IP Booters: Taking DDoS Attacks To New Levels
Distributed denial of service attacks have been around since the early days of the Internet. The first known attack happened way back in 1995 with activists targeting French nuclear policy; the first large-scale attack occurred in 1999 against systems at the University of Minnesota. The next year huge websites like Amazon, eBay and Yahoo were hit by DDoS attacks and the genie was truly out of the bottle.
Assaults on organizations and corporations, either for the purpose of gaining notoriety or demanding ransoms, continued with increasing severity. But it was a while before the term “DDoS attack” started appearing with regularity in mainstream headlines, largely due to the “hacktivist” assaults by the group Anonymous on major financial institutions and processors. By now, DDoS attacks are so commonplace that they’re in the news as much for their unprecedented size as for the companies, government agencies or organizations they target.
Why are those seeking to bring down computer systems with DDoS attacks now able to launch so many attacks with such ferocity? One major reason is the development and widespread availability of IP stressers, also known as booters. In this article we’ll first take an in-depth look at why IP booters have been such an important change in DDoS methodology, and then at how they actually work.
DDoS Methods Employed by Booters
Early distributed denial of service attacks were launched in one of two ways: through botnets, or through direct hacking of servers. Both are still seen today, but have been largely surpassed by newer methods.
Botnets are ad-hoc networks of computers which have been “taken over” by malware, for the purpose of remotely using the computers to participate in an attack. (There are many other uses for botnets as well, but we’re simply looking at them here as used for DDoS purposes.) When the thousands, hundreds of thousands or millions of computers in a botnet all send data requests to the same target server at the same time, the target is likely to be overwhelmed by the sudden influx of traffic. The result is either extremely slow performance by the server or its complete inaccessibility to legitimate traffic. And since the traffic is coming from so many diverse IPs, it’s impossible to know who is behind the attack.
Server hacking is a different approach with the same goal. Once a server is breached, a shell is uploaded without the knowledge of the owner; that shell is then used to launch attacks against a target server. Again, the aim is to overwhelm the target with traffic coming from sources which can’t be traced back to the originating organization.
Each of those approaches has become more difficult to pull off than in the past. Large botnets are more difficult to build than they used to be, due to greater user awareness of the dangers of malware and more effective anti-virus software. Similarly, servers are more difficult to hack than they once were due to stronger server protection and monitoring.
However, the growing use of an alternative approach, the IP booter, has made DDoSing easier than ever.
So, What Exactly Is a Booter?
First, a clarification before we tackle this subject: the terms “booter”, “IP booter”, “stresser” and “IP stresser” are used interchangeably. Some people prefer the word stresser for reasons we’ll get into shortly, but when we use any of those terms, we’re referring to the same thing.
A booter is simply a web-based method of using a computer service to launch a DDoS attack. Some stresser services are operated through companies that don’t care what a customer does with space on their servers as long as the customer pays the bills, or by firms that purposely lease server space to clients who will be initiating attacks. Other IP booter services essentially use mainstream server accounts as a middle layer of protection; control panels and ordering processes are hosted on innocuous websites without the ISP knowing what the sites are being used for, while the actual attacks are launched from other servers or from shells previously placed on hacked websites.
In effect, a stresser works almost the same way as the earlier method for DDoSing a target; a server or large numbers of individual machines are used to launch multiple, simultaneous data requests to a target in an attempt to overwhelm it. Since a web server can send one thousand times the number of data requests that a home or office computer can (or even more), it’s the most efficient way to attack a target.
Stressers are also much quicker to use than going through the process of hacking computers or creating and maintaining a botnet, since the IP booter infrastructure is already in place and clients can sign up and start a DDoS attack in a matter of minutes; all they need to know is the target IP (and, if possible, the relevant port number). There are dozens of IP stresser services operating at any one time (whenever one is taken down, another quickly takes its place), and the names and URLs of stresser services are shared on hacker sites and ICQ chats. They all accept payment via PayPal, which has proven itself unable to police the many ways payments are made for booter services.
There’s still one potential issue for users of IP booters: keeping their identities completely anonymous. This is usually handled by routing their access through a Virtual Private Network, often used by businesses to secure and encrypt transmissions but also handy for hiding your identity online. VPNs are often used by people who are working on an unfamiliar network (whose security isn’t known), downloaders (who don’t want anyone to know if they access copyrighted music or programs), security buffs (who don’t want anyone to know anything about them) – and most definitely, hackers. A VPN will even hide someone’s identity from the stresser service they’re using.
So booters are an easily accessible, fast, and inexpensive (purchasing several hours of a DDoS, for example, can cost less than going out to dinner) way to launch an attack. Can’t web hosts and ISPs fight them? We’ll look at that, after we take care of one piece of unfinished business.
We mentioned earlier that many people prefer to call these services “stressers” or “IP stressers”, and there’s a simple reason why. A “real” IP stresser is actually a legitimate business service, provided for the purpose of testing web servers to determine what type of incoming loads they can handle. Those who prefer to use booters for DDoS attacks feel there’s a certain legitimacy conveyed to their operation by calling them stressers instead.
When Booters Attack
Needless to say, ISPs and web hosts are constantly improving their defenses against DDoS attacks. Many now provide what they call “DDoS mitigation services” which are designed to constantly and proactively monitor the source of incoming traffic to deny suspicious data requests, and spread server loads throughout their server farms or through the cloud.
Also needless to say, stresser operators have stepped up their game. Many now offer both of the most popular types of DDoS attacks, layer 4 and layer 7.
A layer 4 attack is most effective when launched against web servers which haven’t been hardened against DDoS attacks with protection like HyperFilter, Incapsula or CloudFlare, or against home or small business computer installations which are ripe for exploitation. These attacks, available with all IP booters, usually take advantage of the TCP connection handling on computers which allows two-way data exchanges. It’s possible to launch layer 4 IP stresser attacks ranging from 10 Mbps to 200 Gbps, depending on server capacity, attack methods available, and the quality of the amplification list being used. Most common services average around 20 Gbps per attack. A savvy ISP or web host can detect layer 4 DDoS attacks but will sometimes be caught asleep at the switch. Layer 4 attacks will usually be quite effective against lesser installations.
Layer 7 attacks, only available with some booter services, are application-layer methods which are much more difficult to detect. That’s because the DDoS traffic often looks legitimate – at least, until it takes down a server. Layer 7 attacks can often pass right through CloudFlare-type protection and crash machines by the sheer volume of the data requests they make, even if the servers have been hardened against DDoS attacks. Here is a rundown of the types of DDoS attacks that stressers can launch, depending on their capabilities:
- UDP Flood Attacks
A large number of UDP (user datagram protocol) packets are sent (often from spoofed IPs) by the IP booter simultaneously, to random ports on the target machine. When the host finds that no application is listening on the port, it sends out “destination unreachable” responses. At some point, the back-and-forth makes the target unreachable. Many operating systems limit the rate at which responses are sent in order to prevent UDP floods, so another type of attack, UDP Lag, sends its packets in bursts rather than continuously to try to bypass this safeguard.
- SYN Flood Attacks
This takes advantage of the normal “handshake” between client and server when a connection is established. In a nutshell, the client first sends a SYN (synchronize) request, the server responds, and the client acknowledges the connection. In a SYN attack, however, the IP stresser uses spoofed IPs to send multiple requests to every port on the server, the server responds to all of them, and the clients never respond – leading the server to wait for acknowledgements. All of those potential connections remain open, while the attacker repeats the process over and over again. All of the “half open” connections overload the server and eventually take it down. More advanced mitigation techniques are required to fight SYN attacks. These are sometimes called SSYN or ESSYN attacks.
- DNS Attacks
Some DNS (domain name system) servers are vulnerable to exploitation because they don’t refuse multiple inquiries from the same IP, and amplification techniques can be used to launch DDoS attacks through them. The booter sends large numbers of continuous lookup requests to the DNS server (often in combination with a botnet which sends the requests), spoofing them so they all appear to come from the target machine’s IP. All of the responses are sent to the target machine, overwhelming it. This is a much more sophisticated version of a UDP attack, and it can take a target quite a while to realize what’s going on, even if it has robust mitigation procedures in place. Similar techniques include NTP (taking advantage of network time protocol servers), CHARGEN (using character generation protocol services) and SNMP (sending queries to network devices using the simple network management protocol) attacks. All take advantage of amplification and can be devastating over the short term.
- XML-RPC Attacks
These take advantage of a vulnerability in many legitimate WordPress installs, with stressers using the XML-RPC function normally used to send pingbacks. When enabled, the function can be used on multiple sites to send hundreds or thousands of requests per second to a target site, or to make internal requests to take down a site. The vulnerability exists on hundreds of thousands, or even millions, of sites; the only way to prevent its exploitation is to disable XML-RPC.
- HTTP GET/POST Attacks
Whenever an online client communicates with a server, most requests come in the form of either GET or POST requests, either to fetch information (the display of a photo or page, for instance) or to submit information (for example, when a web form is filled out). IP booters create large numbers of requests for large data files in order to overwhelm a web server in a DDoS attack; some prefer GET requests because they seem more legitimate, while others choose POST attacks because they require the server to perform numerous and more complex operations to deal with multiple parameters.
- SLOWLORIS Attacks
This is a complicated and highly effective DDoS technique which IP stressers employ to use one server against another. Multiple HTTP headers are sent to the target but the requests are never completed, so the target keeps all of the connections open while waiting for the remainder of the requests. This causes the target server to exhaust all of the concurrent connections it allows, and all other legitimate requests are denied. SLOWLORIS is most effective against Apache servers, the most common web servers in use today. There’s an Apache module written to prevent these attacks, but it is often not enabled. Similar methods also exist for other types of web servers.
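Looking at the DNS/NTP/CHARGEN/SNMP amplification methods above from the defender’s side, here is an added example (not code from the original article) that picks reflected replies out of flow records by matching each inbound reply stream against what the protected host actually requested. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Reflector services named in the article, keyed by the UDP port their replies come from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN", 161: "SNMP"}

# Constructed flow records (not real traffic): (src, sport, dst, dport, proto, bytes).
# 203.0.113.10 is the protected host; the first five flows are unsolicited replies.
FLOWS = [
    ("198.51.100.7", 53, "203.0.113.10", 33001, "udp", 4100),
    ("198.51.100.8", 53, "203.0.113.10", 33002, "udp", 4200),
    ("198.51.100.9", 53, "203.0.113.10", 33003, "udp", 3900),
    ("192.0.2.50", 123, "203.0.113.10", 40000, "udp", 4800),
    ("192.0.2.51", 123, "203.0.113.10", 40001, "udp", 4700),
    # Legitimate: the host queried its own resolver and got a normal-sized answer.
    ("203.0.113.10", 51234, "198.51.100.1", 53, "udp", 64),
    ("198.51.100.1", 53, "203.0.113.10", 51234, "udp", 180),
    ("198.51.100.20", 443, "203.0.113.10", 52000, "tcp", 15000),  # TCP: not a reflector
]

def detect_reflection(flows, protected_ip, min_ratio=10.0, min_reflectors=2):
    """Compare bytes each (reflector, port) sent to the protected host with the bytes
    the host sent that reflector. A reply stream with no matching request, or one
    that dwarfs its request, is reflected traffic. Returns {service: details}."""
    inbound = defaultdict(int)   # (reflector_ip, port) -> bytes received from it
    outbound = defaultdict(int)  # (reflector_ip, port) -> bytes the host sent to it
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp":
            continue
        if dst == protected_ip and sport in REFLECTOR_PORTS:
            inbound[(src, sport)] += size
        elif src == protected_ip and dport in REFLECTOR_PORTS:
            outbound[(dst, dport)] += size
    per_service = defaultdict(lambda: {"reflectors": [], "inbound_bytes": 0})
    for (ip, port), size in inbound.items():
        requested = outbound.get((ip, port), 0)
        ratio = size / requested if requested else float("inf")  # inf = unsolicited
        if ratio >= min_ratio:
            svc = per_service[REFLECTOR_PORTS[port]]
            svc["reflectors"].append(ip)
            svc["inbound_bytes"] += size
    # One noisy reflector may be a misconfiguration; several at once is an attack.
    return {s: d for s, d in per_service.items() if len(d["reflectors"]) >= min_reflectors}

if __name__ == "__main__":
    for service, details in detect_reflection(FLOWS, "203.0.113.10").items():
        print(f"{service}: {len(details['reflectors'])} reflectors, "
              f"{details['inbound_bytes']} bytes")
```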
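For the layer 7 methods in the list (XML-RPC pingback bursts and GET/POST floods), here is a second added example, again not from the article, that runs two sliding-window checks over Apache access-log lines: repeated POSTs to xmlrpc.php from one client, and a client pulling an outsized volume of response data. The log lines, thresholds and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined access-log prefix; fields after the size are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample (not real traffic): an ordinary visitor, a client hammering
# xmlrpc.php, and a client repeatedly pulling a large file.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.21 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.21 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.21 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.21 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.77 - - [10/Oct/2023:13:55:37 +0000] "GET /downloads/big.iso HTTP/1.1" 200 734003200
192.0.2.77 - - [10/Oct/2023:13:55:38 +0000] "GET /downloads/big.iso HTTP/1.1" 200 734003200
"""

def parse(log_text):
    # Yield one dict per well-formed line; lines that do not fit the format are skipped.
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            d["size"] = 0 if d["size"] == "-" else int(d["size"])
            yield d

def find_l7_floods(log_text, window_s=5, max_xmlrpc=3, max_bytes=1_000_000_000):
    """Flag clients that burst POSTs at xmlrpc.php or pull an outsized volume of
    data within a sliding window. Returns {ip: reason}."""
    xmlrpc = defaultdict(list)   # ip -> timestamps of POST /xmlrpc.php
    volume = defaultdict(list)   # ip -> (timestamp, bytes) of every response
    alerts = {}
    for r in parse(log_text):
        ip, ts = r["ip"], r["ts"]
        if r["method"] == "POST" and r["path"].startswith("/xmlrpc.php"):
            xmlrpc[ip].append(ts)
            recent = [t for t in xmlrpc[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent) > max_xmlrpc:
                alerts[ip] = f"{len(recent)} xmlrpc.php POSTs in {window_s}s (pingback abuse)"
        volume[ip].append((ts, r["size"]))
        recent_bytes = sum(b for t, b in volume[ip] if (ts - t).total_seconds() <= window_s)
        if recent_bytes > max_bytes:
            alerts.setdefault(ip, f"{recent_bytes} response bytes in {window_s}s (GET flood)")
    return alerts
```

SLOWLORIS connections never complete, so they never reach the access log at all; that one has to be spotted in connection-state data (the server’s status page or socket states) rather than here.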
Stressers and booters are often used by “kiddies” to kick users off of video game systems, but they’re much more powerful when used in large scale DDoS attacks. The widespread availability of IP stressers and IP booters has given many attackers the upper hand in the tug of war with companies and organizations operating mission-critical servers.