You may have come across the term “booter services” in the past and wondered what it means. A booter service is an on-demand Distributed Denial-of-Service (DDoS) attack offered by cybercriminals. The attacks bring down websites or whole networks. A booter attack is an illegal use of an IP stresser.
These attacks often mask the identity of the attacker by using proxy servers. These proxies reroute online connections through other IPs to hide the original IP address of an attacker.
Booter services are commonly offered as Software-as-a-Service (SaaS) style bundles. These bundles come with tutorials and customer support. Attacks can be sold as a one-time service or as regular attacks over a set period. Some attackers also offer “lifetime” access, where customers can request an attack whenever they want. Basic booter service packages are available for as low as $19.99 per month. Payment is accepted in cryptocurrency, credit cards, Skrill, and PayPal. PayPal, however, cancels payments and suspends accounts involved with malicious services like this.
What Are Amplification and Reflection Attacks?
Amplification and reflection attacks use legitimate traffic to overwhelm target networks and servers. The attacker forges the victim’s IP address and sends messages to third-party servers pretending to be the victim, an act known as IP address spoofing. Because the third party cannot tell that the IP address has been spoofed, it responds to the victim. Neither side can see the IP address of the attacker. This is a reflection attack.
Think of it like ordering pizza to someone else’s house while pretending to be them. The person has to pay for the pizza they didn’t order. In this case, the server has to deal with traffic it never asked for.
A traffic amplification attack is when an attacker forces third-party servers to send responses to a victim containing as much data as possible. The ratio of the response size to the request size is the amplification factor of the attack. The more amplified the attack is, the greater the amount of potential disruption for victims. This attack also disrupts the third-party server, because it has to process so many spoofed requests.
The most effective booter attacks employ some form of amplification or reflection. Attackers fake the target address and use it to message a third-party. The reply is sent to the target. The response is amplified and much bigger than the original message, leading to a more impactful attack.
To go back to our pizza comparison from earlier, each bot involved in the attack is like one malicious prankster calling a restaurant. They call the restaurant, order everything on the menu, and request a callback confirming the order. The restaurant calls the victim and gives them a flood of information they never asked for or expected. The more bots involved in the attack, the more significant the impact.
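The two symptoms described above, unsolicited replies landing on a victim and a service handing back far more bytes than it was asked for, can both be read out of flow records. The following is an added example, not code from the article; the flow records, addresses and port list are constructed for illustration, and it assumes NetFlow-style tuples with the fields shown.

```python
"""Spot reflection/amplification traffic in flow records (constructed example)."""
from collections import defaultdict

REFLECTOR_PORTS = {53, 123, 1900, 11211}  # DNS, NTP, SSDP, memcached

# Constructed flow records, not from the article. RFC 5737 addresses.
# Fields: (src_ip, src_port, dst_ip, dst_port, proto, bytes)
SAMPLE_FLOWS = [
    # Normal NTP exchange: 203.0.113.10 asks, 198.51.100.5 answers once.
    ("203.0.113.10", 40001, "198.51.100.5", 123, "udp", 76),
    ("198.51.100.5", 123, "203.0.113.10", 40001, "udp", 76),
    # 203.0.113.20 receives large replies from servers it never queried.
    ("198.51.100.7", 123, "203.0.113.20", 80, "udp", 4820),
    ("198.51.100.8", 123, "203.0.113.20", 80, "udp", 4820),
    ("198.51.100.9", 53, "203.0.113.20", 80, "udp", 3000),
    ("198.51.100.7", 123, "203.0.113.20", 80, "udp", 4820),
    # Seen at a resolver: a 60-byte query earns a 3000-byte answer.
    ("192.0.2.77", 5353, "198.51.100.9", 53, "udp", 60),
    ("198.51.100.9", 53, "192.0.2.77", 5353, "udp", 3000),
]

def unsolicited_responses(flows, ports=REFLECTOR_PORTS):
    """Victim side: {dst_ip: (distinct_reflectors, total_bytes)} for hosts that
    get UDP from a reflector service port without a matching outbound request."""
    outbound = {(s, sp, d, dp) for s, sp, d, dp, proto, _ in flows if proto == "udp"}
    hits = defaultdict(lambda: [set(), 0])
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp" or sport not in ports:
            continue
        if (dst, dport, src, sport) in outbound:  # the receiver really asked
            continue
        hits[dst][0].add(src)
        hits[dst][1] += nbytes
    return {v: (len(r), b) for v, (r, b) in hits.items()}

def amplification_factors(flows, ports=REFLECTOR_PORTS):
    """Reflector side: {(server, port, client): bytes_out / bytes_in}, i.e. the
    amplification factor each client is getting from a service we operate."""
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport in ports:
            req[(dst, dport, src)] += nbytes
        elif sport in ports:
            resp[(src, sport, dst)] += nbytes
    return {k: round(resp[k] / req[k], 1) for k in req if k in resp}
```

On the sample, the victim check flags only 203.0.113.20 (three reflectors, 17,460 bytes), and the reflector check shows the resolver answering 192.0.2.77 at 50x, which is the kind of ratio that warrants rate limiting or response-size controls on that service.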
Why are Booter Attacks Difficult to Trace?
Booter services are difficult to trace because people buy them through front websites where they make payments and leave instructions. It is impossible to connect the attack to the request or payment, making it challenging to prove criminal intent. However, criminals can be tracked by following the paper trail and seeing where the money went.