Abstract

Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making the needed attack infrastructure transparent to the user and by lowering the knowledge required to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters' operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis of 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records that are completely identical, (ii) users that accessed Booters via proxies and VPNs performed many more attacks than those that accessed them using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics, facilitating future work to mitigate this phenomenon.
Original language: Undefined
Title of host publication: IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)
Editors: Remi Badonnel, Jin Xiao, Shingo Ata, Filip De Turck, Voicu Groza, Carlos Raniery P. dos Santos
Place of Publication: USA
Publisher: IEEE Computer Society
Pages: 432-440
Number of pages: 9
ISBN (Print): 978-3-901882-76-0
DOIs: 10.1109/INM.2015.7140320
State: Published - 11 May 2015

Publication series

Name:
Publisher: IEEE Computer Society

Fingerprint

  • Websites
  • Internet
  • Denial-of-service attack
  • Sales

Keywords

  • EWI-26166
  • DACS: Booters
  • booter
  • METIS-312682
  • database analysis
  • DDoS
  • IR-96840
  • stresser

Cite this

Cardoso de Santanna, J. J., Durban, R., Sperotto, A., & Pras, A. (2015). Inside Booters: an analysis on operational databases. In R. Badonnel, J. Xiao, S. Ata, F. De Turck, V. Groza, & C. R. P. dos Santos (Eds.), IFIP/IEEE International Symposium on Integrated Network Management (IM 2015) (pp. 432-440). USA: IEEE Computer Society. DOI: 10.1109/INM.2015.7140320

Cardoso de Santanna, José Jair; Durban, Romain; Sperotto, Anna; Pras, Aiko / Inside Booters: an analysis on operational databases.

IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). ed. / Remi Badonnel; Jin Xiao; Shingo Ata; Filip De Turck; Voicu Groza; Carlos Raniery P. dos Santos. USA : IEEE Computer Society, 2015. p. 432-440.

Research output: Scientific - peer-review › Conference contribution

@inbook{d9a36b327d75437ca82c67d0c957f8c9,
title = "Inside Booters: an analysis on operational databases",
abstract = "Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.",
keywords = "EWI-26166, DACS: Booters, booter, METIS-312682, database analysis, DDoS, IR-96840, stresser",
author = "{Cardoso de Santanna}, {José Jair} and Romain Durban and Anna Sperotto and Aiko Pras",
note = "10.1109/INM.2015.7140320",
year = "2015",
month = "5",
doi = "10.1109/INM.2015.7140320",
isbn = "978-3-901882-76-0",
publisher = "IEEE Computer Society",
pages = "432--440",
editor = "Remi Badonnel and Jin Xiao and Shingo Ata and {De Turck}, Filip and Voicu Groza and {dos Santos}, {Carlos Raniery P.}",
booktitle = "IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)",
address = "United States",
}

Cardoso de Santanna, JJ, Durban, R, Sperotto, A & Pras, A 2015, Inside Booters: an analysis on operational databases. in R Badonnel, J Xiao, S Ata, F De Turck, V Groza & CRP dos Santos (eds), IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). IEEE Computer Society, USA, pp. 432-440. DOI: 10.1109/INM.2015.7140320

TY  - CHAP
T1  - Inside Booters: an analysis on operational databases
AU  - Cardoso de Santanna, José Jair
AU  - Durban, Romain
AU  - Sperotto, Anna
AU  - Pras, Aiko
N1  - 10.1109/INM.2015.7140320
PY  - 2015/5/11
Y1  - 2015/5/11
N2  - Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.
AB  - Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that Web sites selling attacks for prices starting from $1.00 are becoming popular. These Web sites, called Booters, facilitate attacks by making transparent the needed infrastructure to perform attacks and by lowering the knowledge to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis on 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several database records completely equal, (ii) users that access Booters via proxies and VPNs performed much more attacks than those that accessed using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics facilitating future works to mitigate this phenomenon.
KW  - EWI-26166
KW  - DACS: Booters
KW  - booter
KW  - METIS-312682
KW  - database analysis
KW  - DDoS
KW  - IR-96840
KW  - stresser
U2  - 10.1109/INM.2015.7140320
DO  - 10.1109/INM.2015.7140320
M3  - Conference contribution
SN  - 978-3-901882-76-0
SP  - 432
EP  - 440
BT  - IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)
PB  - IEEE Computer Society
ER  -

Cardoso de Santanna JJ, Durban R, Sperotto A, Pras A. Inside Booters: an analysis on operational databases. In Badonnel R, Xiao J, Ata S, De Turck F, Groza V, dos Santos CRP, editors, IFIP/IEEE International Symposium on Integrated Network Management (IM 2015). USA: IEEE Computer Society. 2015. p. 432-440. DOI: 10.1109/INM.2015.7140320