Feds Disrupt Top Stresser/Booter ServicesDDoS-as-a-Service Providers Targeted by Arrests and Takedowns
Fifteen of the world's biggest "stresser/booter" services, designed to enable users to launch distributed denial-of-service attacks against sites on demand, have been shut down, and three men who allegedly ran such services have been charged.
The Los Angeles U.S. Attorney's Office recently charged Matthew Gatrel, 30, of St. Charles, Illinois, and Juan Martinez, 25, of Pasadena, California, with conspiring to violate the Computer Fraud and Abuse Act by operating two stresser/booter sites: Downthem and Ampnode.
The Downthem site was used to launch more than 200,000 DDoS attacks since 2014; it had more than 2,000 registered users. Ampnode enabled customers to create their own DDoS services, according to the criminal complaint.
Using seizure warrants issued by the U.S. District Court for the Central District of California, the FBI, together with law enforcement agencies in the Netherlands and U.K., collectively seized 15 alleged stresser/booter service domains, including critical-boot.com, ragebooter.com, downthem.org and quantumstress.net.
"The action against the DDoS services comes the week before the Christmas holiday, a period historically plagued by prolific DDoS attacks in the gaming world," the Justice Department said.
"The attack-for-hire websites targeted in this investigation offered customers the ability to disrupt computer networks on a massive scale, undermining the internet infrastructure on which we all rely," U.S. Attorney Nicola T. Hanna of the Central District of California said in a statement.
As part of the crackdown, the Alaska U.S. Attorney's Office recently charged David Bukoski, 23, of Hanover Township, Pennsylvania, with aiding and abetting computer intrusions by running a stresser/booter service.
Bukoski has been accused of running Quantum Stresser, one of the world's largest and longest-running DDoS services in operation. First launched in March 2011, Quantum Stresser counted a total of more than 80,000 registered users by last month. Looking just at this year, the site was to launch more than 50,000 actual or attempted DDoS attacks targeting victims worldwide, authorities say.
Downthem and Ampnode
As part of its Downthem and Ampnode investigation, meanwhile, the FBI first interviewed Gatrel on Nov. 19, according to a criminal complaint written by FBI Special Agent Elliott Peterson, who works in the bureau's Alaska Counter Intelligence/Cyber Squad.
During the course of the interview, Gatrel admitted to being an administrator of both the Downthem and Ampnode sites, saying he'd first registered them using Cloudflare, which provides anti-DDoS services, according to the complaint.
Gatrel also said that another individual, who he named only as "Severon," helped to administer Downthem, the FBI's Peterson wrote in the complaint.
Tracing a Gmail address that Gatrel used to communicate with Severon, the FBI says that it then interviewed Martinez on Dec. 17, when he admitted to using the email as well as helping to administer the Downthem site, according to the complaint.
Stresser/Booter Services Remain Illegal
Stresser/booter services have long marketed themselves as a way to stress test websites by flooding them with packets. But such tests, unless carried out by a site's owners, are illegal.
"Whether you launch the DDoS attack or hire a DDoS service to do it for you, the FBI considers it criminal activity," says Matthew Gorham, the assistant director of the FBI's Cyber Division, in a statement.
Law enforcement agencies have regularly disrupted stresser/booter services and arrested their alleged administrators (see: DDoS for Hire: Israel Arrests Two Suspects).
Such moves have not gone unnoticed by the hacking community. In 2016, the notorious Hack Forums, a site that caters to script kiddies and cybercrime wannabes, announced that it had shuttered its Server Stress Testing forum, on which stresser/booter services had long been advertised (see: DDoS Stresser/Booter Services Feel the Heat).
In April, police physically seized servers in multiple countries that were used to provide Webstresser.org, which at the time was reputed to be the world's largest stresser/booter service.
Webstresser offered on-demand DDoS disruption for as little as $14.99 per month, authorities say, allowing anyone - no technical knowledge required - to disrupt sites. The site had 136 million registered users and had launched more than 4 million attacks against websites - ranging from banks and government agencies to police forces and gaming sites - said Europol, the EU's law enforcement intelligence agency (see: Police Seize Webstresser.org, Bust 6 Suspected Admins).
Security experts, however, say rival stresser/booter services quickly moved to fill the gap (see: Life After Webstresser Disruption: No DDoS Holiday).
Gaming Community Ties
The debut of new stresser/booter services is driven, in part, by individuals - often teenagers - with ties to the gaming community.
"There is a definite link between the online gaming community and the use of DDoS attacks," John Fokker, head of cyber investigations for McAfee's Advanced Threat Research group, said in a blog post earlier this year.
"How would someone with only marginal technical knowledge go about knocking off websites? All it takes is simple search on one of the entry-level hacker forums," says Fokker, who notes that many specifically discuss techniques for taking down gaming servers.
For example, in 2017, Adam Mudd in Britain pleaded guilty to developing and selling "Titanium Stresser," a DDoS attack tool that was tied to strikes against organizations such as Microsoft and Sony, which respectively offer Xbox and PlayStation online gaming services. Mudd first built the site when he was 16, and prosecutors say he was trying to cultivate his status with other members of the gaming community (see: Teen Hacker Sentenced Over 'Titanium Stresser' Attacks).
Individuals seeking a way to knock rival gaming sites offline via stresser/booter services have contributed to some of the biggest DDoS attacks in history, including attacks launched by the Mirai botnet in 2016.
Mirai was built to infect internet of things devices by targeting 64 default or hard-coded credentials built into dozens of internet-connected devices, including inexpensive, widely used digital video recorders, wireless cameras and routers (see: Can't Stop the Mirai Malware).
As security journalist Brian Krebs first reported, the original developers of the Mirai botnet, who called themselves Poodlecorp, used it as a tool for disrupting online gaming. The tool was used, in part, to target operators of lucrative Minecraft servers, which could earn their operators $50,000 per month from players renting space to build virtual worlds, Krebs reported.
As Mirai quickly spread, however, compromising hundreds of thousands of devices, the three men who comprised Poodlecorp - Paras Jha of New Jersey, Josiah White of Pennsylvania and Dalton Norman of Louisiana - dumped the Mirai source code online, enabling others to launch subsequent waves of DDoS disruptions, authorities have said (see: Mirai Co-Author Gets House Arrest, $8.6 Million Fine).
Despite this month's takedowns and arrests, it's appears likely that new stresser/booter services will continue to debut.
"While this ... crackdown will have a significant impact on this burgeoning criminal industry, there are other sites offering these services - and we will continue our efforts to rid the internet of these websites," says U.S. Attorney Hanna. "We are committed to seeing the internet remain a forum for the free and unfettered exchange of information."