A team of Dutch and German academics has studied the aftermath of a major crackdown against DDoS providers and concluded that law enforcement takedowns are largely ineffective, recommending that authorities rather focus on patching the vulnerable systems that are abused for the DDoS attacks in the first place.
The study, published last year on paper-hosting service arXiv, analyzed how the DDoS-for-hire market was impacted after US and European law enforcement shut down 15 major DDoS-for-hire (aka DDoS booter, DDoS stresser) services in December 2018.
The research team said it analyzed DDoS attack traffic observed at the level of three different major networks — a tier-1 internet service provider, a tier-2 internet service provider, and a major IXP (internet exchange point).
“The takedown immediately reduced the DDoS amplification traffic to reflectors,” the research team said. “However, it did not have any significant effect on DDoS traffic hitting victims or on the number of attacks observed.”
By reflectors, the research team is referring to vulnerable servers abused during a DDoS attack.
As their name implies, these servers “reflect” traffic from the attacker to the victim. In case the servers run a vulnerable protocol that can also amplify the attacker’s traffic, they are also called amplifiers.
Image via “TFTP DDoS amplification attack” by Buchanan et al.
Academics say their study revealed there was an overabundance of DDoS-for-hire services that were oversaturating DDoS reflectors (vulnerable servers).
After the takedown, there were fewer DDoS gangs fighting for the reflector’s bandwidth, but the volume of DDoS traffic hitting victims remained the same.
While the takedown attempt served its purpose to thin the herd in terms of DDoS-for-hire gangs, academics argue that a better solution to reduce the number of DDoS attacks would be to reduce the number of available reflectors (vulnerable servers).
“Our study aims to inform network operators to better understand the current threat-level, but also law enforcement agencies to recognize the need of additional efforts to shut down or block open reflectors,” academics said.
Furthermore, the study also made an interesting observation when it also analyzed the number of DDoS-for-hire domains available in the Alexa Top 1 Million traffic rank.
Rhe research team said the takedown barely scraped the surface when it came to the number of DDoS-for-hire services available online, with the number of DDoS booter domains going up after the December 2018 takedown.
Image: Kopp et al.
The full study, titled “DDoS Hide & Seek: On the Effectiveness of a Booter Services Takedown,” is also available for download.