An increase in Chinese websites offering online distributed denial of service (DDoS) capabilities was observed after a localized version of the source code of online booters was put up for sale, Talos reveals.
Because many of the websites were nearly identical, Talos security researchers initially believed that the same actor or group of actors was behind all of them. However, they discovered that multiple actors are operating them, and that they even launch attacks against one another.
The websites, most of which have been registered within the past six months, feature a simple interface where the user can select a target’s host, port, attack method, and duration of attack. The similarities emerge from the fact that the sites are based on the localized source code of an English-language DDoS platform that cybercriminals have been selling on hacker forums.
While both DDoS tools and services remain highly popular on the Chinese underground market, a shift to online DDoS platforms was recently observed, along with more frequent advertisements for such services. The available sites feature a nearly identical design and layout, displaying information on the number of active users, servers online, and the total number of attacks carried out, along with announcements from group administrators on recent updates, capabilities, and restrictions.
A sidebar allows users to “register an account, purchase an activation code to begin launching an attack, and then attack a target, either through the graphical interface set up on the website or through identical command line calls,” Talos explains.
The researchers discovered 32 nearly-identical Chinese online DDoS websites, most with the word “ddos” in their domain names (such as “shashenddos.club” or “87ddos.cc”), and the similarities between them suggested that a single actor could be responsible for all of them.
However, the researchers then discovered that the sites employed different third-party Chinese payment websites and different prices ranges, that different capabilities were advertised for the tools, and that the contact information and group chats for customer service were different on each site. Some services claimed 30-80 gigabit per second (Gbps) capabilities and others went up to 300 Gbps, while the difference in the number of attacks and users was vast as well.
The websites’ registration information also revealed key differences between actors. Although different names and emails were used for each of the analyzed websites, all “used Chinese registrars, the majority were registered in the past 3 months, and nearly all were registered in the past year.” Moreover, the researchers discovered that over half of the sites were hosted on Cloudflare IPs.
By following items spotted on a screenshot posted in a group chat run by a Chinese hacker group, the researchers discovered several forum posts offering the sale of source code for an online DDoS platform that was initially English-based but then translated into Chinese. Many of the postings were made in early 2017 or late 2016, and the images in said posts were identical to the websites observed.
“This is a foreign DDoS platform source code, it has already been Sinicized, everybody is welcome to test if they want to start a DDoS platform,” one of the forum ads reads, Talos says.
After obtaining a copy of the source code and analyzing it, the researchers concluded it corresponded to the DDoS websites observed, and that the platform relied on Bootstrap front-end design and Ajax to load content. They also linked the sites to Pixelcave, which offered Bootstrap-based website designs similar to the online Chinese DDoS websites (the company’s logo was present on many of the sites).
In addition to being able to pull information such as the amount and duration of attacks, or the number of concurrent attacks a user is allowed, the code shows that DDoS platforms allow customers to input a host, select an attack method, and duration. A blacklist for sites that cannot be attacked is also supported. Some even include a preloaded Terms of Service to absolve site admins from responsibility for the illegal use of the service.
“The code also allows administrators to monitor payments made, outstanding tickets, as well as an overview of the total amount of logins and attacks being contracted, and details about the attacks such as the host, duration of the attack, and which server is conducting the attack. The administrator can also set up an activation code system,” the researchers say.
While it’s clear that the source code was originally written in English and then modified so that the final platform would display Chinese language graphics, the researchers can’t establish where the original source code came from. They do point out, however, that there are several English language websites offering online DDoS services that have some similarities to the Chinese DDoS platforms.
“Online DDoS platforms remain popular because of their easy-to-use interfaces and the fact that they already provide all necessary infrastructure to the user, so there is no need to build a botnet or purchase additional services. Instead, the user purchases an activation code through a trusted payment site and then simply enters in their target. This serves the function of enabling even the most novice of actors the capability to launch powerful attacks, depending on the strength of the DDoS group’s backend infrastructure,” Talos concludes.