Security Experts:

DDoS-for-Hire Services Cheap But Effective

Distributed denial-of-service attackers are making it relatively cheap to disrupt targeted sites, according to a new report from Verisign. 

According to Verisign's latest Distributed Denial of Service Trends report, attacks can cost between $5 (USD) per hour or as low as $2 (USD) an hour. In addition, massive and longstanding attacks can be launched for as little as $800 a month.

"Since their inception in 2010, DDoS-for-hire capabilities have advanced in success, services and popularity, but what’s most unnerving is booters have been remarkably skilled at working under the radar," according to the report. "Given the ready availability of DDoS-as-a-service offerings and the increasing affordability of such services, organizations of all sizes and industries are at a greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity."

Some of the more brazen attackers advertize relatively openly. For example, the operators of the Gwapo DDoS service used YouTube and posted videos that featured actors reading a script explaining the DDoS service and asking potential buyers to contact the operators via email. In the case of that group, the cost of DDoS attacks ranged from $2 per hour for one to four hours to $1,000 for a month-long attack, the report notes.

"One of the more high-profile advertising efforts for a DDoS service in 2014 came from the DDoS group Lizard Squad," according to the report. "Since August 2014, the group has claimed responsibility for attacks against multiple online gaming services, including those for Sony Corp.’s PlayStation Network (PSN) and Microsoft Inc.’s Xbox Live. PSN and Xbox Live were both taken offline for significant amounts of time by DDoS attacks on Dec. 25, 2014. Following the successful Christmas attacks, Lizard Squad began advertising the operation of its very own LizardStresser DDoS service, which costs from $5.99 to $119.99 USD per month to employ."

In its Q4 2014 State of the Internet report, Akamai's Prolexic Security Engineering and Research Team (PLXsert) blamed DDoS-for-hire services for the rise in reflection-based DDoS attacks. According to Akamai, nearly 40 percent of all DDoS attacks during the quarter used reflection techniques, which rely on Internet protocols that respond with more traffic than they receive and do not need an attacker to gain control over the server or the device.

"DoS attacks are a global threat and not limited to any specific industry vertical, but the information technology and cloud verticals are prime targets because these services are used by multiple customers across both the private and public sectors," said Ramakant Pandrangi, the vice president of technology at Verisign. "That makes it appealing to cybercriminals."

"During Q4 2014, Verisign’s IT/Cloud Services/SaaS customers experienced the largest volume of attacks, representing one third of all attacks and peaking in size at just over 60 Gbps for more than 24 hours," he added. "We expect the trend in attacks against the IT Services/Cloud/SaaS industry to continue as these organizations migrate IP assets to cloud-based services and infrastructure, effectively expanding their attack surface across on-premise devices, and public and private clouds."

Verisign's report found that during the fourth quarter of 2014, the most common attack vector the company observed continued to be UDP amplification attacks leveraging the Network Time Protocol (NTP).

"NTP is a UDP-based protocol used to synchronize clocks over a computer network," Pandrangi said. "Any UDP-based service including DNS, SNMP, NTP, chargen, and RADIUS is a potential vector for DDoS attacks because the protocol is connectionless and source IP addresses can be spoofed by attackers who have control of compromised or ‘botted’ hosts residing on networks which have not implemented basic anti-spoofing measures. Many organizations do not use or trust external systems for their NTP, so in this case the solution can be as easy as restricting or rate-limiting NTP ports inbound and outbound to only authenticated, known hosts."

The full report can be read here.

view counter