What s a DDoS Booter or Stresser Service

In today’s current environment it is crucial that your DDoS protection provider operates in a proactive capacity rather than reactive. If 2021 was anything to go by it has demonstrated that being on the front foot is a MUST when it comes to network security.

A large part of what makes our DDoS protection at Global Secure Layer so effective is operating with a proactive approach rather than a reactive approach. Our SOC (Security Operation Centre) team implements a forward thinking process in regards to our network's security, constantly researching new vectors and staying on top of the latest attacks and trends.

Occasionally our SOC team ventures into some of the 'darker' sides of the internet, to see exactly how attacks are being launched as well as seeing how threat actors themselves operate. So this leads us to look at booter and stresser services.

So what exactly is a Booter or Stresser service?

A booter service is an on-demand DDoS attack service offered illegally in order to bring down websites and networks by overloading or "stressing" IP addresses with data traffic.

Booter services originally started out as basic websites where users could pay as little as $5 a month to launch an attack at the click of a button. These attacks can target any victim and can range in size depending on the amount of money paid. Attacks can vary in size from a few Gbit/s to hundreds of Gbit/s.

Booter services also offer the person paying for the service the ability to choose from multiple attack vectors depending on what website they are targeting. For example they might decide to use a Slowloris or HTTPS flood. These attacks can be particularly damaging for hosting providers and internet service providers due to the amount of downstream customers that can be impacted.

DDoS-for-hire services are now found all over the internet and are easily accessible. More recently our SOC team has identified a number of these services being run out of Discord servers and Telegram chat rooms. Chatbots are instead being used to initialise attacks, while Discord appears to be actively closing down these servers, while Telegram doesn't appear to be taking much action against them.

How did the name Booter or Stresser come about?

In an attempt to conduct illegal DDoS-as-a-service attacks in the open, these services are often given names such as stressers. This term is used to add a level of legitimacy to the service or to imply that "it is just a stress test".  

Booters on the other hand get their name from the terminology "I'm going to boot you offline". When it comes down to it, both of these DDoS-for-hire services are essentially the same.

Payments for services are usually in the form of cryptocurrency (Bitcoin), although some also accept anonymous gift cards such as, Steam, Amazon, Netflix as payment. This is clearly because any real payment gateway such as PayPal would instantly suspend their accounts. More recently there has been a large shift towards Bitcoin.

The typical life-cycle for most booter services is approximately 6 months or less before it's either closed down by law enforcement, taken out by a larger competitor or voluntarily closed down either because they made enough money or grew sick of running the service.

Who runs these services?

More often than not these services are usually run by younger individuals.

As for motive, it seems to be entirely for profit, with select individuals claiming to just be doing it for fun or because they were fed up with the unreliability of other sites.

You might be thinking the bar for entry in regards to running such a service is high and requires a deep level of technical know-how and the ability to remain untraceable. Well you're in for a shock... as it turns out most of these services are recycling the same code bases and website templates with slight alterations at most.

Some of these code-bases have been leaked over the years by competitors and people just decided to open-source everything. Due to this it is surprisingly easy to find a functional code base to create your own DDoS-as-a-service website online. A great example of this is Github. The most searched repositories for DDoS on Github are actually attack tools rather than mitigation techniques. Because these code-bases have been passed around so much there's often backdoors programmed into them by other threat actors.

There are many flaws in these open-source code bases and are commonly known amongst various threat actors - resulting in 100s of data breaches related to these services being posted online. It is alarming how easy it is to build your own front-end site that allows people to sign up, launch attacks and collect payments.

Who launches the attacks?

Something that may come as a surprise, is most of these websites actually pay another larger DDoS-as-a-service website to launch attacks for them.                                                                                                          

Some larger sites offer a reseller plan, allowing you to still host your own website and build your own customer base but any attacks launched by your service are actually being launched by another larger site via an API they provide you. Usually some agreement is reached such as a flat monthly fee or a cut of every subscription, which is a similar system that ransomware schemes use.

The majority of DDoS-as-a-service sites operate in this tiered reseller fashion and at any given time there may actually be less than 15 larger DDoS-as-a-service sites in operation providing the 100s of smaller sites attack power.

So looking back at the cost of a stresser or booter service, the set up of the front end, combined with the tiered reseller structure, the barrier for entry is actually very low considering the task wanting to be performed.

Side note - it is worth mentioning that it is not uncommon to find these front-end sites hosted on legitimate and traceable hosting platforms. With some even leveraging the same CDNs used to mitigate the very attacks they launch as shields to protect themselves from competitors in the DDoS-as-a-service space.

For any organisation that relies on the internet to operate, it is a necessity that you not only have DDoS protection but you have proactive, real-time protection.

Global Secure Layer provides real-time mitigation solutions against DDoS attacks. Our protection is built inline and surgically removes threats at the edge before reaching customer services.

To know more about our DDoS protection, find out more information here.