Closing the floodgates… temporarily, at least


The FBI was able to cut the number of distributed denial-of-service attacks worldwide by 11% after shutting down just 15 of the most prolific DDoS-for-hire websites during the last quarter.

Following the seizures, according to the Nexusguard Q4 2018 DDoS Threat Report (registration required), the average size of DDoS attacks fell by 85% and the maximum attack size by 24%.

In fact, most attacks reported during the quarter were small, with more than 90% topping out at less than 1 Gbps in magnitude.

There was, however, a growing number of so-called “bit-and-piece” attacks. These can evade detection thresholds, as the targeted IP address receives only a small number of responses in each campaign, leaving little or no trace.

The most popular type of bit-and-piece attack – Simple Service Discovery Protocol Amplification attacks – increased by a staggering 3,122% year on year, accounting for 48% of the total attack traffic.

User Datagram Protocol (UDP) and HTTPS Flood attacks accounted for 14% and 9%, respectively.
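The detection gap behind bit-and-piece attacks, shown from the defender's side as an added example that is not taken from the Nexusguard report: it counts SSDP responses (UDP source port 1900) per destination IP and per prefix, so traffic that stays under every per-IP threshold still shows up in aggregate. The thresholds, the /24 aggregation, the spread of traffic across many addresses in one prefix, and the sample flows are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

SSDP_PORT = 1900               # UDP source port of SSDP responses
PER_IP_THRESHOLD = 1000        # assumed alert level: packets per destination IP per interval
PER_PREFIX_THRESHOLD = 20000   # assumed alert level: packets per destination prefix per interval


def detect(flows, prefix_len=24):
    """flows: iterable of (udp_src_port, dst_ip, packets) for one interval.

    Returns (destination IPs over the per-IP threshold,
             destination prefixes over the per-prefix threshold).
    """
    per_ip = defaultdict(int)
    per_prefix = defaultdict(int)
    for src_port, dst_ip, packets in flows:
        if src_port != SSDP_PORT:
            continue  # only SSDP responses are counted here
        per_ip[dst_ip] += packets
        prefix = ip_network(f"{dst_ip}/{prefix_len}", strict=False)
        per_prefix[str(prefix)] += packets
    hot_ips = sorted(ip for ip, n in per_ip.items() if n >= PER_IP_THRESHOLD)
    hot_prefixes = sorted(p for p, n in per_prefix.items() if n >= PER_PREFIX_THRESHOLD)
    return hot_ips, hot_prefixes


def sample_flows():
    """Constructed sample interval (documentation address ranges, not real data)."""
    # 200 addresses in one /24 each receive only 150 SSDP response packets.
    flows = [(SSDP_PORT, f"198.51.100.{host}", 150) for host in range(1, 201)]
    flows.append((53, "198.51.100.10", 5000))        # DNS traffic, not counted
    flows.append((SSDP_PORT, "203.0.113.7", 40))     # stray SSDP reply elsewhere
    return flows


if __name__ == "__main__":
    ips, prefixes = detect(sample_flows())
    print("per-IP alerts:    ", ips)
    print("per-prefix alerts:", prefixes)
```
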

Meanwhile, attackers became more persistent, with one month-long campaign seeing the target site hit by as many as 13 attacks a day on most days in December.

In terms of the sources of attacks, China – as usual – led the field, accounting for 22% of DDoS assaults, followed by the US (18%), France (7%), and Russia (4%).

The FBI website seizures last December included Quantum Stresser, one of the longest-running DDoS-for-hire services in operation.

Quantum had over 80,000 customer subscriptions since its launch in 2012. In 2018 alone, the service was used to launch over 50,000 actual or attempted DDoS attacks worldwide.

Other ethically challenged services included Downthem, Ampnode, critical-boot.com and ragebooter.com.

Last April Europol took down Webstresser.org – the world’s largest marketplace for DDoS attacks.

Despite the dip in DDoS traffic in the fourth quarter, Nexusguard researchers warned that so-called ‘booter’ or ‘stresser’ websites are set to make a comeback, thanks to a growing number of botnets and huge demand.

They cite the spread of the source code of Mirai, malware that turns networked devices running Linux into bots, saying this fueled “exponential” growth in botnets.

The team also believes that the FBI raids only scratched the surface of the problem, and calls for law enforcement bodies to improve their intelligence sharing.

“For the novice, carrying out a DDoS attack no longer requires coding or hacking skills; it’s now just a few clicks away,” the researchers warn.

“More bandwidth, faster connection speeds, and unpatched and unknown hardware/software vulnerabilities will continue to make DDoS attacks a persistent headache – despite the best efforts of law enforcement agencies.”