Years ago, taking down home connections and internet-facing servers required access to complicated infrastructure, wads of cash, technical skill, hacked servers or massive botnets drawn from the residential and commercial sectors.
Today, you need only what game server operators, script kiddies, netsec professionals and sysadmins traditionally know as the infamous “$5 booter”. Put simply, a small balance on a PayPal account can grant anybody access to an inexpensive service nicknamed a “booter” and advertised as a “Server Stress Tester”.
Booters do as their name implies: they boot things off the internet by launching DDoS (Distributed Denial of Service) attacks, typically NTP/CHARGEN/DNS amplification attacks. For those who have no idea what a Distributed Denial of Service attack is, imagine a house with a doorbell. Normally, there would be a manageable number of visitors to this home, from door-to-door salesmen to those coming for high tea. One day, someone decides to tell 500 of their friends to each come and ring the doorbell along with him. The home (probably) no longer has the capacity to handle visitors, legitimate and illegitimate, and is overwhelmed. Those who live in the house are most definitely pissed off.
These booters are typically run on bulletproof hosting that allows for IP spoofing, and their web frontends usually hide behind reverse proxy services like Cloudflare.
The majority of smaller to mid-sized websites and servers lack the capacity to protect themselves against DDoS attacks. Almost all home connections lack any kind of protection and are the most vulnerable.
These booters can start as cheap as a dollar, with the price rising depending on how long a customer wants to be able to “boot” for. On the other hand, DDoS protection can range from complimentary (OVH, GINERNET), to $3/month (BuyVM), to thousands (BlackLotus).
For example, one popular booter advertises bang-for-the-buck packages. Access to booting things off the internet can be obtained for close to a dollar, assuming the customer is happy with being able to boot for 5 minutes. Packages work their way upwards to $25/month for a 2-hour boot. It advertises Layer 4 and 7 attacks, and Skype resolvers capable of obtaining IP addresses from Skype usernames.
It’s well acclaimed amongst its users.
Without DDoS protection, the damage from a booter can be extraordinary. Commercial sectors can lose out on millions of dollars of profit, game live streamers can lose their livelihoods and ordinary people can lose their internet access for long periods of time, which can be a hindrance or a death sentence. Vulnerable connections are at the mercy of these booters.
However, booter operators and their users are rarely ever prosecuted for their actions, unless they participate in high-profile attacks against major commercial services and government entities. In one instance, a London teenager was arrested for operating a booter used to DDoS Activision’s Call of Duty servers. Many of the targets for these booters are petty and not of interest to law enforcement officials in any country. Instead of booters being shut down, the market for these services has grown exponentially, with roots tracing back to at least 2012. With the emergence of the monlist vulnerability in NTP servers, booters will only become more prevalent for several more months, if not years, to come.
Booters are usually used for removing disliked players from online games (Xbox Live), revenge, general mischief, and fun. Booter operators base their operations on profit, infamy points, and learning experiences. The usual target audience is script kiddies, teenagers, students and low-level intermediate hackers, or realistically, anybody with access to $5.
For those looking for in-depth analysis, security journalists like Brian Krebs have covered this issue to a greater extent, focusing on specific booters; this post is mostly aimed at a general audience of normal people.
As well, for any Minecraft server owners, Andy Huang (chiisana.net) has an excellent write-up on DDoS protection for Minecraft servers. For individuals, there is an entry on Gamepedia on preventing DDoS attacks. It isn’t my favourite guide, but it’ll work until I write a better version.