USENIX: Gamers use DDoS as a service to cheat -- a lot

Cheating gamers pay as little as $10 per month to launch denial of service attacks against their opponents as a tactical advantage using commercial providers that walk the line between being legitimate businesses that stress-test their customers' networks and purveyors of DDoS as a service, researchers at USENIX Security 2013 say.

Gamers attacking each other as well as gaming Web sites accounted for 180 out of 277 customers of twBooter, which says it helps to see how well sites withstand DDoS attacks, according to researchers Mohammad Karami and Damon McCoy of George Mason University who presented a paper on the subject this week in Boston. The service was used in some cases to knock government Web sites offline, they say.

TwBooter launched nearly 50,000 attacks during two months earlier this year charging a bargain price of about $15,000 total, the researchers say. Some of the attacks could generate 827M bit/sec in traffic against a single Internet connection, enough to swamp the personal links of Internet gamers or midsize Web sites.

[FLIP SIDE:Start-up Defense.Net debuts with anti-DDoS service]

The USENIX paper is based on about two months of SQL dumps from the company's severs that are publicly available on the Internet, the researchers say.

Conventional DDoS attacks rely on vast numbers of compromised computers organized as a botnet, which are expensive to create and manage. But twBooter launches its attacks from 15 servers, two of them in the U.S. and the rest in the Netherlands and charges $10 to $200 per month.

[MORE FROM USENIX:New security scheme whacks text spammers in hours]

The service employed a dozen different types of DDoS attacks, but just eight - SYN flood, UDP flood, amplification attacks, HTTP POST, HTTP GET, HTTP HEAD, RUDY (R-U-Dead-Yet) and slowloris -- account for 96% of the twBooter attacks recorded for the period Jan. 23 to March 15.

During that time 277 customers launched 48,884 attacks against 11,304 targets, either Web URLs or IP addresses. TwBooter gives customers the option to launch attacks that last anywhere from a minute to two hours, with the price adjusted according to the duration. About 65% of customers called for attacks lasting 10 minutes or less. They can pay more to launch up to three concurrent attacks, but 74% chose to launch just one attack at a time.

Most gamers are connected to the Internet via residential broadband connections, so they are readily overwhelmed.

[STILL MORE USENIX:Researchers propose security that adapts to combat malware that morphs]

The 15% of users who bought attacks lasting an hour or more were likely targeting Web sites, not gamers, the researchers say.

Just six users accounted for about half of the attack time over the period examined. That represented the top 2% of users who launched concurrent attacks for more than an hour in duration against Web sites, not individual user Internet access lines.

To hide their true identities, the servers spoofed their source addresses and employed proxies to deliver attack packets.

Tim Greene covers Microsoft and unified communications for Network World and writes the  Mostly Microsoft blog. Reach him at and follow him on Twitter@Tim_Greene.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags IDS/IPSUSENIXIDSsecurityddosIPSWide Area NetworkTwBooter

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place