DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown
Daniel Kopp, Matthias Wichtlhuber, Ingmar Poese, Jair Santanna, Oliver Hohlfeld, Christoph Dietzel

TL;DR
This study evaluates the impact of an FBI takedown of 15 booter websites on DDoS attack traffic, revealing only a temporary reduction and the quick resurgence of some services through domain changes.
Contribution
It provides an empirical analysis of booter-based DDoS attacks and assesses the short-term effectiveness of law enforcement takedowns in disrupting these services.
Findings
Takedown caused only a temporary decrease in attack traffic.
Some booters quickly resumed operations using new domains.
DDoS attack properties vary across different booter services.
Abstract
Booter services continue to provide popular DDoS-as-a-service platforms and enable anyone, irrespective of their technical ability, to execute DDoS attacks with devastating impact. Since booters are a serious threat to Internet operations and can cause significant financial and reputational damage, they also draw the attention of law enforcement agencies and related counter activities. In this paper, we investigate booter-based DDoS attacks in the wild and the impact of an FBI takedown targeting 15 booter websites in December 2018 from the perspective of a major IXP and two ISPs. We study and compare attack properties of multiple booter services by launching Gbps-level attacks against our own infrastructure. To understand spatial and temporal trends of the DDoS traffic originating from booters, we scrutinize 5 months' worth of inter-domain traffic. We observe that the takedown only leads…
