{
	"id": "541d9172-6f68-47c0-8654-609dffe4ca8b",
	"created_at": "2026-04-06T00:22:09.800778Z",
	"updated_at": "2026-04-10T03:22:00.749087Z",
	"deleted_at": null,
	"sha1_hash": "3ce42aa8a77efcbffee3c0d5bf7b63dcb01b3a07",
	"title": "Are the Days of “Booter” Services Numbered?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 599321,
	"plain_text": "Are the Days of “Booter” Services Numbered?\r\nPublished: 2016-10-27 · Archived: 2026-04-05 19:23:05 UTC\r\nIt may soon become easier for Internet service providers to anticipate and block certain types of online assaults\r\nlaunched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released\r\ntoday suggests.\r\nThe findings come from researchers in Germany who’ve been studying patterns that emerge when miscreants\r\nattempt to mass-scan the entire Internet looking for systems useful for launching these digital sieges — known as\r\n“distributed denial-of-service” or DDoS attacks.\r\nTo understand the significance of their research, it may help to briefly examine how DDoS attacks have evolved.\r\nNot long ago, if one wanted to take down a large Web site, one had to build and maintain a large robot network, or\r\n“botnet,” of hacked computers — which is a fairly time-intensive, risky and technical endeavor.\r\nThese days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by\r\npaying a few bucks for a subscription to one of dozens of booter or stresser services, some of which even accept\r\ncredit cards and PayPal payments.\r\nThese Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful\r\nservers that are rented from some dodgy “bulletproof” hosting provider. The booter service accepts payment and\r\nattack instructions via a front-end Web site that is hidden behind Cloudflare (a free DDoS protection service).\r\nBut the back end of the booter service is where the really interesting stuff happens. 
Virtually all of the most\r\npowerful and effective attack types used by booter services rely on a technique called traffic amplification and\r\nreflection, in which the attacker bounces, or “reflects,” spoofed traffic off one or more third-party machines toward\r\nthe intended target.\r\nhttps://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/\r\nPage 1 of 5\n\nIn this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the\r\nvictim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger\r\nthan the original message, thereby amplifying the size of the attack.\r\nTo find vulnerable systems that can be leveraged this way, booters employ large-scale Internet scanning services\r\nthat constantly seek to refresh the list of systems that can be used for amplification and reflection attacks. They do\r\nthis because, as research has shown (PDF), anywhere from 40-50 percent of the amplifiers vanish or are\r\nreassigned new Internet addresses after one week.\r\nEnter researchers from Saarland University in Germany, as well as the Yokohama National University and\r\nNational Institute of Information and Communications Technology — both in Japan. In a years-long project\r\nfirst detailed in 2015, the researchers looked for scanning that appeared to be kicked off by ne’er-do-wells running\r\nbooter services.\r\nTo accomplish this, the research team built a kind of distributed “honeypot” system — which they dubbed\r\n“AmpPot” — designed to mimic services known to be abused in amplification attacks, such as DNS and\r\nNTP.\r\n“To make them attractive to attackers, our honeypots send back legitimate responses,” the researchers wrote in a\r\n2015 paper (PDF). “Attackers, in turn, will abuse these honeypots as amplifiers, which allows us to observe\r\nongoing attacks, their victims, and the DDoS techniques. 
To prevent damage caused by our honeypots, we limit\r\nthe response rate. This way, while attackers can still find these rate-limited honeypots, the honeypots stop replying\r\nin the face of attacks.”\r\nIn that 2015 paper, the researchers said they deployed 21 globally-distributed AmpPot instances, which observed\r\nmore than 1.5 million attacks between February and May 2015. Analyzing the attacks more closely, they found\r\nthat more than 96% of the attacks stemmed from single sources, such as booter services.\r\n“When focusing on amplification DDoS attacks, we find that almost all of them (>96%) are caused by single\r\nsources (e.g. booters), and not botnets,” the team concluded. “However, we sadly do not have the numbers to\r\ncompare this [to] DoS attacks in general.”\r\nMany large-scale Internet scans like the ones the researchers sought to measure are launched by security firms and\r\nother researchers, so the team needed a way to differentiate between scans launched by booter services and those\r\nconducted for research or other benign purposes.\r\n“To distinguish between scans performed by researchers and scans performed with malicious intent we relied on a\r\nsimple assumption: That no attack would be based on the results of a scan performed by (ethical) researchers,”\r\nsaid Johannes Krupp, one of the main authors of the report. 
“In fact, thanks to our methodology, we do not have\r\nto make this distinction upfront, but we can rather look at the results and say: ‘We found attacks linked to this\r\nscanner, therefore this scanner must have been malicious.’ If a scan was truly performed by benign parties, we will\r\nnot find attacks linked to it.”\r\nSECRET IDENTIFIERS\r\nWhat’s new in the paper being released today by students at Saarland University’s Center for IT-Security, Privacy\r\nand Accountability (CISPA) is the method by which the researchers were able to link these mass-scans to the very\r\namplification attacks that follow soon after.\r\nThe researchers worked out a way to encode a secret identifier into the set of AmpPot honeypots that each scan\r\nsource gets to see, so that the set of honeypots abused by any subsequent attack points back to the scanner that\r\nfound them. They then tested to see if the scan infrastructure was also\r\nused to actually launch (and not just to prepare) the attacks.\r\nTheir scheme was based in part on the idea that similar traffic sources should have to travel similar Internet\r\ndistances to reach the globally-distributed AmpPot sensors. To do this, they looked at the number of “hops” or\r\nInternet network segments that each scan and attack had to traverse.\r\nUsing trilateration, the process of determining absolute or relative locations of points by measuring\r\ndistances, the research team was able to link scanners to attack origins based on hop counts.\r\nThese methods revealed some 286 scanners that are used by booter services in preparation for launching\r\namplification attacks. Further, they discovered that roughly 75 percent of those scanners are located in the United\r\nStates.\r\nThe researchers say they were able to confirm that many of the same networks that host scanners are also being\r\nused to launch the attacks. 
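The following is an added example, not code from the AmpPot project or from the CISPA paper, that sketches in Python the two attribution signals described above: a per-scanner selective response that encodes an identifier into the set of honeypots a scanner is shown, and a comparison of the hop counts seen during the scan with those seen during the attack. It assumes a codebook built from the seven lines of the Fano plane (so any two scanners are shown three sensors that overlap in exactly one), hop counts inferred from a packet’s TTL by rounding up to the nearest common initial TTL, and a handful of constructed scanner addresses, sensor names and TTL readings; none of those choices come from the paper.

```python
# Added illustration (not AmpPot/CISPA code): per-scanner selective response
# plus TTL-derived hop-count matching, run on constructed data.
SENSORS = ['hp0', 'hp1', 'hp2', 'hp3', 'hp4', 'hp5', 'hp6']

# Assumed codebook: the seven lines of the Fano plane. Any two codewords
# share exactly one sensor, so an attack that reaches only two of a
# scanner's three sensors still points at a single scanner.
CODEBOOK = [
    frozenset({'hp0', 'hp1', 'hp2'}), frozenset({'hp0', 'hp3', 'hp4'}),
    frozenset({'hp0', 'hp5', 'hp6'}), frozenset({'hp1', 'hp3', 'hp5'}),
    frozenset({'hp1', 'hp4', 'hp6'}), frozenset({'hp2', 'hp3', 'hp6'}),
    frozenset({'hp2', 'hp4', 'hp5'}),
]


def jaccard(a, b):
    a, b = frozenset(a), frozenset(b)
    return len(a & b) / len(a | b) if (a or b) else 0.0


def hop_count(ttl):
    # Infer the sender's initial TTL as the smallest common default >= ttl;
    # the difference is the number of hops the packet travelled to reach us.
    for initial in (32, 64, 128, 255):
        if ttl <= initial:
            return initial - ttl
    raise ValueError('ttl out of range')


def hop_profiles_match(scan_ttls, attack_ttls, tolerance=1):
    # Spoofing the source address does not change the path from the real
    # sender to a sensor, so scan and attack packets from the same host
    # should show the same hop count at every sensor both of them reached.
    common = set(scan_ttls) & set(attack_ttls)
    return bool(common) and all(
        abs(hop_count(scan_ttls[s]) - hop_count(attack_ttls[s])) <= tolerance
        for s in common)


class SelectiveResponder:
    # Gives every scanner source a codeword on first contact; a sensor sends
    # its amplified reply to a scanner only if it belongs to that codeword.
    def __init__(self):
        self.codes = {}      # scanner ip -> codeword
        self.scan_ttls = {}  # scanner ip -> {sensor: ttl seen in the probe}

    def on_probe(self, sensor, scanner_ip, ttl):
        if scanner_ip not in self.codes:
            if len(self.codes) == len(CODEBOOK):
                raise RuntimeError('codebook exhausted')
            self.codes[scanner_ip] = CODEBOOK[len(self.codes)]
        self.scan_ttls.setdefault(scanner_ip, {})[sensor] = ttl
        return sensor in self.codes[scanner_ip]  # True: answer the probe

    def attribute(self, abused_sensors, min_score=0.5):
        # Rank registered scanners by overlap between their codeword and the
        # sensors an attack actually abused; refuse ties and weak matches.
        ranked = sorted(((jaccard(abused_sensors, code), ip)
                         for ip, code in self.codes.items()), reverse=True)
        if not ranked or ranked[0][0] < min_score:
            return None
        if len(ranked) > 1 and ranked[1][0] == ranked[0][0]:
            return None
        return ranked[0][1]


def run_scenario():
    r = SelectiveResponder()
    # Constructed scans: scanner A probes every sensor and is shown the first
    # codeword; scanner B, from a different network, is shown the second.
    seen_by_a = [s for s, ttl in zip(SENSORS, [50, 48, 51, 45, 44, 47, 46])
                 if r.on_probe(s, '203.0.113.10', ttl)]
    for s, ttl in zip(SENSORS, [230, 229, 232, 226, 225, 228, 227]):
        r.on_probe(s, '198.51.100.20', ttl)
    a_scan = r.scan_ttls['203.0.113.10']
    # Constructed attacks (sensor -> TTL of the spoofed packets it received):
    same_host = {'hp0': 49, 'hp1': 47, 'hp2': 50}    # A's set, A's path
    partial = {'hp1': 47, 'hp2': 50}                 # one of A's sensors down
    unknown = {'hp5': 40, 'hp6': 41}                 # no registered scanner
    resold = {'hp0': 120, 'hp1': 118, 'hp2': 121}    # A's set, other network
    return {
        'seen_by_a': seen_by_a,
        'same_host': (r.attribute(same_host), hop_profiles_match(a_scan, same_host)),
        'partial': r.attribute(partial),
        'unknown': r.attribute(unknown),
        'resold': (r.attribute(resold), hop_profiles_match(a_scan, resold)),
    }


if __name__ == '__main__':
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

Run as a script it prints one line per constructed attack. The codeword identifies the scanner that found the honeypots; the hop-count check then says whether the attack packets travelled the same path as that scanner’s probes. The ‘resold’ case is where the two signals disagree: the abused set names scanner A, but the TTLs show the flood came from a different network, which is the scan-only versus scan-and-attack distinction the researchers set out to test.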
More significantly, the researchers were able to attribute approximately one-third of the attacks\r\nback to their origin.\r\n“This is an impressive result, given that the spoofed source of amplification attacks usually remains hidden,” said\r\nChristian Rossow of Saarland University.\r\nRossow said the team hopes to conduct further research on their methods to more definitively tie scanning and\r\nattack activity to specific booter services by name. The group is already offering a service to hosting providers and\r\nISPs to share information about incidents (such as attack start and end times). Providers can then use the attack\r\ninformation to inform their customers or to filter attack traffic.\r\n“We have shared our findings with law enforcement agencies — in particular, Europol and the FBI — and a\r\nclosed circle of tier-1 network providers that use our insights on an operational basis,” the researchers wrote. “Our\r\noutput can be used as forensic evidence both in legal complaints and in ways to add social pressure against\r\nspoofing sources.”\r\nANALYSIS\r\nEven if these newly-described discovery methods were broadly deployed today, it’s unlikely that booter services\r\nwould be going away anytime soon. But this research certainly holds the promise that booter service owners will\r\nbe less able to hide the true location of their operations going forward, and that perhaps more of them\r\nwill be held accountable for their crimes.\r\nEfforts by other researchers have made it more difficult for booter and stresser services to accept PayPal\r\npayments, forcing more booters to rely on Bitcoin.\r\nAlso, there are a number of initiatives that seek to identify a handful of booter services which resell their\r\ninfrastructure to other services that brand and market them as their own. 
Case in point, in September 2016 I\r\npublished an exposé on vDOS, a booter service that earned (conservatively) $600,000 over two years helping to\r\nlaunch more than 150,000 DDoS attacks.\r\nTurns out, vDOS’s infrastructure was used by more than a half-dozen other booter services, and shortly after\r\nvDOS was taken offline most of those services went dark or were dismantled as well.\r\nOne major shift that could help to lessen the appeal of booter services — both for the profit-seeking booter\r\nproprietors and their customers — is a clear sign from law enforcement officials that this activity is in fact illegal\r\nand punishable by real jail time. So far, many booter service owners have been operating under the delusion or\r\nrationalization that their services are intended solely for Web site owners to test the ability of their sites to\r\nwithstand data deluges. The recent arrest of two alleged Lizard Squad members who resold vDOS services\r\nthrough their own “PoodleStresser” service is a good start.\r\nMany booter operators apparently believe (or at least hide behind) a wordy “terms of service” agreement that all\r\ncustomers must acknowledge somehow absolves them of any sort of liability for how their customers use the\r\nservice — regardless of how much hand-holding and technical support they offer those customers.\r\nIndeed, the proprietors of vDOS — who were arrested shortly after my story about them — told the Wall Street\r\nJournal through their attorneys that, “If I was to buy a gun and shoot something, is the person that invents the gun\r\nguilty?”\r\nThe alleged proprietors of vDOS — 18-year-old Israelis Yarden Bidani and Itay Huri — were released from\r\nhouse arrest roughly ten days after their initial arrest. 
To date, no charges have been filed against either man, but I\r\nhave reason to believe that may not be the case for long.\r\nMeanwhile, changes may be afoot for booter services advertised at Hackforums[dot]net, probably the biggest\r\nopen-air online marketplace where booter services are advertised, compared and rated (hat tip to\r\n@MalwareTechblog). Earlier this week, Hackforums administrator Jesse “Omniscient” LaBrocca began\r\nrestricting access to its “stressers” subsection of the sprawling forum, and barring forum members from\r\nadvertising booter services in their user profiles.\r\n“I can absolutely see a day when it’s removed entirely,” LaBrocca said in a post explaining his actions. “Could be\r\nvery soon too.”\r\n[Image: Hackforums administrator Jesse “Omniscient” LaBrocca explaining a decision to restrict access to the “stressers”\r\nportion of the Hackforums marketplace.]\r\nMy worry is that we may soon see a pendulum shift in the way that many booter services operate. For now, the\r\nsize of attacks launched by booter services is somewhat dependent on the number and power of the back-end\r\nservers used to initiate amplification and reflection attacks.\r\nHowever, I could see a day in the not-too-distant future in which booter service operators start earning most of\r\ntheir money by reselling far more powerful attacks launched by actual botnets made from large networks of\r\nhacked Internet of Things (IoT) devices — such as poorly-secured CCTV cameras and digital video recorders\r\n(DVRs).\r\nIn some ways this has already happened, as I detailed in my January 2015 story, Lizard Stresser Runs on Hacked\r\nHome Routers. 
But with the now public release of the source code for the Mirai botnet — the same malware strain\r\nthat was used in the record 620 Gbps DDoS on my site last month and in the widespread Internet outage last week\r\ncaused by an attack against infrastructure provider Dyn — far more powerful and scalable attacks are now\r\navailable for resale.\r\nA copy of the paper released today at the ACM CCS conference in Vienna is available here (PDF).\r\nSource: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/"
	],
	"report_names": [
		"are-the-days-of-booter-services-numbered"
	],
	"threat_actors": [],
	"ts_created_at": 1775434929,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3ce42aa8a77efcbffee3c0d5bf7b63dcb01b3a07.pdf",
		"text": "https://archive.orkl.eu/3ce42aa8a77efcbffee3c0d5bf7b63dcb01b3a07.txt",
		"img": "https://archive.orkl.eu/3ce42aa8a77efcbffee3c0d5bf7b63dcb01b3a07.jpg"
	}
}