Inside Booters: an analysis on operational databases

José Jair Cardoso de Santanna; Romain Durban; Anna Sperotto; Aiko Pras

doi:10.1109/INM.2015.7140320

Inside Booters: an analysis on operational databases

José Jair Cardoso de Santanna, Romain Durban, Anna Sperotto, Aiko Pras

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

20 Citations (Scopus)

975 Downloads (Pure)

Abstract

Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.

Original language	Undefined
Title of host publication	IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)
Editors	Remi Badonnel, Jin Xiao, Shingo Ata, Filip De Turck, Voicu Groza, Carlos Raniery P. dos Santos
Place of Publication	USA
Publisher	IEEE
Pages	432-440
Number of pages	9
ISBN (Print)	978-3-901882-76-0
DOIs	https://doi.org/10.1109/INM.2015.7140320
Publication status	Published - 11 May 2015
Event	14th IFIP/IEEE International Symposium on Integrated Network Management, IM 2015: Integrated Management in the Age of Big Data - Shaw Centre, Ottawa, Canada Duration: 11 May 2015 → 15 May 2015 Conference number: 14 http://im2015.ieee-im.org/

Publication series

Name
Publisher	IEEE Computer Society

Conference

Conference	14th IFIP/IEEE International Symposium on Integrated Network Management, IM 2015
Abbreviated title	IM 2015
Country/Territory	Canada
City	Ottawa
Period	11/05/15 → 15/05/15
Internet address	http://im2015.ieee-im.org/

Keywords

EWI-26166
DACS: Booters
booter
METIS-312682
database analysis
DDoS
IR-96840
stresser

Access to Document

10.1109/INM.2015.7140320

Cite this

@inproceedings{d9a36b327d75437ca82c67d0c957f8c9,

title = "Inside Booters: an analysis on operational databases",

abstract = "Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.",

keywords = "EWI-26166, DACS: Booters, booter, METIS-312682, database analysis, DDoS, IR-96840, stresser",

author = "{Cardoso de Santanna}, {Jos{\'e} Jair} and Romain Durban and Anna Sperotto and Aiko Pras",

note = "10.1109/INM.2015.7140320 ; 14th IFIP/IEEE International Symposium on Integrated Network Management, IM 2015 ; Conference date: 11-05-2015 Through 15-05-2015",

year = "2015",

month = may,

day = "11",

doi = "10.1109/INM.2015.7140320",

language = "Undefined",

isbn = "978-3-901882-76-0",

publisher = "IEEE",

pages = "432--440",

editor = "Remi Badonnel and Jin Xiao and Shingo Ata and {De Turck}, Filip and Voicu Groza and {dos Santos}, {Carlos Raniery P.}",

booktitle = "IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)",

address = "United States",

url = "http://im2015.ieee-im.org/",

}

Cardoso de Santanna, JJ, Durban, R, Sperotto, A & Pras, A 2015, Inside Booters: an analysis on operational databases. in R Badonnel, J Xiao, S Ata, F De Turck, V Groza & CRP dos Santos (eds), IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). IEEE, USA, pp. 432-440, 14th IFIP/IEEE International Symposium on Integrated Network Management, IM 2015, Ottawa, Ontario, Canada, 11/05/15. https://doi.org/10.1109/INM.2015.7140320

Inside Booters: an analysis on operational databases. / Cardoso de Santanna, José Jair; Durban, Romain; Sperotto, Anna et al.
IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). ed. / Remi Badonnel; Jin Xiao; Shingo Ata; Filip De Turck; Voicu Groza; Carlos Raniery P. dos Santos. USA: IEEE, 2015. p. 432-440.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Inside Booters: an analysis on operational databases

AU - Cardoso de Santanna, José Jair

AU - Durban, Romain

AU - Sperotto, Anna

AU - Pras, Aiko

N1 - Conference code: 14

PY - 2015/5/11

Y1 - 2015/5/11

N2 - Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.

AB - Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.

KW - EWI-26166

KW - DACS: Booters

KW - booter

KW - METIS-312682

KW - database analysis

KW - DDoS

KW - IR-96840

KW - stresser

U2 - 10.1109/INM.2015.7140320

DO - 10.1109/INM.2015.7140320

M3 - Conference contribution

SN - 978-3-901882-76-0

SP - 432

EP - 440

BT - IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)

A2 - Badonnel, Remi

A2 - Xiao, Jin

A2 - Ata, Shingo

A2 - De Turck, Filip

A2 - Groza, Voicu

A2 - dos Santos, Carlos Raniery P.

PB - IEEE

CY - USA

T2 - 14th IFIP/IEEE International Symposium on Integrated Network Management, IM 2015

Y2 - 11 May 2015 through 15 May 2015

ER -