
Understanding and Undermining the Business of DDoS Booter Services

Posted on: 2017-07-15
Degree: Ph.D
Type: Dissertation
University: George Mason University
Candidate: Karami, Mohammad
Full Text: PDF
GTID: 1458390008957304
Subject: Information Technology
Abstract/Summary:
Distributed Denial of Service (DDoS) attacks are becoming a commoditized service operated by profit-motivated adversaries. While control over a large number of compromised hosts was traditionally required for an adversary to launch successful DDoS attacks, the emergence of the DDoS-as-a-service phenomenon in recent years has made DDoS infrastructure conveniently accessible to a wide range of malicious actors for minimal cost. This in turn has contributed to the proliferation of DDoS attacks in recent years.

The evolution of underground forums and marketplaces in the last decade has facilitated access to a more robust, effective and easy-to-manage attack infrastructure for the operators of DDoS-for-hire services. Underground markets offer a diverse range of abusive services and tools for purchase. Among other things, these include hosting solutions that are IP-spoofing friendly and allow malicious DDoS traffic to be transferred, malicious scripts that can be used for initiating DDoS attacks, and lists of publicly accessible misconfigured servers that can be abused to amplify DDoS attack traffic. The dynamics of the modern underground markets have significantly lowered the technical barriers for malicious actors to build DDoS infrastructure and lease it for a small monthly fee, typically ranging from

While we are aware of the existence of an underground economy revolving around DDoS for hire, we do not have much insight into the structure of such services or the supporting technical and business infrastructure they rely on. A deeper understanding of the operational internals of these abusive services is the first step towards exploring effective methods for undermining them.

In this dissertation, we investigate the phenomenon of low-cost DDoS as a service, better known as booter services, in underground markets. We set out to understand these DDoS booter services from both a technical and a business perspective, with the goal of identifying weak points in these services that can be effectively leveraged to undermine them. In the first part of the dissertation, we explore the technical infrastructure of booter services and point out methods of identifying and potentially undermining key pieces.

Research efforts on defending against DDoS attacks can be broadly classified into attack prevention or reduction, identification of attack sources, and detection of attacks as they occur.

During our study, we find booter services to be heavily dependent on convenient payment methods, such as PayPal, for selling subscriptions to their customers. While it remains a significant challenge to find effective solutions that completely prevent DDoS attacks launched by booter services, we collaborate with PayPal to conduct a large-scale payment intervention that shows such efforts can be effective in reducing the scale of booter operations and the attacks they launch.

Next, we build a classifier based on features extracted from a victim's network traces to attribute amplification DDoS attacks to the booter services responsible for launching them. Our experimental results show a promising level of accuracy in attributing attack instances to booter services.

Due to their effectiveness, volumetric amplification attacks are the primary attack mechanism employed by booter services to deliver their ordered attacks. However, the characteristics of the malicious traffic generated by such attacks are essentially the same whether or not the attack was launched by a booter service, and detection of amplified volume-based attacks has been extensively studied in the past. We instead consider detection of a more subtle and recent variation of DDoS attack known as Economical Denial of Sustainability (EDoS).

An EDoS attack can be considered a much more subtle variation of a DDoS attack in which the attacker's goal is to disrupt the economic sustainability of a victim cloud consumer by inflicting cost through fraudulent consumption of billable cloud resources. We propose a method for detecting malicious sources engaged in EDoS attacks and experimentally evaluate the performance of the proposed method.
Keywords/Search Tags: DDoS, Attacks, Booter services, Malicious, Business, Undermining, Detection