Understanding the Emerging Threat of DDoS-as-a-Service

A denial-of-service (DoS) attack refers to an explicit attempt by a malicious party to deny legitimate users of a service from accessing the service. A distributed denial-of-service (DDoS) attack has the exact same goal but multiple distributed resources are utilized for a more devastating effect.

While access to a large number of compromised hosts was traditionally required for launching successful DDoS attacks, the emergence of DDoS-As-a-Service in recent years have made DDoS infrastructure capable of generating over 800 MBit/s of traffic accessible to a wide range of malicious actors for a cost as low as $10/month.

In this paper, we investigate the phenomenon of low-cost DDoS-As-a-Service also known as Booter services. While we are aware of the existence of the underground economy of Booters, we do not have much insight into their internal operations, including the users of such services, the usage patterns, the attack infrastructure, and the victims. In this paper, we present a brief analysis on the operations of a Booter known as TwBooter based on a publicly-leaked dump of their operational database. This data includes the attack infrastructure used for mounting attacks, details on service subscribers, and the targets of attacks. Our analysis reveals that this service earned over $7,500 a month and was used to launch over 48,000 DDoS attacks against 11,000 distinct victims including government websites and news sites in less than two months of operation.