How Do Booters Work? Inside a DDoS for Hire Attack
A security researcher speaking at the Black Hat conference last week has exposed the malicious underworld of Booter services that offers paying customers distributed denial of service (DDoS) attack capabilities on demand.
Lance James, chief scientist at Vigilant, explained to eWEEK that he got pulled into an investigation into the world of Booter services by his friend, security blogger Brian Krebs. Krebs had been the victim of a Booter service attack and was looking for some answers.
"Basically a Booter is a Web-based service that does DDoS for hire at very low prices and is very hard to take down," James said. "They are marketed toward script kiddies, and many DDoS attacks that have been in the news have been done via these services."
James was able to identify the suspected Booter site via Website log files and began to trace the activity of the individual who specifically attacked Krebs. Further investigation revealed that the same individual was also attacking other sites, including whitehouse.gov and the Ars Technica Website.
After James was able to identify the Booter service and directly connect it to the attacks against Krebs, the two were able to help shut down the Booter service itself.
James said the data was handed off to law enforcement, and the specific Booter service that initially attacked Krebs was shut down within a short period of time. The timing challenge in taking down the Booter service has to do with the fact that the Internet service provider (ISP) that the service looks like it is being hosted from is not where the Booter service actually is located.
"There is a service in the middle that protects the Booter sites with turnkey Web security routing," James explained. "In that case, they operate similar to the legal confines of Facebook and Twitter, and they require subpoenas and warrants to shut it all down."
How Booter Services Work
The challenge in locating the root source of the Booter service is also to due to the operational complexity of how the Booter works.
Booter services typically have a Web front end, where the end user who wants to target a given site is provided with an interface. James explained that the Web front end is just the control panel, while the underlying back end with the hosts that execute the DDoS attack is located elsewhere.
"So to the underlying ISP that is involved, it doesn't look like anything that is malicious," James said. "There is no DDoS traffic coming directly from the ISP."
The DDoS traffic comes from a separate infrastructure that includes data servers all over the world that the Booter services connect to via proxies.
"So when you actually request a Booter service takedown, it's very difficult because the ISP on which the site is hosted has plausible deniability," James said. "They can say, 'We haven't seen them do anything illegal from our site,' so you really need to prove that."
Follow the Money
One of the ways that James was able to help track down the individual behind the Booter service was via the PayPal email address the person was using to get paid for his services. James' investigation ended up looking at over 40 Booter services, and all of them used PayPal as their payment mechanism.
"A lot of the times to disrupt something, the economic structure has to be disrupted," James said. "If you look at the motivation—and the motivation is money—you need to disrupt what they are seeking."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.