Most people think you must be a hacker to participate in cyberattacks. However, as the last year has shown, downloading specific software or paying money is sometimes enough. Moreover, with the advent of DDoS-for-hire, you don’t need a PC to carry out cyberattacks since remote specially created servers are used for this purpose. But why are DDoS attacks so popular?
What is DDoS Attack?
In short, DDoS attacks are malicious attempts to disrupt the normal functioning of a network, service, or website by overwhelming it with a flood of traffic from multiple sources. A DDoS attack aims to exhaust the target’s resources, such as bandwidth, processing power, or memory, rendering it inaccessible to legitimate users. In a DDoS attack, the attacker typically controls a network of compromised computers and is called a botnet. Its compromised machines, often infected with malware, are used to launch coordinated attacks on the target. The attacker commands the botnet to send a massive volume of traffic to the target, overwhelming its capacity to handle requests and causing it to slow down or crash. First of all, it doesn’t take much. A DDoS attack can be launched by anyone with a computer and the Internet. Secondly, in the case of a botnet, the victim’s devices can participate in attacks, and their owners may not even be aware of it.
Hacktivism and DDoS Attacks
The reason for the recent uprising of DDoS attack and, particularly, DDoS-for-hire services, is hacktivists activity. Hacktivism has evolved from loosely structured groups to a more mature ecosystem with diverse motivations and sources. It got a massive punch particularly after the beginning of the Russia-Ukrainian war. As a result, hacktivist groups have become more organized and conduct military-like operations with precise positioning and clear objectives. Although there are different tools for hacktivists, as the practice has shown, they often use DDoS.
In general, the topic of DDoS is very popular among hacktivists, and for good reason. In most cases, to take part in a DDoS attack, you have to type a couple of commands into a terminal or download and run a utility. The application will do the rest, and the user only needs to provide the resources of his device. However, DDoS-for-hire services, which provide massive power for some money and do not require the provision of your machine resources or the installation of anything in return, are becoming increasingly popular. In other words, the user pays money to the service and gives the address of the server/site to be attacked. As result, the service does everything without the user’s intervention. Next, we will examine the most popular DDoS services among hacktivists over the last year.
DDoS-for-hire tools and services used during 2023
DDoS-for-hire, also known as DDoS booter or stresser services, refer to renting out or purchasing DDoS attack services from cybercriminals. These services allow individuals or organizations to launch powerful Distributed Denial of Service (DDoS) attacks against targeted websites or online services. These services typically utilize botnets and networks of compromised computers to generate attack traffic and overwhelm the target’s resources. Here are DDoS tools and DDoS-for-hire services used by attackers and hacktivist groups in 2023 for their malicious campaigns against the government and individuals.
Stressbot.io DDoS Panel
Stressbot is a website that offers DDoS-for-hire services starting from $30 per month. It is operated by Aleksey Chekaldin, who also runs a Telegram channel promoting the service. The DDoS attack methods offered include layer 4 and layer 7 attacks. According to research evidence of the pro-Pakistani hacktivist group Team_insane_pk using Stressbot to target India and Israel. The group is allegedly led by ‘xxINSANExx’ and shares a link to a status-check website as Proof of Compromise.
Ziyaettin DDoS Botnet
Ziyaettin is a Telegram-based DDoS bot service that offers various attack methods, including layer 4 and 7 attacks. Their owner operates a public Telegram channel with over 1,500 subscribers. They recently launched a browser plugin for easy attacks with a 20-30K RPS capability. The service has been endorsed by hacktivist groups in Telegram channels.
A DDoS botnet, Tesla, has been active since April 28, 2023, with services starting at USD 50 per month. The pro-Russian threat actor Radis operates the Telegram channel promoting their tool and two other channels for buyers to post reviews. They specialize in DDoS attacks on onion websites with their private method called ‘TOR-KILLER’. However, Tesla Bot offers other DDoS attack methods, such as MACAN-TLS, HTTP-FLOOD, and SMYKL-FLOOD. The TA recently launched a browser plugin feature and has targeted the United States Department of Defense websites, a Russian financial services provider, and the Central Intelligence Agency.
RedStress.io DDoS Panel
RedStress is a web-based IP stresser service that allows users to launch anonymous DDoS attacks on a target server/website/IP. The service is operated by the threat actor Mercado and offers three pricing packages, starting from USD 35 per month. They claim to have 40 dedicated servers to support their methods. In addition to paid subscriptions, RedStress also offers a free method called ‘HTTP-Killer’ for threat actors to target small home networks or unsecured websites. The service has attracted over 21,000 registered users and launched over 1.2 million attacks. The DDoS attack methods include amplification attacks, layer 4 and 7 attacks, bypass, and private methods. The operators of RedStress have previously targeted game streaming services and cryptocurrency websites to demonstrate their capabilities.
Neferian Empire DDoS Botnet
Neferian Empire is offering a command line-based DDoS tool that claims to bypass DDoS attack protection services provided by top companies. The tool can launch 50 million requests per second for a Layer 7 attack and up to 1.2 terabytes per second for a Layer 4 attack. They have marketed this tool on their Telegram channel, offering other malicious tools. To promote their tool, the group has shown live attacks on high-value organizations, including Interpol and the US Department of Defense.
A DDoS bot called SkyElite-Net was launched on May 8, 2023, by the TA skyzz. They have two Telegram channels, one for private DDoS methods and services and the other for posting reviews. On May 22, they launched a new method called ‘Sky-Bypass’ that claims to bypass OVH and Cloudflare DDoS protection. The TA skyzz746 is also a member of the Khalifah cyber community.
Artemis C2 DDoS Botnet
Artemis C2 is a DDoS botnet, operating since May 1, 2023, with services starting at USD 15 per month. It specializes in launching DDoS attacks on Rainbow Six Siege and Minecraft servers. The botnet is maintained by cryptopsycho and ritz, who promote it on a Telegram channel with 141 subscribers. They plan to launch a Discord server, an Onion website, and a store on Sellix. Artemis offers amplification, layer 4, layer 7, and private DDoS attack methods. Team_insane_pk, a pro-Pakistani hacktivist group, has promoted Artemis for their DDoS campaigns targeting India. Still, sources suggest no links with the developer.
NoName057(16) created DDosia, which uses Windows bots to perform DDoS attacks on those who support Ukraine. Volunteers download the bot and register at a cryptocurrency wallet for monetary benefits later. Then, the bot registers with the group’s command-and-control infrastructure and launches attacks on specified targets. The group also targets adversaries with Android devices and has two Telegram channels with thousands of subscribers.
DDoS Protection Recommendations
To prevent and minimize the impact of DDoS attacks, it’s essential to have a business continuity and disaster recovery plan ready. In addition, you should analyze your network’s daily traffic, monitor network activities and logs, and preserve attack logs. Also, employ multiple defense strategies, deploy appropriate DDoS prevention systems, scan for vulnerabilities, and patch them. Maintain contact with ISPs and vendors, implement filtering and bogon blocking, and allocate traffic to unaffected network paths. In case of an attack, block the attack sources, disable non-essential ports/services, and periodically check the integrity of critical application files.