Denial of Service (DoS) attacks have come a long way since the days of LOIC and other GUI-based tools. Today, potential hackers do not have to know the first thing about conducting such an attack. They can simply purchase attack services to carry one out for them. Just a few years ago, attackers would have had to download simple GUI-based tool to launch a DoS attack. As time moved on, hackers started to combine their efforts and tools in distributed group attacks. Today, attackers are now abandoning GUI and script tools and opting to pay for attack services via stresser services.
Basic DoS tools are easy to defend against and have left attackers wanting more power. With this demand came a supply of new attack tools and services that will quickly test the limits of most defensive systems. But this new demand was not created out of the good nature of a hacker’s heart. It was fueled by profits and has now created a blooming industry around DDoS-as-a-service.
These new, off-the-shelf attack services are commoditizing the art of hacking, making it possible for novice hackers with little know-how to launch attacks via affordable tools that are available on the Darknet and the Clearnet. To add humor into the situation, most DDoS-as-a-service websites use DDoS mitigation companies to prevent their competition from taking them offline.
Figure: zStress attack panel
Many notorious DDoS groups like Lizard Squad, Poodle Corp, New World Hackers and others have all entered the DDoS-as-a-service business, monetizing their capabilities in peace-time by renting out their powerful stresser services. The high demand for DDoSaaS makes it a very profitable business and can generate thousands of dollars a week for operators. The entry level continues to decrease, allowing novice attackers the ability to carry out larger and more sophisticated attacks then just a few years ago. For as little as $19.99 a month an attacker can run 20 minute bursts for 30 days, utilizing a number of attack vectors like DNS, SNMP, SSYN and slow GET/POST application layer DoS attacks. All an attacker has to do is create an account, select a plan, pay in Bitcoin and access the attack hub where they can target the victim by port, time and method.
|Booters and Stresser (Low end)|
These services offer multiple attack vectors, allowing the attacker to directly target their victim’s network with accuracy and power. Some of the most common attack vectors found on these sites are DNS, NTP, SSDP, Chargen, SSYN, ACK, XMLRPC, Portmap and Joomla.
For more about attack vectors, check out our recentERT Alert.
Due to their effectiveness, amplification-based attacks are the default attack technique offered by most booters services. These attacks are easy to conduct and rely on misconfigured services. The attacker sends a spoofed packet with the victim’s IP to the service, resulting in a response from the server sent to the victim’s IP. Attackers will also use reflection-based attacks by misusing popular content management systems (CMS) like WordPress and Joomla to generate HTTP requests to target web servers. They will also abuse gaming consoles and routers in an attempt to generate larger attacks. By using reflection and amplification, attackers are able to mask their origin and turn a tiny amount of bandwidth into a much larger scale assault.
In addition to these vectors, a number of services also offer tools on their website like resolvers, IP loggers, geo-location, ping and VPN detectors.