Our threat intelligence analysts assess “stressers” and “booters” for sale on cybercriminal forums that help less sophisticated criminals to launch their own distributed denial-of-service (DDoS) attacks.
DDoS Stands the Test of Time
Distributed denial-of-service (DDoS) attacks are one of the few attack methods to stand the test of time, having been used since the mid-1990s. In effect, a DDoS attack involves a criminal overloading network resources and making them unavailable for a limited amount of time. This disrupts normal services, whether they’re being used by the organization, their customers, or other users.
Over the last two decades defense methods employed by administrators to protect their online products have become better and better, forcing threat actors to evolve their methods. However, those who don’t have the knowledge or resources to conduct more sophisticated attacks now have another option as, in recent years, a multitude of “stressers” and “booters” have surfaced on the web. These attack-for-hire platforms are as easy to use as any other e-commerce website and allow anyone with the money (in some cases quite small amounts of money!) to launch powerful DDoS attacks against the target of their choice.
According to our data set, stressers have been available on cybercrime forums for at least 10 years, but there has recently been an uptick in interested buyers. This trend was confirmed by international law enforcement agencies with the coordinated Operation PowerOFF, in which several attack-for-hire platforms were taken down, including some that had been active for more than a decade. However, this has not completely eradicated the phenomenon, with stressers still flourishing on cybercriminal forums and Telegram channels.
Our threat intelligence team gained access to a number of these platforms and analyzed their features:
1. Nightmare Stresser
The Nightmare Stresser is a DDoS-enabling platform that has been active since at least 2020. According to the information available, there are more than 566,000 registered users, and 52 servers ready to conduct the attacks via 28 different methods. The attack methods are split based on their type, with three main categories: OSI model Layer 4 (Transport) UDP, Layer 4 (Transport) TCP, and Layer 7 (Application). The panel allows the attacker to choose the IP or URL to be targeted as well as the port number. After selecting the number of concurrent attacks, the flood can be launched.
Based on the subscription package chosen, an attacker would be paying between EUR 25 and EUR 19,999 with the main difference between subscriptions being the attack time and number of concurrent attacks offered. The cheapest subscription allows for an attack time of 1,800 seconds and one concurrent attack, while the most expensive option allows for an attack time of 86,400 seconds and 400 concurrent attacks. The maximum attack power appears to be limited to 200 Gbps.
2. Stressthem
Stressthem claims to be one of the most powerful stressers on the market with an attack power of up to 1,000 Gbps.
As with most other tools of this type, it employs the DDoS-as-a-Service business model, with subscription prices ranging from US $30 monthly up to US $18,000 quarterly. The most expensive option offers unlimited attacks per day, attack times of up to 2 hours, and 100 concurrent attacks. This platform’s panel also allows the user to select from multiple attack options and input the victim’s details. What differentiates this stresser from others is that it also offers a free package, allowing attackers to test the service before purchasing.
3. Paper Stresser
The actor SirMoustache, a member of the Cracked cybercrime forum, recently advertised an attack-for-hire tool that could be used for conducting DDoS attacks. What makes this stresser stand apart from other tools is the fact that it’s not hosted on a website. The actor who developed Paper Stresser claims this is a no-download tool, which appears to be operated via the command line interface of PuTTY.
Based on the actor’s description, it appears that the stresser uses 12,000 bots to conduct the attacks and has a power of up to 700 GB/s. Bots (also known as “zombies”) are devices with an active internet connection that have been infected with malware and are controlled by an attacker. These zombies can all be commanded to send requests to a chosen target, overwhelming it and temporarily making it unresponsive. This stresser is offered with four different monthly subscriptions ranging from US $30 to US $125, promising attack times of up to 500 seconds. The actor stated that the tool offers 18 types of attack methods, but did not elaborate.
4. Krypton Networks
Apart from offering their DDoS tools on cybercrime forums, some developers choose to advertise them on Telegram. The administrator of Krypton Networks, a DDoS tool that appears to require installation, claims that an internet-of-things (IoT) botnet is used to attack victims via Layer 4 (Transport) and private servers are employed when conducting attacks against Layer 7 (Application). This service offers an attack power of up to 1.5 Tbps with prices starting at US $15 for a seven-day subscription and up to US $1,000 for 16 days for a “Private” subscription. It is noteworthy that this service also has dedicated posts aimed at Russian and Chinese speakers, making it easy for those who do not speak English to deploy their attacks.
Who’s Buying DDoS-as-a-Service Tools?
DDoS attacks are leveraged by threat actors across a wide spectrum of motivations. Financially motivated actors, hacktivists, state-backed groups and script kiddies have all conducted such attacks and will likely continue to do so. But why? Financially motivated actors may look to target competitor services with DDoS attacks in order to disrupt their service and attract customers to their own services. Furthermore, DDoS attacks can be launched in combination with a blackmail attempt to extort funds from the victim.
Hacktivists have been openly using DDoS services to disrupt the services of those who do not share the same political, religious or general values. Some hacktivists have even developed their own DDoS tools and shared them with the community to encourage further attacks by followers and volunteers. For example, the group NoName057(16) – a Russian-affiliated hacktivist gang that actively targets the government institutions and critical infrastructure of western countries – has developed the proprietary tool dubbed DDoSia. The gang encourages followers to use it and has created a dedicated Telegram group to offer support for the tool.
State-sponsored attacks, carried out by hacking groups financed by some governments to disrupt the use of critical infrastructure in other countries, have also been observed as a component of wider cyber warfare. Last but not least, script kiddies and opportunistic actors rent DDoS-enabling infrastructure to target web resources that seem vulnerable, usually belonging to small companies and services, where even a minor disruption can have major financial implications.
Looking into the most-discussed stressers with a web-based application, we found that they generally resolved to either Russia-based or U.S.-based IPs. Notably, many Russia-based stressers used the same IP range, meaning they likely share similar infrastructure. However, this does not mean that the developers and administrators are based in those countries. During the recent PowerOFF operation, law enforcement made arrests in several countries, including the UK, Canada, Croatia, Poland and others.
The Future of DDoS-as-a-Service
Perhaps one of the most pervasive attack techniques, DDoS will always remain popular with the cybercriminal ecosystem, and the market for attack-for-hire platforms shows no sign of slowing. Indeed, as Operation PowerOFF brought many stressers offline, many similar services emerged to refill the market.
Early indications show that developers are looking to innovate further, with discussion of combining DDoS attacks with other types of activity such as ransomware, using the “threat-as-a-service” business model. It is critical that the security community monitors the development and sale of these tools on hacking forums and markets in order to prepare their defenses for the latest innovations in cybercriminal activity.
FAQs
1. What is the difference between a DDoS attack and a DoS attack?
A Denial-of-Service (DoS) attack comes from a single source attempting to overwhelm a target system, while a Distributed Denial-of-Service (DDoS) attack uses multiple compromised devices (botnets) spread across different locations to flood the target simultaneously. DDoS attacks are significantly more powerful and harder to defend against because blocking one source doesn’t stop the attack, and the distributed nature makes it difficult to distinguish malicious traffic from legitimate users.
2. How much does it cost to launch a DDoS attack?
DDoS attack-for-hire services are surprisingly affordable, with prices ranging from as low as $15 for a week-long subscription to $20,000 for enterprise-level packages. Some platforms even offer free trials to attract customers. Budget options typically allow for shorter attack durations (30 minutes to 1 hour) and limited concurrent attacks, while premium packages can sustain attacks for up to 24 hours with hundreds of simultaneous strikes and attack powers exceeding 1 Tbps.
3. Are DDoS stresser services illegal?
Yes, using DDoS stresser or booter services to attack networks without authorization is illegal in most countries, including the United States, UK, and EU member states. These attacks violate computer fraud and abuse laws and can result in criminal charges, substantial fines, and imprisonment. While some services claim to be legitimate “stress testing” tools, using them against targets you don’t own or have explicit permission to test is a criminal offense, regardless of how the service markets itself.
4. How can I protect my website or network from DDoS attacks?
Protection against DDoS attacks requires multiple layers of defense: implement rate limiting and traffic filtering at the network edge, use Content Delivery Networks (CDNs) with built-in DDoS protection, deploy web application firewalls (WAFs) to filter malicious requests, maintain excess bandwidth capacity to absorb traffic spikes, and consider specialized DDoS mitigation services from providers like Cloudflare, Akamai, or AWS Shield. Additionally, develop an incident response plan specifically for DDoS scenarios and monitor traffic patterns to detect attacks early.
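FAQ 1 notes that blocking one source does not stop a distributed attack, which is why the rate limiting and traffic monitoring listed above need both a per-source and an aggregate view. The following Python example is added here and is not part of the original article; the class names, thresholds and replayed traffic are constructed assumptions.

```python
from collections import defaultdict, deque

class TokenBucket:
    """Per-source limiter: refills `rate` tokens/second, holds at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

class EdgeMonitor:
    """Per-source throttling plus an alarm on the aggregate admitted rate."""
    def __init__(self, rate=5, burst=10, window=10.0, max_in_window=500):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))
        self.window, self.max_in_window = window, max_in_window
        self.recent = deque()  # timestamps of admitted requests inside the window

    def observe(self, ts, src):
        allowed = self.buckets[src].allow(ts)
        if allowed:
            self.recent.append(ts)
        while self.recent and self.recent[0] <= ts - self.window:
            self.recent.popleft()
        return allowed, len(self.recent) > self.max_in_window

def replay(events):
    """Replay time-ordered (ts, src) events; return (dropped_count, alarm_raised)."""
    mon, dropped, alarm = EdgeMonitor(), 0, False
    for ts, src in events:
        ok, hot = mon.observe(ts, src)
        dropped += not ok
        alarm = alarm or hot
    return dropped, alarm

# Constructed traffic, 10 seconds each; addresses and source labels are made up.
# One source at 50 req/s: the per-source bucket throttles it on its own.
single = [(t / 50, "198.51.100.7") for t in range(500)]
# 300 sources at 2 req/s each: all stay under the per-source limit, only the aggregate alarms.
distributed = sorted((s / 2 + i / 1000, f"src-{i}") for i in range(300) for s in range(20))

if __name__ == "__main__":
    print("single:", replay(single), "distributed:", replay(distributed))
```

In practice the aggregate threshold would be derived from a measured traffic baseline rather than a fixed number.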
5. What are the most common motivations behind DDoS attacks?
DDoS attacks serve various purposes depending on the attacker’s goals: financially motivated cybercriminals use them for extortion or to disrupt competitors’ services; hacktivists deploy DDoS to protest against organizations whose values they oppose; state-sponsored groups target critical infrastructure as part of cyber warfare campaigns; and script kiddies or amateur attackers launch attacks for notoriety, revenge, or simple experimentation. Business rivalries, ideological conflicts, and even personal grudges can all motivate DDoS attacks, which is why the accessibility of attack-for-hire services makes them such a pervasive threat.







