analyze 15 MySQL databases of Booters, found on the Internet, in terms of users, attacks, and infrastructure used to trigger attacks. Our main contributions are (i) to reveal characteristics of Booter users responsible for ordering attacks, (ii) give awareness about the characteristics of attacks ordered by users, and (iii) to shed light on the infrastructure used by Booters to trigger DDoS attacks. We believe that an in-depth understanding of how [...]ered can help to carry on mitigation tasks. [...]r with advices, based on our [...]ated.
Booter websites characterization: Towards a list of threats
Justyna Joanna Chromik, José Jair Santanna, Anna Sperotto, and Aiko Pras
University of Twente, The Netherlands, Design and Analysis of Communication Systems (DACS)
j.j.chromik@student.utwente.nl, {j.j.santanna,a.sperotto,a.pras}@utwente.nl
Abstract. Distributed Denial of Service (DDoS) attacks mean millions in revenue losses to many industries, such as e-commerce and online financial services. [...] of reported DDoS attacks has increased by 47% compared to [...] for this increase is the availability and ease of ac[...] DoS attacks as a paid service, called [...]lable, current researches [...]k traffic or [...]
Characterizing and Mitigating The DDoS-as-a-Service Phenomenon
Jair Santanna and Anna Sperotto, Design and Analysis of Communication Systems (DACS), University of Twente, Enschede, The Netherlands, {j.j.santanna,a.sperotto}@utwente.nl
The Marketing of Booters
1. INTRODUCTION
Distributed Denial of Service (DDoS) is a type of network attack that aims to make a target system unreachable by overloading its network resources. To understand the damage of those attacks, consider when your Internet connection is down, especially when you most need it, or when the conference paper registration system is not reachable (on a deadline day), or even when an e-commerce company is not accessible (closer to the Christmas period). In other words, DDoS attacks cause millions in revenue losses, reputation [...] and customer attrition to companies. Although a [...] is usually needed to perform DDoS [...] to perform such attacks, [...]
2. BOOTER LIST
The first requirement to perform any research on Booters is to select which one(s) is/are intended to investigate. In general, existing research focuses its analysis on a few specific Booters. The reason for that is usually a punctual involvement of Booters on attacks [ref], the discovery of a hacked Booter's database [ref], or the absence of a comprehensive Booter list on which they can base their research. Inspired by the works performed in [?] and [?], we decided to collect the most extensive list of Booters. It is also our goal to keep such a list weekly updated, and make it available to all researchers that want to investigate this phenomenon. In this section we describe the steps to generate such a comprehensive Booter list; Figure 1 summarizes our workflow.
Booters under Protection
[Figure 1 (Booter list workflow), labels visible in the source: Literature, Automatically added, [Ad]dress match.]
Defending against Booters: Best practices and Advices
José Jair Santanna (University of Twente, j.j.santanna@utwente.nl), Anna Sperotto (University of Twente, a.sperotto@utwente.nl), Aiko Pras (University of Twente, a.pras@utwente.nl)
1. METHODOLOGY
The main goal of this investigation is to fingerprint Booters by analyzing systems used by them to perform [...] need at least two samples of a same type of attack in different moments. However, those two samples can be different in terms of days, hours, seconds, and so on. [...]
For less than USD 5 anyone can perform 7 Gbps attacks for 3 months.
They offer 11 different attack types.
Booters make almost USD 10k monthly.
They have all types of customers.
Booters against Booters! Potential for more than 400 Gbps.
DDoS Attack
The DDoS-as-a-Service Phenomenon
Less than 5 Dollars to attack everyone
[Figure: Traffic rate [Gbps] vs Time [s] (0–100 s), two panels: CharGen-based attacks (y-axis 0–7.5 Gbps) and DNS-based attacks (y-axis 0–2 Gbps).]
[Figure: amplification protocols listed: NTP, CharGen, SSDP, Quake P., Steam P., QOTD, BitTorrent, Kad, NetBIOS, SNMP, DNS; amplification factors highlighted: 556.9x, 358.8x, 108x.]
Booter | Type of Attack  | Avg Traffic Rate [Gbps] | N° Misused systems
B1     | DNS-based       | 0.7                     | 4486
B2     | DNS-based       | 0.25                    | 78
B3     | DNS-based       | 0.33                    | 54
B4     | DNS-based       | 1.19                    | 2970
B5     | DNS-based       | 0.006                   | 8281
B6     | DNS-based       | 0.15                    | 7379
B7     | DNS-based       | 0.32                    | 6075
B8     | CharGen-based   | 0.99                    | 281
B9     | CharGen-based   | 5.48                    | 3779
(Ratios highlighted on the slides, shown in successive reveals of this table: 29x and 9427x.)
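The table above reports, per Booter, the number of misused (reflector) systems and the average rate of the reflected traffic, and the earlier slides ask whether "Amplification" and "Reflection" were understood. The following Python program is an added example, not code from the lecture or from the papers it cites: it derives those two quantities from NetFlow-style records and adds the check a defender uses to tell reflected attack traffic from legitimate responses, namely that the victim never sent a request to the reflector. The flow records, IP addresses (TEST-NET ranges), thresholds and all function names are constructed assumptions.

```python
"""Reflection/amplification DDoS summary over NetFlow-style records.

Added example, not code from the lecture or the papers it cites. It rebuilds
the two quantities the lecture's booter table reports, the number of misused
(reflector) systems and the average traffic rate, from flow records, and adds
a defender-side check: a reflected response is "unsolicited" when the victim
never sent a request to that reflector. All records, addresses and thresholds
below are constructed/assumed.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the server-side port.
REFLECTOR_PORTS = {53: "DNS", 19: "CharGen", 123: "NTP", 1900: "SSDP",
                   161: "SNMP", 17: "QOTD", 137: "NetBIOS"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str    # "UDP" or "TCP"
    nbytes: int


@dataclass
class ServiceSummary:
    service: str
    reflectors: int      # distinct source addresses (the "misused systems")
    unsolicited: int     # reflectors the victim never queried
    total_bytes: int
    window_s: float

    @property
    def avg_rate_gbps(self) -> float:
        return self.total_bytes * 8 / self.window_s / 1e9


def summarize_reflection(flows, victim, window_s):
    """Summarise inbound UDP traffic to `victim` per reflection service.

    A response from reflector R on service port P counts as solicited only if
    the victim itself sent a request to (R, P) in the same window; spoofed
    reflection traffic never has such a request.
    """
    requested = {(f.dst, f.dport) for f in flows
                 if f.src == victim and f.proto == "UDP" and f.dport in REFLECTOR_PORTS}
    by_service = defaultdict(list)
    for f in flows:
        if f.dst == victim and f.proto == "UDP" and f.sport in REFLECTOR_PORTS:
            by_service[REFLECTOR_PORTS[f.sport]].append(f)
    summaries = {}
    for service, fl in by_service.items():
        reflectors = {f.src for f in fl}
        unsolicited = {f.src for f in fl if (f.src, f.sport) not in requested}
        summaries[service] = ServiceSummary(service, len(reflectors), len(unsolicited),
                                            sum(f.nbytes for f in fl), window_s)
    return summaries


def reflection_alerts(summaries, min_reflectors=50, min_rate_gbps=0.1):
    """Flag services with many unsolicited reflectors *and* a meaningful rate.
    The thresholds are assumptions; tune them to the monitored link."""
    return sorted(s.service for s in summaries.values()
                  if s.unsolicited >= min_reflectors and s.avg_rate_gbps >= min_rate_gbps)


def constructed_flows(victim="198.51.100.10"):
    """Constructed 10-second sample: one legitimate DNS exchange, a CharGen
    trickle from 3 hosts, and a DNS reflection attack from 120 reflectors."""
    flows = [Flow(victim, 40001, "192.0.2.53", 53, "UDP", 80),     # victim's own query
             Flow("192.0.2.53", 53, victim, 40001, "UDP", 200),     # its answer: solicited
             Flow("192.0.2.7", 443, victim, 51000, "TCP", 15000)]   # unrelated TCP, ignored
    for i in range(1, 4):                                           # 3 CharGen reflectors
        flows.append(Flow(f"192.0.2.{100 + i}", 19, victim, 9, "UDP", 1500))
    for i in range(1, 121):                                         # 120 DNS reflectors
        for _ in range(5):                                          # 5 large responses each
            flows.append(Flow(f"203.0.113.{i}", 53, victim, 53, "UDP", 250_000))
    return flows


if __name__ == "__main__":
    victim = "198.51.100.10"
    summ = summarize_reflection(constructed_flows(victim), victim, window_s=10.0)
    for s in summ.values():
        print(f"{s.service:8s} reflectors={s.reflectors:4d} unsolicited={s.unsolicited:4d} "
              f"avg_rate={s.avg_rate_gbps:.3f} Gbps")
    print("alerts:", reflection_alerts(summ))
```

On the constructed sample the DNS service shows 121 distinct sources but only 120 unsolicited ones (the victim's own resolver is excluded because the query to it was seen), at 0.12 Gbps over the 10 s window, so it is flagged; the three CharGen sources stay below the reflector threshold. Requiring both a reflector count and a rate keeps a single chatty server or a burst from one host from raising the alert.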
[Figure: Top 10 countries of misused systems, two panels labelled "CharGen-based attacks" and "DNS-based attacks" in that order. First panel: CN 1755, US 630, KR 275, RU 192, IN 105, TR 81, UA 76, FR 56, TH 55, DE (the source shows "530 1755", likely 53 followed by the 0–1755 colour scale). Second panel: US 5822, JP 1986, DE 1909, RU 1871, CN 825, NL 731, GB 716, CA 603, FR 561, TW 459; scale 0–5822.]
[Figure: Percentage (0–100) of misused systems per Booter (B1–B9) by region: Europe, North-America, Asia, Others.]
[Figure: Price [USD] (0–500) vs Package expiration time [month] (0–12, ∞).]
[Figure: Price [USD] (0–7.5) vs Attack duration [hour] (0–10, with an inset in minutes).]
[Figure: Number of Booters (0–25) per payment method: Paypal, Bitcoin, CreditCard, GoogleWallet, WebMoney, Skrill, Rsgp, PerfMoney, Payza, Litecoin, Cash, UMoneypak.]
[Figure: Attacks (k) (0–50) per Type of Attack: UDP, CHARGEN, DRDOS, LAG, NTP, SYN, TCPAMP, TCP, RUDY, SLOWLORIS, HTTPGET, HTTPHEAD, HTTPPOST, ARME; UDP-based (56%), TCP-based (29%), Application-layer (14%).]
[Figure: CDF (0–100%) of attack duration (axis ticks 0, 60, 180, 300; annotation 8333): 50%: 4min20s, 70%: 10min.]
[Figure: CDF (0–100%) of number of attacks (0–250): 38%: 1 attack, 51%: 2 attacks, 90%: 13 attacks.]
Flamingo
EU FP7
