Interested in denying someone access to the Internet? Ten dollars provides a very nice DDoS (Distributed Denial of Service) platform, featuring one 60-second long attack that can be used as often as needed for an entire month. For those wanting more, 169 dollars provides the ultimate DDoS, three two-hour long attacks, also rentable by the month.

Bewildered by all the different suppliers? This forum reviewed the major cloud-based DDoS platforms, coming up with these favorites.

[Image: top10Booters 2.jpg]

Notice the slide’s title refers to Booters; the industry calls for-hire DDoS attacks booters when they have an online customer interface. The slide also refers to stressers [sic]. That’s an attempt to align with legitimate businesses that stress-test websites on how well they handle large volumes of incoming traffic.

I first became aware of booters when my friend and security blogger, Brian Krebs, reported in this post that someone initiated a Booter DDoS attack against his blog site. After reading Brian’s post, I realized DDoS attacks were no longer just in the realm of experienced and knowledgeable hackers. For a nominal fee, anyone can easily wreak havoc on someone else’s Internet experience.

Wanting to learn more, I did some digging: coming across an interesting paper by Mohammad Karami and Damon McCoy of George Mason University, “Understanding the Emerging Threat of DDoS-As-a-Service.”

Mohammad and Damon start out by mentioning that researchers know little about the operation, effectiveness, and economics of Booters. A fortunate event changed that: the operations database for one specific Booter, twBooter, became public, allowing Mohammad and Damon to gain significant insight into its inner workings, including:

  • The attack infrastructure
  • Details on service subscribers
  • Information on the targets

In an interesting departure from typical DDoS operations, Mohammad and Damon noticed Booter developers prefer to rent servers instead of compromising individual PCs: “Compared to clients, servers utilized for this purpose could be much more effective as they typically have much higher computational and bandwidth capacities, making them more capable of starving bandwidth or other resources of a targeted system.”

Next, Mohammad and Damon were able to piece together twBooter’s two main components: the attack infrastructure and the user interface (shown below).


[Image: twBooters 5.jpg]

The user interface slide has a window showing the different available attack techniques. Using the database, Mohammad and Damon isolated the most popular attacks:


[T]wBooter employs a broad range of different techniques for performing DDoS attacks. This includes generic attack types such as SYN flood, UDP flood, and amplification attacks; HTTP-based attacks including HTTP POST/GET/HEAD and RUDY (R-U-Dead-Yet); and application-specific attacks, such as slowloris, which targets Apache web servers with a specific misconfiguration.

The authors mention that the above DDoS techniques accounted for more than 90 percent of the twBooter attacks. To determine the effectiveness of twBooter, Mohammad and Damon subscribed to twBooter and set about attacking their own server. First up, the UDP attack: “The UDP flood used a DNS reflection and amplification attack to generate 827 MBit/sec of DNS query response traffic directed at our server by sending out large numbers of forged DNS request queries that included our server’s IP address as the IP source address.”

Next, the SYN attack: “For the SYN flood, we observed 93,750 TCP SYN requests per second with randomly spoofed IP addresses and port numbers directed at our server in an attempt to utilize all of its memory by forcing it to allocate memory for a huge number of half-open TCP connections.”
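The two measurements quoted above have recognisable signatures on the victim's side: DNS responses arriving from resolvers the victim never queried, and a stream of SYN segments from ever-changing sources whose handshakes never complete. The following script is an added example, not code from the paper or from twBooter; it builds a constructed packet capture (the victim address, resolver addresses and packet counts are made up, scaled down from the paper's 827 Mbit/s and 93,750 SYN/s figures to a one-second toy) and runs both checks over it.

```python
"""Added example (not from the paper or the post): flag the two twBooter attack
signatures described above, DNS reflection/amplification and a spoofed SYN flood,
in a packet capture. All packet records and addresses below are constructed."""
import random
from dataclasses import dataclass

OUR_IP = "203.0.113.10"   # constructed victim address (RFC 5737 test range)


@dataclass(frozen=True)
class Pkt:
    ts: float          # seconds since capture start
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""    # TCP flags: "S" SYN, "SA" SYN/ACK, "A" ACK
    size: int = 0      # bytes on the wire


def capture_span(pkts):
    """Length of the capture in seconds (never zero, so rates stay finite)."""
    return (max(p.ts for p in pkts) - min(p.ts for p in pkts)) or 1.0


def dns_reflection_stats(pkts):
    """Count UDP responses from port 53 that reach OUR_IP although OUR_IP never sent a
    query to that resolver. The reflection victim never sent the forged queries, so
    almost every response is unsolicited. Returns (unsolicited, solicited, mbit_per_sec)."""
    queried = set()                       # resolvers we actually asked
    unsolicited = solicited = unsolicited_bytes = 0
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto != "udp":
            continue
        if p.src == OUR_IP and p.dport == 53:
            queried.add(p.dst)
        elif p.dst == OUR_IP and p.sport == 53:
            if p.src in queried:
                solicited += 1
            else:
                unsolicited += 1
                unsolicited_bytes += p.size
    return unsolicited, solicited, unsolicited_bytes * 8 / capture_span(pkts) / 1e6


def syn_flood_stats(pkts):
    """A SYN to OUR_IP whose handshake is never completed by an ACK from the same
    (src, sport) stays half-open; that backlog is what the flood exhausts.
    Returns (syn_per_sec, half_open, unique_sources)."""
    syns, completed = {}, set()
    for p in pkts:
        if p.proto != "tcp" or p.dst != OUR_IP:
            continue
        key = (p.src, p.sport)
        if p.flags == "S":
            syns[key] = p.ts
        elif p.flags == "A" and key in syns:
            completed.add(key)
    half_open = len(syns) - len(completed)
    return len(syns) / capture_span(pkts), half_open, len({src for src, _ in syns})


def assess(pkts, syn_per_sec_limit=1000, unsolicited_ratio_limit=0.9):
    """Turn the two statistics into alert strings; the thresholds are illustrative."""
    alerts = []
    unsol, sol, mbps = dns_reflection_stats(pkts)
    if unsol and unsol / (unsol + sol) > unsolicited_ratio_limit:
        alerts.append(f"dns_reflection: {unsol} unsolicited responses, {mbps:.1f} Mbit/s")
    rate, half_open, sources = syn_flood_stats(pkts)
    if rate > syn_per_sec_limit:
        alerts.append(f"syn_flood: {rate:.0f} SYN/s, {half_open} half-open, {sources} sources")
    return alerts


def build_sample_capture():
    """Constructed capture: one legitimate DNS lookup, one completed handshake, then
    a scaled-down reflection flood and a scaled-down spoofed SYN flood."""
    rng = random.Random(7)
    pkts = [
        Pkt(0.00, OUR_IP, "198.51.100.53", "udp", 40000, 53, size=60),      # our query
        Pkt(0.01, "198.51.100.53", OUR_IP, "udp", 53, 40000, size=120),     # its reply
        Pkt(0.02, "198.51.100.7", OUR_IP, "tcp", 51000, 443, "S", 60),      # client SYN
        Pkt(0.03, OUR_IP, "198.51.100.7", "tcp", 443, 51000, "SA", 60),     # our SYN/ACK
        Pkt(0.04, "198.51.100.7", OUR_IP, "tcp", 51000, 443, "A", 52),      # client ACK
    ]
    for i in range(500):   # amplified answers from resolvers we never asked
        resolver = f"192.0.2.{rng.randrange(1, 255)}"
        pkts.append(Pkt(0.1 + i * 0.0015, resolver, OUR_IP, "udp", 53,
                        rng.randrange(1024, 65535), size=3000))
    for i in range(2000):  # SYNs with random spoofed source and port, never completed
        src = ".".join(str(rng.randrange(1, 224)) if k == 0 else str(rng.randrange(256))
                       for k in range(4))
        pkts.append(Pkt(0.1 + i * 0.00045, src, OUR_IP, "tcp",
                        rng.randrange(1024, 65535), 80, "S", 60))
    return pkts


if __name__ == "__main__":
    for alert in assess(build_sample_capture()):
        print(alert)
```

On a real capture the same two statistics come out of NetFlow or a pcap just as well; the point of keeping "queried resolvers" as state is that it separates a reflection flood from a burst of answers to lookups the host genuinely made.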

The following slide provides details.


[Image: table.Booters 6.jpg]

To recap, twBooter exemplifies the new trend in DDoS platforms: a reasonably priced, user-friendly DDoS platform fully capable of bringing down websites, even those provisioned with significant bandwidth.

Something else I found interesting: even though twBooter did not make the Top 10 (maybe the data leak had something to do with it), Mohammad and Damon determined that twBooter earned its owners in excess of 7,000 dollars a month. That amount came from customers launching over 48,000 DDoS attacks against 11,000 separate victims.


Final thoughts

Oddly enough, booters started out filling a niche, one that allowed online gamers to momentarily knock opponents out of the game, gaining themselves a distinct, albeit unfair, advantage. Other enterprising underworld individuals decided to repurpose booters into powerful DDoS platforms for hire — simple, yet effective.


When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site’s servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK Tuesday seems to have been very different, and potentially far more invasive.

On Tuesday evening, Australian domain registrar Melbourne IT confirmed the security community’s suspicions that it was the weak link that allowed the outages of the Times’ website, and very likely the attacks on Twitter and the Huffington Post as well. Melbourne IT, like other domain registrars, serves as an authority for the Web’s domain name system (DNS), telling DNS servers how to translate the domain names users type into their browsers or click on into the numerical IP addresses of the servers that host those websites. According to Melbourne IT, one of its resellers’ accounts was compromised, giving the attackers the ability to change which DNS servers resolve their clients’ sites, essentially hijacking the sites’ traffic, potentially including all web traffic and email. (The battle for control of the domains still continues for the Times– remained offline as of Wednesday night.)

“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” Melbourne IT’s head of corporate communications wrote to me in an emailed statement.

The pro-Syrian government provocateur hackers known as the Syrian Electronic Army, however, haven’t left the attack’s source to the imagination. “Hi @Twitter, look at your domain, its owned by #SEA :)” the group tweeted Tuesday afternoon, along with the link to Twitter’s domain information, showing that they had changed it to the SEA’s. The group also temporarily replaced the Times’ site with a page showing their logo, and a message that read “Hacked by Syrian Electronic Army.”

That level of takeover is far more serious than merely knocking a site offline or defacing it, points out David Ulevitch, who runs the DNS service OpenDNS and monitored the day’s hijinks. “This isn’t just an embarrassment for the New York Times, but a serious security threat,” he says. He suggests that confidential emails, say, from sensitive sources in Syria, could have been compromised, too. “If email could be redirected and captured by the Syrian Electronic Army, you’ve blown your confidential status.”

Worse yet, an attacker could use the trick to set up a fake version of the site, complete with a seemingly valid SSL encryption certificate, and siphon users’ credentials, suggests HD Moore, chief research officer at the security firm Rapid7. “You wouldn’t have to man-in-the-middle a site for very long to get a crapload of credentials,” he says. “They could have harvested for 15 minutes and gotten 10,000 passwords.”

I’ve reached out to the New York Times and Twitter for more information about the extent of these potential breaches, and I’ll update this post if I hear back from them.

Update: Twitter security spokesperson Jim Prosser writes back that the Melbourne IT attackers had only limited access to its domain registration details and couldn’t have pulled off the scenario that Moore describes, only changed the “Whois” details. “The perpetrators weren’t able to change the actual DNS address of the domain — just the written registration details,” writes Prosser. He declined to comment further on the record, and referred me to Twitter’s official statement on the hack, which states that “no Twitter user information was affected by this incident.”

Moore points out that Melbourne IT may have been lucky that its Syrian attackers limited their attack to Twitter, the Times, and the Huffington Post UK. In fact, 26 of the top 250 sites on the Web based on Alexa rankings use Melbourne IT as a domain registrar, including,,,, and It’s not clear why the hackers didn’t use their access to go after more of those high-profile sites. “Someone could have gone much further with this and had a much more devastating impact,” he says.

In its statement, Melbourne IT says that some of its clients were protected by a “registry lock” feature that would require further verification for any changes to a domain registry. “For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com,” the statement reads. “Some of the domain names targeted on the reseller account had these lock features active and were thus not affected.”
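The incident turns on two things a domain owner can check for themselves: whether the registry, rather than just the registrar, holds a lock on the name, and whether the name servers the domain delegates to have silently changed. The script below is an added example, not code from the article, Melbourne IT or any registrar. It assumes the usual mapping of a "registry lock" onto the EPP server-side status codes (serverUpdateProhibited, serverDeleteProhibited, serverTransferProhibited), which only the registry can clear, as opposed to the client-side codes a registrar sets and a compromised registrar or reseller account can remove. The domain names, status lists and name servers are all constructed.

```python
"""Added example (not from the article, Melbourne IT or any registrar): audit a
domain's EPP status codes for a registry-level lock and compare its delegation with
a known-good baseline. Every record below is constructed."""

# EPP status codes (RFC 5731). Assumption: a registry lock sets the server* codes,
# which only the registry clears; the client* codes are set by the registrar and
# fall with a compromised registrar or reseller account.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited",
                 "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited",
                  "clientTransferProhibited"}


def lock_level(statuses):
    """'registry' if all server* locks are set, 'registrar' if all client* locks are
    set, otherwise 'none'."""
    present = set(statuses)
    if REGISTRY_LOCK <= present:
        return "registry"
    if REGISTRAR_LOCK <= present:
        return "registrar"
    return "none"


def delegation_drift(baseline_ns, observed_ns):
    """Name servers that appeared and disappeared relative to the baseline,
    compared case-insensitively and ignoring a trailing dot."""
    base = {n.lower().rstrip(".") for n in baseline_ns}
    seen = {n.lower().rstrip(".") for n in observed_ns}
    return sorted(seen - base), sorted(base - seen)


def audit(domain, record, baseline_ns):
    """Findings for one domain. record = {'statuses': [...], 'nameservers': [...]}."""
    findings = []
    level = lock_level(record["statuses"])
    if level != "registry":
        how = "no lock" if level == "none" else f"{level} lock only"
        findings.append(f"{domain}: {how}; a compromised registrar account can change NS")
    added, removed = delegation_drift(baseline_ns, record["nameservers"])
    if added or removed:
        findings.append(f"{domain}: delegation changed, added={added} removed={removed}")
    return findings


# Constructed baseline (what we expect) and constructed observed records (what a
# WHOIS/RDAP lookup returned today).
BASELINE = {
    "news-example.test":   ["ns1.example.net", "ns2.example.net"],
    "social-example.test": ["ns1.example.org", "ns2.example.org"],
    "blog-example.test":   ["ns1.example.net", "ns2.example.net"],
}
OBSERVED = {
    # hijacked: registrar-side lock partly set, delegation now points elsewhere
    "news-example.test": {
        "statuses": ["clientTransferProhibited"],
        "nameservers": ["ns1.attacker-example.test", "ns2.attacker-example.test"],
    },
    # registry lock in place, delegation unchanged (case/trailing dot differ only)
    "social-example.test": {
        "statuses": sorted(REGISTRY_LOCK | REGISTRAR_LOCK),
        "nameservers": ["NS1.Example.ORG.", "ns2.example.org"],
    },
    # untouched but only registrar-locked: worth a warning, not an incident
    "blog-example.test": {
        "statuses": sorted(REGISTRAR_LOCK),
        "nameservers": ["ns1.example.net", "ns2.example.net"],
    },
}


def run_audit(observed=OBSERVED, baseline=BASELINE):
    """Audit every observed domain against its baseline and return all findings."""
    findings = []
    for domain, record in observed.items():
        findings.extend(audit(domain, record, baseline[domain]))
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
```

Run periodically against fresh WHOIS or RDAP output, the delegation check is the one that would have fired during the Tuesday change described above; the lock check is the one that tells you in advance whether such a change could be made from a registrar account at all.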

But Moore says he checked’s domain registration as the attack took place and could see that it had implemented what looked like that “lock” safeguard, which seems to have failed to prevent the domain hijacking. “Whatever Twitter did, it didn’t make a difference,” he says. (Update: As I noted above, Twitter disputes this.)

The Syrian Electronic Army, which supports Syrian dictator Bashar Al-Assad’s regime in the country’s widening civil war, has emerged over the last year as a frequent disruptive force online. Using phishing attacks, it’s hijacked the Twitter feeds of Justin Bieber, Angelina Jolie, the BBC, CBS, NPR, and even the Onion. In April, it used the AP feed to deliver false news that President Obama had been injured in an explosion at the White House, causing a temporary 150 point dive in the stock market’s Dow Jones Industrial Average.

Though the Times continues to battle its Syrian foes, Moore argues that the SEA could have used its Melbourne IT attack to inflict far more serious damage than any of those previous hacks. “This comes off as kind of clumsy and a waste of a serious bug,” he says. “It could have gone a whole lot worse.”


China’s Internet was taken down in an attack on Sunday that could have been perpetrated by sophisticated hackers or an individual, security experts say.

According to The Wall Street Journal, which earlier reported on the outage, China on Sunday was hit with what the government has called the biggest distributed denial-of-service attack ever to rock its “.cn” sites. The attack, which lasted up to four hours, according to security company CloudFlare, left many sites with the .cn extension down. According to the Journal, parts of the affected sites were still accessible during the outage, due mainly to site owners storing parts of their pages in cache.

In a statement on the matter, the government-run China Internet Network Information Center confirmed the attack, saying that it was indeed the largest the country has experienced. The center said it is gradually restoring services and will work to improve the top-level domain’s security to safeguard against similar attacks.

It’s not currently known who attacked the Chinese domain. However, in a statement on the matter, CloudFlare CEO Matthew Prince said that while it’s possible a sophisticated group of hackers took .cn down, “it may have well been a single individual.”


Early Sunday morning, part of the Chinese Internet went down in what the government is calling the largest denial-of-service attack it has ever faced. According to the China Internet Network Information Center, the attack began at 2 a.m. Sunday morning and was followed by an even more intense attack at 4 a.m. The attack was aimed at the registry that allows users to access sites with the extension “.cn”. As originally reported by the Wall Street Journal, the attack is perhaps more an indicator of just how susceptible the global Internet infrastructure is to these types of attacks.

China has one of the most sophisticated filtering systems in the world, period. Furthermore, China’s government is rated by analysts as having one of the highest abilities to carry out cyber attacks. Despite both of these points, China is not capable of defending itself from such an attack.

DOS (Denial of Service) or DDoS (Distributed Denial of Service) attacks are the single largest threat to our Internet and the Internet of Things. The more our world becomes connected and dependent on the Internet, the more opportunities there are to disrupt the everyday necessities that now run over the IoT. Here are some of the more recent examples:

Latest DOS attacks around the world


  • Anonymous Demands Recognition of DDoS as a Legal Form of Protest

We all know how annoying a DDoS attack is, and just how inconvenient it becomes to access a much-needed site. While we may curse the people behind DDoS attacks, the renowned hacktivist group Anonymous is looking to get such attacks the status of legal protest.

According to Anonymous, DDoS is done to send a message to the affected party, which is why they’ve petitioned the Obama administration to recognize DDoS as a legal form of protest. In the petition, the Anonymous group also demanded that anyone who has been jailed for participating in a DDoS attack should be immediately released, and anything related to the attack should be wiped from their criminal records.

  • FBI Enlists US Bank’s Help To Head Off Iranian Cyber Attacks

In order to combat a wave of cyberattacks that have rattled the US banking industry since last year, the FBI has given certain banking executives extensive briefings of their classified investigations. The collaboration is part of a new policy being initiated by the FBI to try and foster closer cooperation between authorities and the private sector.

  • Did Hackers Take Down NASDAQ?

News emerged that a significant disruption caused the NASDAQ trading market to shut down for more than three hours starting at 9:20am PST on August 22nd. The problem manifested itself in the quote processing system, prompting the first awareness of the issue.

This seems eerily reminiscent of another NASDAQ incident in May 2013 during which Facebook’s IPO was bungled due to a “software glitch”. That incident prompted a $10 million fine for NASDAQ, but more importantly a rising lack of confidence has emerged in investor sentiment surrounding the technical elements of today’s trading systems. People have questioned whether the structure itself is flawed, and whether there is an overabundance of dependence on technology baked into both trading strategies and automated trading systems.

  • CyberBunker Launches “World’s Largest” DDoS Attack, Slows Down The Entire Internet

A massive cyberattack launched by the Dutch web hosting company CyberBunker has caused global disruption of the web, slowing down internet speeds for millions of users across the world, according to a BBC report. CyberBunker launched an all-out assault, described by the BBC as the world’s biggest ever cyberattack, on the self-appointed spam-fighting company Spamhaus, which maintains a blacklist used by email providers to filter out spam.

  • Bitcoin Under Attack? Dwolla & Mt. Gox Both Hit With DDoS Attacks Overnight

Another day, another DDoS attack. This time round, it’s the turn of alternative online payments provider Dwolla, which saw its website taken offline for a brief period of time. The site has since come back online, but the company said in a statement that some users may still experience issues as the attack remains ongoing.


A security researcher picks apart the shady world of Booter services that offer distributed denial of service attacks as a service.

A security researcher speaking at the Black Hat conference last week has exposed the malicious underworld of Booter services that offers paying customers distributed denial of service (DDoS) attack capabilities on demand.
Lance James, chief scientist at Vigilant, explained to eWEEK that he got pulled into an investigation into the world of Booter services by his friend, security blogger Brian Krebs. Krebs had been the victim of a Booter service attack and was looking for some answers.
“Basically a Booter is a Web-based service that does DDoS for hire at very low prices and is very hard to take down,” James said. “They are marketed toward script kiddies, and many DDoS attacks that have been in the news have been done via these services.”
James was able to identify the suspected Booter site via Website log files and began to trace the activity of the individual who specifically attacked Krebs. Further investigation revealed that the same individual was also attacking other sites, including and the Ars Technica Website.
After James was able to identify the Booter service and directly connect it to the attacks against Krebs, the two were able to help shut down the Booter service itself.
James said the data was handed off to law enforcement, and the specific Booter service that initially attacked Krebs was shut down within a short period of time. The timing challenge in taking down the Booter service has to do with the fact that the Internet service provider (ISP) that the service looks like it is being hosted from is not where the Booter service actually is located.
“There is a service in the middle that protects the Booter sites with turnkey Web security routing,” James explained. “In that case, they operate similar to the legal confines of Facebook and Twitter, and they require subpoenas and warrants to shut it all down.”
How Booter Services Work
The challenge in locating the root source of the Booter service is also due to the operational complexity of how a Booter works.
Booter services typically have a Web front end, where the end user who wants to target a given site is provided with an interface. James explained that the Web front end is just the control panel, while the underlying back end with the hosts that execute the DDoS attack is located elsewhere.
“So to the underlying ISP that is involved, it doesn’t look like anything that is malicious,” James said. “There is no DDoS traffic coming directly from the ISP.”
The DDoS traffic comes from a separate infrastructure that includes data servers all over the world that the Booter services connect to via proxies.
“So when you actually request a Booter service takedown, it’s very difficult because the ISP on which the site is hosted has plausible deniability,” James said. “They can say, ‘We haven’t seen them do anything illegal from our site,’ so you really need to prove that.”
Follow the Money
One of the ways that James was able to help track down the individual behind the Booter service was via the PayPal email address the person was using to get paid for his services. James’ investigation ended up looking at over 40 Booter services, and all of them used PayPal as their payment mechanism.
“A lot of the times to disrupt something, the economic structure has to be disrupted,” James said. “If you look at the motivation—and the motivation is money—you need to disrupt what they are seeking.”