Booter and Stresser Services Increase the Scale and Frequency of Distributed Denial of Service Attacks
Criminal actors offer distributed denial of service (DDoS)-for-hire services in criminal forums and marketplaces. These DDoS-for-hire services, also known as booters or stressers, are leveraged by malicious cyber actors, pranksters, and/or hacktivists to conduct large-scale cyber attacks designed to prevent access to U.S. company and government Web sites. The FBI investigates these services as a crime if they are used against a Web site without the owner's permission (permission an owner might give, for example, for a legitimate stress test).
DDoS attacks are costly to victims and render targeted Web sites slow or inaccessible. These attacks prevent people from accessing online accounts, disrupt business activities, and impose significant remediation costs on victim companies. They can also cause businesses impacted by DDoS attacks to lose customers.
For example, in October 2016, one of the largest DDoS attacks to date targeted a domain name service (DNS) provider and impacted more than 80 Web sites primarily in the United States and Europe, causing them to become inaccessible to the public. The attack used a booter service and was attributed to infected Internet of Things (IoT) devices, such as routers, digital video recorders, and Webcams/security cameras, which were used to execute the DDoS attack. Open source reports estimate the DNS provider lost approximately eight percent of its customers following the attack.
What Are Booter And Stresser Services?
Booter and stresser services are a form of DDoS-for-hire, advertised in forum communications and available on Dark Web marketplaces, that offers malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets: networks of malware-infected computers exploited to make a victim server or network resource unavailable by overloading it with massive amounts of fake or illegitimate traffic.
These services can be used legitimately to test the resilience of a network; however, criminal actors use this capability to take down Web sites. Established booter and stresser services offer a convenient means for malicious actors to conduct DDoS attacks by allowing such actors to pay for an existing network of infected devices, rather than creating their own. Booter and stresser services may also obscure attribution of DDoS activity.
Regardless of whether someone launches a DDoS attack using their own command-and-control infrastructure (e.g., a botnet) or hires a booter and stresser service to conduct an attack, their transmission of a program, information, code, or command to a protected computer may result in criminal charges.
Consequences Of Participating In These Schemes
The use of booter and stresser services to conduct a DDoS attack is punishable under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in any one or a combination of the following consequences:
- Seizure of computers and other electronic devices
- Arrest and criminal prosecution
- Significant prison sentence
- Penalty or fine
How And What To Report
The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified at www.fbi.gov/contact-us/field. IC3 complaints should be filed at www.ic3.gov with the following details (if applicable):
- Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc.)
  - Attempt to preserve netflow and/or packet capture of the attack
- Any extortion/threats pertaining to the DDoS attack
  - Save any such correspondence in its original, unforwarded format
- Victim information
- Overall losses associated with the DDoS attack
- If a ransom associated with the attack was paid, provide transaction details, the subject's email address, and/or cryptocurrency wallet address
- Victim impact statement (e.g., impacted services/operations)
- IP addresses used in the DDoS attack