Why run a DDoS-for-hire service? Easy money

Who run so-called ‘booter’ services that are used to knock out websites and are sometimes used for extortion? Young males. Why? Easy money.

And do they feel guilty, knowing that their services support distributed denial of service (DDoS) attacks, which can cost businesses thousands of dollars and is illegal in many jurisdictions? Generally, no, according to a new study by Alice Hutchings and Richard Clayton, researchers at the Computer Laboratory, University of Cambridge.

That’s because most of the handful of operators that volunteered information for the study claimed they provided legitimate services.

Numerous studies have looked at how booter services operate at a technical level and how much money they can make, but not the motivations of those who operate them.

Booter services can technically be used by an organisation to stress test their own web server for its capacity to handle traffic, but are often used to bowl over a website.

The researchers said their main purpose was to understand the motivations of stresser operators, “their perceptions of the (il)legality, the market for their services and the economic benefits they might receive.”

They also wanted to find out how much time the operators invested into their operations, including site maintenance and managing partners.

The researchers explore a number of criminological theories to explain the behaviour of booter service operators, including that they just learnt it from others, or ‘neutralised’ or justified their actions by, for example, denying the possibility of their service could harm victims. Anther example of neutralisation would be blaming the victim for an attack.

Not surprisingly, few stresser service operators responded to requests by the researchers. After contacting 63 boot stresser sites, the researchers recruited 13 participants, two of which agreed to an online interactive survey and 11 that opted for an online survey. It does make for a small sample size, but one that comes from a small community of operators.

Responses indicated that all 11 participants were male and all below 34 years of age, with five from the North America, two from Europe, and the remainder from Asia, Africa and Australia. Eight were students while two claimed to work at a place of employment.

Interestingly, one of the respondents claimed to also provide DDoS protection service.

“I would rather not divulge the names of other companies I am involved in, however, I can say that I am involved in providing DDoS protection services, high availability web hosting, dedicated server hosting, and virtural server hosting,” one participant told the researchers.

Some of the respondents claimed to have been users of stresser services before beginning to offer these services themselves. Others integrated stresser services into existing products, such as web hosting for game servers, coding, web development and pen-testing services.

The researchers acknowledge that many questions were not answered by all participants however one question they did was: “What are your primary motivations for offering stressed services?”.

“The primary motivation, as claimed by eight participants, was the provision of services for the purpose of network testing,” the researchers wrote.

One participant, pressed for further detail, argued that his stresser service could assist a lot of data centres “prepare for an actual threatening attack that can cripple their networks for long periods of time resulting in financial loss, if they are prepared before an actual attack strikes, less damage will be done.”

Another said they couldn’t be held responsible for how their service was used, while another said he was acting lawfully because if law enforcement requested logs, he could and would provide them.

If you'd like further explanation, because it can assist a lot of data centers, server owners small and large prepare for an actual threatening attack that can cripple their networks for long periods of time resulting in financial loss, if they are prepared before an actual attack strikes, less damage will be done.

But these were justifications. One of the main reasons for operating a stresser service is easy money and respondents reported earning between US$300 to $500 a day. Three participants said the service accounts for up to 10 percent of their income, while two said it accounted for between 90 to 100 percent of their income.

Join the CSO newsletter!

Error: Please check your email address.

Tags easy moneycrimeWeb serversData Centertrafficstresser servicecyber securitythreatsDDoS attacks

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts