Rent a denial-of-service booter for $60, wreak $720k in damage

Or $7.2 million a day, by some measures

Criminals can pay distributed-denial-of-service attackers less than US$60 to inflict as much as US$720,000 in damage to an organisation per day, researcher Dennis Schwarz says.

The so-called booter or stresser services are commonly sold as would-be legitimate tools for security professionals. These tools are supposedly used to test the resilience of corporate networks by flooding them offline with junk network traffic.

But in reality many booters are used for illegal DDoS and use hacked and stolen router and machine resources to power the attacks.

Schwarz examined one booter service sold on a Russian crime forum by a user known as Forceful, comparing the daily rental cost with the average damage of a DDoS attack and analysing an acquired malware binary.

"In this marketplace, it almost always starts with an advertisement for a DDoS booter service on one of the many public Russian language forums," Schwarz says.

"The reason people buy a booter service is people getting upset with other gamers, robbery, and anti-competition in businesses, ransom … and possibly diversion while carrying out other attacks."

DDoS damage per minute.

Arbor says in its Worldwide Infrastructure Security Report [PDF] that the average cost is US$500 per minute, largely due to downtime and reputational damage, and the price of remediation.

About a third of the 354 respondents to that research survey report DDoS attacks cost up to $5,000 a minute.

Extrapolating that figure could mean a booter attack could cause US$7.2 million (£6.6 million, A$9.8 million) in damages a day; however, it is likely those organisations would have robust DDoS defence and response mechanisms.

Schwarz says the imbalance between the rental price of attacks and the cost of damage to targets "highlights both the extreme asymmetry of the economics of DDoS attackers" and the need for DDoS defenses.

Forceful charges US$60 a day to rent their booter, or US$400 a week, with free five- to 10-minute tests.

Arbor Networks' BladeRunner monitored the attacks and found that from July to October the booter bot was rented for 82 attacks equaling US$5,408.

The number of DDoS attacks is on the rise. In the dying months of last year, attacks jumped 149 percent compared to the same period in 2014, according to Akamai.
