Booting the booter

DoS (denial of service) is an attack in which the perpetrator generates a large amount of traffic to overwhelm end users or a web service and prevent some or all legitimate requests from being fulfilled. ‘Booter’ or ‘stresser’ services provide DoS attacks as a service. Booter operators advertise their service, and individuals can set up accounts, order attacks, and pay through PayPal or transfers of cryptocurrency.

Operating a booter service or purchasing a DoS attack is illegal in most jurisdictions. Thus, a number of police actions have taken place in recent years to fight booter provision or usage.

In this paper, Brian Collier and his colleagues evaluated the effects of different interventions (high-profile court cases and sentencing of booter providers, arrests, takedowns of booter websites, and messaging campaigns targeted at users) on the number of attacks launched by booters, using two datasets. The first is a dataset of victims of UDP amplification attacks, a technique used by booters to amplify DoS attacks. The second is a dataset of self-reported DoS attack numbers (i.e. attacks claimed by the offender) collected from booter websites.

Even though the authors noted flaws in their datasets, their analysis provided an approximation of the levels of attacks and the effects that different interventions have on them. They noticed that the type of intervention is consistently related to the effect it produces and to the extent to which it produces three primary outcomes: dissuading providers (reducing supply), dissuading users (reducing demand), and producing structural changes to the market.

  • High-profile court cases: Media coverage of the prosecution or sentencing of booter providers appears to have no consistent effect on the number of attacks observed.
  • Taking down an individual booter: The takedown of Webstresser, the biggest booter at the time of its shutdown, had a deep but short-term effect on the market for booter services. A number of smaller booters disappeared, but they made little contribution to overall attack totals.
  • Wide-ranging interventions: Wide-ranging takedowns had a much longer-lasting effect. These takedowns affected the structure of the market, causing a number of booters to leave the market permanently. The authors also noticed the disappearance of user demand for services.
  • Targeted messaging campaigns: The campaign targeting potential booter users in the UK appears to be correlated with a striking change in UK attacks. This suggests that the campaign may have had the effect of dissuading new users from becoming involved.
  • Displacement and deterrence: While displacement to alternative booter providers can be observed when takedowns occur, it is often time-limited for smaller providers, as the influx of users can overwhelm them and cause their services to stop working effectively.

The authors concluded that there are three mechanisms underlying the effects seen in their data: 1) messaging campaigns appear to suppress user demand for services by undermining the widespread perception in the booter community that their activity is low-harm and essentially legal; 2) website takedowns appear to have a destabilising effect, dissuading booter providers and reducing the accessibility of these services; and 3) wide-ranging website takedowns appear to have a structural effect on the market for booter services, concentrating them around particular providers.

Cite: Collier, B., Clayton, R., Thomas, D. R. and Hutchings, A. (2019). Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks. IMC ’19 Proceedings of the Internet Measurement Conference, 50-64.