Dirt-cheap DDoS: The rock-bottom cost of mounting crippling 400Gbps attacks

DDoS attackers seem to prefer to launch assaults at the weekend, but it turns out they aren't actually making that much money from selling their services.
Written by Liam Tung, Contributing Writer


You can hire Russian attackers to knock out a website for two days for just $173, according to new research by Arbor Networks.

'Booter' services run by cybercriminals have been on the security radar for a few years because they allow anyone with a gripe to point a network of infected computers at a target and knock it offline for hours, days, or weeks. Whatever suits the buyer's taste and budget.

Arbor Networks malware researcher Dennis Schwarz has probed one such service by a Russian-language operator, who goes by the name 'Forceful'. Schwarz demonstrates how cheap it is to rent a distributed-denial-of-service (DDoS) attack and how frequently it's deployed.

Forceful asks for $60 a day or $400 a week to deliver a claimed 270Gbps DDoS. The rates are consistent with previous research by Trend Micro on booter prices, which ranged from $13 per day to $200 per day in 2013.

Forceful came to the attention of researchers in July after he accidentally published the executable file for a 'cryptor' tool he employed to hide other malware from antivirus engines.

That sample is now widely detected by AV products and it also led Schwarz to Forceful's DDoS bot, called 'G-Bot', as well as its command-and-control domain 'kypitest[.]ru'. This allowed Arbor Networks to track the frequency, duration and type of DDoS attacks operated by Forceful.

According to Schwarz, it's been used against 108 targets since July, with individual attacks ranging from one hour to two weeks in duration.

Just under half have been against targets in Russia, with a quarter against US websites. However, he notes that some of the attacks of less than one hour could be tests since Forceful advertises a free five- to 10-minute test.

"In the end, the total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54," Schwarz said.

It doesn't sound like a particularly large amount to earn, but new data from CloudFlare suggests that being a DDoS attacker is becoming a weekend job.

During February it observed a 15-fold increase in individual DDoS events.

"These new attacks are interesting for a couple of reasons. First, the spikes align with the weekends. It seems the attackers are busy with something else during the week," CloudFlare DDoS mitigation team member Marek Majkowski wrote.

"Second, they are targeting a couple of fairly benign websites. This demonstrates that anybody can become the target of a large attack. Third, the overall volume of the attack is enormous."

Most attacks during the month peaked at around 240Gbps, but the largest attack for the month peaked at 400Gbps.

While the booter advertisements offer a fairly reliable basis on which to estimate the cost of purchasing a DDoS attack, the cost to victims is less precise.

Arbor Networks attempted to gauge the cost per minute that ISPs faced under a DDoS attack in its annual survey, but few people responded to the question. Still, of those who did, nearly two-thirds estimated that the cost exceeded $500 per minute.
