New tools and services have emerged in the underground market for distributed denial of service (DDoS) products. These offer would-be attackers easy-to-use, and sometimes free, tools to amplify attacks using distributed reflection DDoS (DrDoS) attack techniques. As DrDoS attack suites leak into the public realm, tool developers make use of publicly circulating code to create competing attack kits and services, fueling tool availability.
One type of newly available DDoS tool is the scanner, which can test broad IP address ranges and reveal vulnerable servers that can be used to amplify DDoS attacks. IP address scanner tools had previously been found for sale on private underground forums, but the new scanners are available publicly, and some are free.
Alternatively, ready-to-use lists from the output of the IP address scanners are also available for sale, simplifying matters for attackers who don’t want to make their own lists. Prolexic anticipates that this could affect the underground market for scanner tools, because compilations of server IP addresses that are vulnerable to attack may reduce the demand for private scanners, allowing attackers to save time, effort and money by acquiring ready-made lists.
The Prolexic Security Engineering and Response Team (PLXsert) has been tracking the emerging DDoS trend towards powerful DrDoS reflection attacks, which are being used more frequently. As part of a public education effort, PLXsert released a five-part DrDoS white paper series earlier this year.
In addition to scanners and lists, the underground marketplace offers many DDoS-as-a-service tools that use reflection techniques, some for as little as $45 per month. One high-profile example of an attack suite is the RAGE booter, which has been hacked and leaked into the public realm numerous times, attracting mainstream media attention.
Payment for new DrDoS tools and services can be as simple as PayPal, which suggests a low level of sophistication on the part of the vendors of these new tools, since more experienced DDoS tool developers would use lesser-known underground payment methods. Not surprisingly, DDoS tools and services vendors change names and locations often to avoid detection by authorities, following the pattern set by fraudulent e-Commerce sites.
Although lists of vulnerable servers have long been a commodity on the underground market, the surge in availability and demand for lists of servers specifically vulnerable to reflection attacks is unique to Q3, as reported in the Q3 2013 Prolexic Global Attack Report. DrDoS scanner tools had not been widely available previously.
Who buys DrDoS reflection attack tools and services? Customers range from legitimate webmasters and system administrators who want to stress-test their own infrastructure to inexperienced script kiddies, sophisticated hackers looking to thwart and overtake rival services, and even state-sponsored malicious actors with ample resources.
More information on this emerging area of the DDoS threatscape can be found in the case study "DrDoS Reflection Services within the Underground Marketplace," which is available at no charge in Prolexic’s Q3 2013 Global Attack Report.