Law enforcement shut down DDoS booters ahead of annual Christmas DDoS attacks

Law enforcement launch preemptive strike to shut down some of the DDoS services that may be abused to attack gaming services over the Christmas holiday.
Written by Catalin Cimpanu, Contributor
Image: NCA, Politie, DOJ

Law enforcement from the US, the UK, and the Netherlands, have seized the domains of 15 DDoS-for-hire services, ZDNet has learned.

The domain seizures come days before the Christmas holiday, a period of the year when hacker groups have historically targeted gaming providers with DDoS attacks.

The tradition started in 2013, with DerpTrolling's attacks, and then continued the following years. Lizard Squad launched DDoS attacks on Christmas in 2014, a group called Phantom Squad did the same in 2015, R.I.U. Star Patrol in 2016, and several lone hackers last year, in 2017, but with less success than the previous years.

These attacks usually targeted services like the PlayStation Network, Xbox, Steam, Blizzard, or EA Online. The purpose of these attacks, as expressed by the hacker groups, was to ruin people's Christmas or make gamers spend time with their families.

Today's DDoS-for-hire domain takedowns come as a preemptive strike from law enforcement's side. It is unclear if law enforcement acted at the behest or following a complaint from gaming companies, or if they took action on their own.

Xbox and Sony did not return a request for comment. The US Department of Justice is expected to issue a press release later today.

Sources in the infosec industry to which ZDNet spoke believe the takedowns will soon be followed by arrests if they haven't taken place already.

ZDNet's source has compiled a list of DDoS-for-hire domains that have been taken down today.

  • anonsecurityteam.com
  • booter.ninja
  • bullstresser.net
  • critical-boot.com
  • defcon.pro
  • defianceprotocol.com
  • downthem.org
  • layer7-stresser.xyz
  • netstress.org
  • quantumstress.net
  • ragebooter.com
  • request.rip
  • str3ssed.me
  • torsecurityteam.org
  • vbooter.org

Earlier this year in April, Europol shut down the internet's largest DDoS-for-hire service, named WebStresser.

Despite today's intervention, there are many other DDoS booters (an alternative name for a DDoS-for-hire service) that are still available online. Many of these new arrivals on the DDoS-for-hire landscape are based in China, far outside the FBI and Europol's jurisdiction.

UPDATE December 20, 15:00 ET: A Department of Justice official has confirmed today's takedown. According to a seizure warrant, the 15 domains listed above are the ones that US and international authorities seized today.

In addition, US officials charged David Bukoski, 23, of Hanover Township, Pennsylvania, for operating the Quantum Stresser service. The charging documents allege that Bukoski operated Quantum Stresser, one of the longest-running DDoS services in operation. As of late last month, Quantum had over 80,000 customer subscriptions dating back to its launch in 2012. In 2018 alone, Quantum was used to launch over 50,000 actual or attempted DDoS attacks targeting victims worldwide, including victims in Alaska and California.

Authorities also charged two more suspects in a separate case. The suspects are Matthew Gatrel, 30, of St. Charles, Illinois, and Juan Martinez, 25, of Pasadena, California. US officials say Gatrel ran the Downthem service, while Martinez operated Ampnode. Investigators said that Downthem had over 2,000 customer subscriptions, and had been used to conduct, or attempt to conduct, over 200,000 DDoS attacks between October 2014 and November 2018.

Ampnode is not listed in the list of DDoS stressers, but DOJ officials said the service offered technical assistance and resources designed to facilitate the creation of standalone DDoS services by customers.

Cybercrime and malware, 2019 predictions

More cybersecurity coverage:

Editorial standards