
What Is a DDoS Booter?

DDoS attacks on demand

A distributed denial-of-service (DDoS) booter is an on-demand IP stresser service offered by cybercriminals. DDoS booters are essentially software as a service (SaaS) offerings that allow virtually anyone to launch a denial-of-service attack against targeted networks, websites, or servers. According to the FBI, the term “booter” was originally used by online gamers who knocked or “booted” opponents offline after a loss.

What exactly is a DDoS attack?

A distributed denial-of-service attack is designed to overwhelm a targeted device, website, service, or network with malicious traffic, rendering it unavailable to legitimate users and services. DDoS attacks are carried out by a botnet comprising thousands or millions of devices infected with malware that enables attackers to control them remotely. By directing devices to flood a target with illegitimate traffic, a DDoS attack exhausts the target’s resources for handling traffic, causing it to slow down or crash. Because they use so many devices, DDoS attacks can be difficult to detect and mitigate.

What is an IP stresser?

An IP stresser is a service that performs a stress test to gauge the resilience of a network or server by mimicking a DDoS attack. When used for legitimate purposes, IP stressers help IT teams determine how well a system can handle the additional load or stress of an attack. Since IP stresser services in and of themselves are not illegal, cybercriminals often disguise their DDoS booter services as IP stresser services offered online.

How do DDoS booters work?

DDoS booters are DDoS-for-hire services, effectively IP stressers put to illegitimate use, that can be rented on the dark web by individuals with little to no experience in launching cyberattacks. Compared to the cost of setting up a botnet with thousands or millions of malware-infected devices, renting a DDoS booter is incredibly inexpensive. Services may cost less than $25 a month, typically payable via PayPal or cryptocurrencies, and some stresser sites offer a “trial” that gives the user limited access in terms of attack size, duration, and the vectors that can be selected. Booter sites may package their services as subscriptions that include tutorials and user support. For this reason, DDoS booters are popular with cybercriminals in training, known as “script kiddies” or “skiddies,” who are beginning to explore how cybercrime works. DDoS booters are also used by seasoned hackers who use DDoS attacks as a cover or entry point for launching more devastating attacks designed to gain access to a network to steal data or money.

What is a DDoS booter vs. a botnet?

A botnet is a collection of malware-infected or exploited devices that can be used to carry out DDoS attacks or other types of cyberthreats. DDoS booters offer DDoS attacks as an on-demand service, using either a botnet or an attacker’s own collection of more powerful servers.

What types of attacks do DDoS booters carry out?

Hackers may rent booters to execute a wide range of DDoS attacks.

  • Volumetric attacks. These attacks aim to flood a target with high volumes of traffic to consume its available bandwidth, exhausting resources and making the network or website unavailable.
  • TCP out-of-state, aka state-exhaustion, attacks. These attacks overwhelm a target’s resources by exploiting the stateful nature of TCP (Transmission Control Protocol) to exhaust available connections and consume system or network resources.
  • Application-layer attacks. These include Slowloris attacks and other HTTP floods that exhaust server or API resources. DNS pseudo-random subdomain (PRSD) attacks are also application-layer attacks, but they target the DNS protocol rather than HTTP, which is the more traditional application-layer target.
  • Fragmentation attacks. These attacks send fragmented IP packets that must be reassembled, consuming a large amount of the target’s resources and exhausting its ability to handle additional requests.
  • DNS reflection or amplification attacks. These attacks amplify an attacker’s efforts by exploiting vulnerabilities in DNS servers. Attackers send requests to DNS servers that prompt responses containing large amounts of information to overwhelm a targeted IP address.
  • IoT-based attacks. Attackers may exploit vulnerabilities in Internet of Things (IoT) devices to build botnets for launching DDoS attacks that generate massive amounts of traffic.
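The traffic shapes behind three of the attack types above (volumetric, TCP state exhaustion, and DNS reflection or amplification) can be recognised from flow records on the defender's side. The following is an added illustration written for this page, not code from the original article or from Akamai: it runs a simple classifier over constructed NetFlow-style records and reports inbound bits per second against a threshold, SYN-only flows that never complete a handshake, and DNS responses that the protected host never requested. The record fields, the thresholds, the one-second window, and all addresses (taken from RFC 5737 documentation ranges) are assumptions made for the example.

```python
from collections import defaultdict

# Constructed NetFlow-style records for illustration; nothing here comes from
# real traffic. Every address is from an RFC 5737 documentation range.
TARGET = "203.0.113.10"  # the protected web server (assumed)


def build_sample_flows():
    """Return a constructed one-second window of flows toward TARGET."""
    flows = [
        # Legitimate client whose TCP handshake completed (flags include ACK).
        dict(src="198.51.100.20", sport=51234, dst=TARGET, dport=443,
             proto="tcp", flags="SA", bytes=5000),
        # The server's own outbound DNS lookup and the matching, solicited reply.
        dict(src=TARGET, sport=40000, dst="198.51.100.53", dport=53,
             proto="udp", flags="", bytes=60),
        dict(src="198.51.100.53", sport=53, dst=TARGET, dport=40000,
             proto="udp", flags="", bytes=200),
    ]
    # Reflection/amplification shape: large DNS responses arriving from many
    # resolvers that the server never sent a query to.
    flows += [dict(src=f"192.0.2.{i}", sport=53, dst=TARGET, dport=50000 + i,
                   proto="udp", flags="", bytes=3500) for i in range(1, 31)]
    # State-exhaustion shape: many SYN-only flows that never reach ACK.
    flows += [dict(src=f"198.51.100.{30 + i}", sport=1024 + i, dst=TARGET,
                   dport=443, proto="tcp", flags="S", bytes=60)
              for i in range(200)]
    return flows


def classify(flows, target, window_seconds=1.0, bps_threshold=500_000,
             half_open_threshold=100, unsolicited_dns_threshold=10):
    """Summarise inbound flows toward `target` and flag three attack shapes.

    Thresholds are illustrative; a real deployment derives them from a
    measured baseline for the protected host.
    """
    inbound = [f for f in flows if f["dst"] == target]

    # Volumetric: total inbound bits per second over the window.
    inbound_bps = sum(f["bytes"] for f in inbound) * 8 / window_seconds

    # State exhaustion: SYN seen but no ACK ever seen on the flow.
    tcp_in = [f for f in inbound if f["proto"] == "tcp"]
    half_open = sum(1 for f in tcp_in
                    if "S" in f["flags"] and "A" not in f["flags"])
    completed = sum(1 for f in tcp_in if "A" in f["flags"])

    # DNS reflection: a response (source port 53) is solicited only if the
    # target sent a query to that resolver from the same local port.
    outbound_queries = {(f["dst"], f["sport"]) for f in flows
                        if f["src"] == target and f["proto"] == "udp"
                        and f["dport"] == 53}
    dns_responses = [f for f in inbound
                     if f["proto"] == "udp" and f["sport"] == 53]
    unsolicited = [f for f in dns_responses
                   if (f["src"], f["dport"]) not in outbound_queries]
    unsolicited_bytes = sum(f["bytes"] for f in unsolicited)

    return {
        "inbound_bps": inbound_bps,
        "volumetric": inbound_bps > bps_threshold,
        "half_open_syn": half_open,
        "completed_tcp": completed,
        "state_exhaustion": half_open > half_open_threshold,
        "unsolicited_dns_responses": len(unsolicited),
        "unsolicited_dns_bytes": unsolicited_bytes,
        "dns_reflection": len(unsolicited) > unsolicited_dns_threshold,
    }


if __name__ == "__main__":
    for key, value in classify(build_sample_flows(), TARGET).items():
        print(f"{key}: {value}")
```

Each signal is kept separate because the mitigations differ: a volumetric flood is absorbed upstream, SYN-only floods are handled with SYN cookies or connection-rate limits, and unsolicited DNS responses can be dropped at the edge since the protected host never asked for them.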

Are DDoS booters illegal?

Providing or renting DDoS booters is illegal. Law enforcement, including the U.S. Department of Justice (DOJ) and international law enforcement agencies, is actively working to take down booter sites and arrest the people who offer and use them (Operation PowerOFF, for example).

What’s the best defense against a DDoS booter?

Organizations can defend against DDoS booter services with the same multilayered cybersecurity measures they use to mitigate DDoS attacks. Best practices for DDoS protection include:

  • Use a DDoS mitigation service. A reliable DDoS mitigation provider can help to detect and filter out malicious traffic during a DDoS attack, preventing that traffic from reaching servers while ensuring legitimate users can still reach a network or website. Cloud DDoS scrubbing services are a commonly deployed option.
  • Monitor traffic for anomalies. Monitoring tools that detect and analyze traffic patterns can help to identify what normal traffic looks like and detect abnormal traffic that may be part of a DDoS attack.
  • Deploy rate limiting. Rate-limiting tools minimize the impact of a DDoS attack by restricting the number of requests from a single IP address or blocking traffic from IP addresses that are known to be malicious.
  • Increase capacity. Scaling up bandwidth, adding load-balancing capabilities, and increasing redundant systems can help to absorb the sudden spike of traffic during a DDoS attack.
  • Use a content delivery network (CDN). CDNs help distribute traffic geographically across multiple servers and data centers, providing additional network capacity that can absorb and mitigate DDoS attacks.
  • Deploy firewalls and IPS. Firewalls and intrusion prevention systems (IPS) that are updated with the latest threat intelligence can filter out malicious traffic and block suspicious IP addresses.
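Two of the practices above, monitoring traffic for anomalies and deploying rate limiting, can be shown concretely at the web-server level. The following is an added example written for this page, not code from the original article or from Akamai. It parses constructed access-log lines in combined log format, applies a per-IP sliding-window limiter with a blocklist of known-bad addresses, and flags any second whose request count sits far above a constructed baseline. The baseline values, the limit of 20 requests per 10 seconds, the z-score threshold, and all addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+)')

# Constructed requests-per-second baseline from a "normal" period (assumed).
BASELINE_RPS = [4, 5, 6, 5, 4, 5, 6, 5]


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "request": m["req"],
            "status": int(m["status"])}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per IP in any `window_seconds` window,
    and refuse everything from addresses on the blocklist."""

    def __init__(self, limit, window_seconds, blocklist=()):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.blocklist = set(blocklist)
        self.hits = defaultdict(deque)  # ip -> timestamps inside the window

    def allow(self, ip, ts):
        if ip in self.blocklist:
            return False
        q = self.hits[ip]
        while q and ts - q[0] >= self.window:  # drop hits that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def requests_per_second(events):
    counts = defaultdict(int)
    for e in events:
        counts[e["ts"]] += 1
    return counts


def detect_anomalies(baseline_rps, current_counts, z_threshold=3.0):
    """Return (second, count) pairs whose count exceeds the baseline by more
    than `z_threshold` standard deviations."""
    mu = mean(baseline_rps)
    sigma = pstdev(baseline_rps) or 1.0
    return [(ts, n) for ts, n in sorted(current_counts.items())
            if (n - mu) / sigma > z_threshold]


def analyze(log_text, baseline_rps, limiter):
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    decisions = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for e in events:  # log order approximates arrival order
        verdict = "allowed" if limiter.allow(e["ip"], e["ts"]) else "denied"
        decisions[e["ip"]][verdict] += 1
    anomalies = detect_anomalies(baseline_rps, requests_per_second(events))
    return {"decisions": dict(decisions),
            "anomalous_seconds": [(ts.isoformat(), n) for ts, n in anomalies]}


def build_sample_log():
    """Constructed log: a normal visitor, a blocklisted address, and a burst."""
    lines = [
        '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
        '203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 2048',
        '203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /contact HTTP/1.1" 200 1024',
        '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /login HTTP/1.1" 200 1024',
    ]
    # Forty requests from one source inside a single second: the burst shape
    # of an HTTP flood against a search endpoint.
    lines += ['192.0.2.55 - - [10/Oct/2023:13:55:37 +0000] '
              f'"GET /search?q={i} HTTP/1.1" 200 4096' for i in range(40)]
    return "\n".join(lines)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(limit=20, window_seconds=10,
                                   blocklist={"198.51.100.7"})
    print(analyze(build_sample_log(), BASELINE_RPS, limiter))
```

The limiter and the anomaly detector answer different questions: the limiter caps what any single source can do, while the baseline comparison shows when aggregate load is abnormal even if every individual source stays under the cap, which is the case worth escalating to an upstream scrubbing service.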

Frequently Asked Questions (FAQ)

DDoS booters pose a significant threat to businesses of all sizes, but the impact can be particularly severe for small to medium-sized enterprises (SMEs). Unlike large corporations that often have robust cybersecurity infrastructures and dedicated IT teams, SMEs may lack the resources for extensive protection. This makes them more vulnerable to DDoS attacks, which can disrupt their online services, erode customer trust, and lead to substantial financial losses. It’s crucial for SMEs to invest in scalable DDoS protection solutions that align with their specific needs and resources.

Tracing a DDoS attack back to the perpetrator is challenging due to the distributed nature of these attacks. DDoS booters use a network of compromised devices, making it difficult to pinpoint the original source. However, with advanced monitoring and forensic analysis, it is sometimes possible to identify patterns or clues that lead to the attacker. Law enforcement agencies and cybersecurity firms continuously work on improving tracing methods to hold attackers accountable.

DDoS booters, by their very nature, are designed for malicious purposes and are illegal. However, the underlying technology, similar to that used in IP stressers, can have legitimate applications. For example, businesses might use authorized stress testing services to evaluate their network’s resilience against high traffic volumes. These legitimate services are conducted with consent and do not aim to harm or disrupt services.

The long-term effects of a DDoS booter attack can extend beyond immediate operational disruptions. They can damage a company’s reputation, leading to a loss of customer trust and potentially a decline in business. Recovery from such attacks often requires significant investment in security upgrades and may involve legal and regulatory implications, especially if customer data is compromised. Proactive measures and a robust response plan are essential to mitigate these long-term risks.

The proliferation of IoT devices has significantly impacted the DDoS attack landscape. Many IoT devices have inadequate security measures, making them easy targets for incorporation into botnets used in DDoS attacks. This has led to an increase in the scale and frequency of DDoS attacks. It underscores the need for improved security standards in IoT devices and heightened awareness among users about securing their devices.

Why customers choose Akamai

Akamai is the cybersecurity and cloud computing company that powers and protects business online. Our market-leading security solutions, superior threat intelligence, and global operations team provide defense in depth to safeguard enterprise data and applications everywhere. Akamai’s full-stack cloud computing solutions deliver performance and affordability on the world’s most distributed platform. Global enterprises trust Akamai to provide the industry-leading reliability, scale, and expertise they need to grow their business with confidence.
