Understanding DDoS internals: Measuring booter services


DDoS attacks are omnipresent, and members of Internet exchanges are affected on a daily basis. Industry white papers report that the number and frequency of DDoS attacks are increasing annually: dizzyingly high volumetric attacks peaked at 1.7 Tbps in 2018. Booters are DDoS-as-a-service offers that come at affordable price points and have thus developed into a thriving business. In order to learn more about those attacks, the DE-CIX Research Team built a dedicated measurement system to record DDoS attacks and utilized booter services to target their own honeypot system.

DDoS with an invoice

DE-CIX’s Daniel Kopp presented preliminary results at the RIPE77 meeting in Amsterdam last week. He demonstrated how we used booter services, and explained how, while some of the orders had no effect at all, others resulted in DDoS attacks that we measured. We observed many different attack types and patterns, with prices ranging from $20 up to $200 for attack rates of up to 20 Gbits, and we learned that booter services provide a flat rate for DDoS attacks. 

Designing mitigation strategies

Based on individual examples, we learned that for NTP-reflected attacks the top 3 ASes were responsible for 23% of the traffic, coming from China, Taiwan, and Hungary, whereas memcached attacks mainly originated in Europe. Future work will focus on designing more effective mitigation strategies and on better understanding the anatomy of such attacks in an Internet Exchange context.

Daniel’s presentation is available online and can be downloaded here.