Over the last two years, corporations, independent researchers and law enforcement agencies around the world have attempted to curb the growth of the DDoS-for-Hire industry through a series of takedowns and arrests. Despite global efforts, the illicit industry continues to grow, utilizing new attack vectors and producing large-scale, record-breaking DDoS attacks.
Arrests and Takedowns Have Little Impact
Traditionally, takedowns and arrests are effective forms of control over criminal activity. They serve as a practical way to remove known threats and send a clear message to criminal operators. The problem is that the booter and stresser industry is complicated, dynamic and a profitable venture for cybercriminals. If you remove one threat, dozens of other criminals will seize the opportunity to fill the void.
For example, over the last two years we have seen several notable takedowns related to botnet activity. At the end of 2018, the FBI seized the domains of 15 booter services that were known to represent some of the world’s leading DDoS-for-hire services. In October 2019, Dutch police seized servers from bulletproof hosting provider K.V. Solutions. These servers were known to be malicious, hosting several command and control servers for IoT botnets. In April 2020, Dutch police, working with hosting services, registrars, international police forces, Europol, Interpol and the FBI, took down another 15 unnamed booters.
One would assume this would have put a noticeable dent in the overall booter and stresser industry. And while some have reported minor decreases in DDoS-related activity after the arrests and takedowns, overall, these actions were ineffective. In fact, in 2019, a white paper titled "DDoS Hide & Seek: On the Effectiveness of a Booter Service Takedown" reviewed the 2018 takedown by the FBI and determined that these activities led to a temporary reduction in attack traffic. Criminals were quick to replace those that had been removed.
The Advertisement Problem
Just like any other industry, legal or illegal, criminal booters must find a way to distinguish themselves and advertise their services. In the past, groups like Lizard Squad would engage in "stunt hacking." This involved launching large-scale DDoS attacks and using Twitter to post about the outage as a form of advertising.
Today, things are different. We no longer have notorious DDoS groups roaming social media or launching attacks. The landscape seems quiet, but that is not the case. Raging underground is a scene overpopulated with script amateurs looking to impress their friends, cause outages and turn a profit.
One of the reasons for this growth is the accessibility of open source code used to build IoT botnets. The booter and stresser industry has grown so much that it has left law enforcement agencies around the world wondering how they can get a grip on a problem that is spiraling out of control. In the United Kingdom, Britain’s National Crime Agency (NCA) decided to advertise the legal consequences of launching DDoS attacks through Google Ads.