DDoS attack-for-hire services thriving on Dark Web and cyber criminal forums

Demand for and availability of DDoS-for-hire tools is increasing despite significant platform takedowns

Add bookmark

Michael Hill
12/04/2023

Distributed denial-of-service (DDoS) attack-for-hire services on offer on dark web and cyber criminal forums are “flourishing”, despite coordinated efforts from international law enforcement agencies to tackle such tools. That’s according to new research from analysts at cyber security company Searchlight Cyber which revealed an increase in the availability and interested buyers of “stressers” and “boosters” that help less sophisticated criminals launch DDoS attacks.

DDoS-for-hire demand increasing despite significant platform takedowns

DDoS attack stressers are thriving on cyber criminal forums and Telegram channels, the researchers wrote. This is despite Operation Power OFF which recently took down several notable attack-for-hire platforms, including some that had been active for more than a decade, and led to arrests in numerous countries.

Hacktivists, financially motivated, state-backed and “script kiddy” threat actors all display interest in purchasing DDoS attack-for-hire platforms with the criminal market showing little sign of slowing, the analysts stated. In fact, the group NoName057(16) – a Russian-affiliated hacktivist gang that actively targets the government institutions and critical infrastructure of western countries – has developed the proprietary tool dubbed DDoSia, encouraging followers to use it and creating a dedicated Telegram support group.

What’s more, early indications suggest developers are looking to innovate further, with discussion of combining DDoS attacks with other types of activity such as ransomware using the “threat-as-a-service” business model, they added.

Cyber analysts found that the most discussed stressers with a web-based application generally resolved to either Russia-based or US-based IPs. “Noteworthy, many Russia-based stressers used the same IP range, meaning they likely share similar infrastructure.”

Analyzing DDoS attack-for-hire platforms

The researchers gained access to several of the DDoS-for-hire platforms currently available on the cyber criminal underground and analyzed their features.

Nightmare DDoS Stresser active since 2020

One is the Nightmare Stresser – a DDoS-enabling platform that has been active since at least 2020. “According to the information available, there are more than 566,000 registered users, and 52 servers ready to conduct the attacks via 28 different methods,” the analysts wrote. The attack methods are split based on their type, with three main categories: OSI model Layer 4 (Transport) UDP, Layer 4 (Transport) TCP and Layer 7 (Application), they added.

Attackers can choose the components of an attack based on their preference, with options including IP or URL to be targeted, the attack time and number of concurrent attacks. “The cheapest subscription allows for an attack time of 1,800 seconds and one concurrent attack, while the most expensive option allows for an attack time of 86,400 seconds and 400 concurrent attacks. The maximum attack power appears to be limited to 200 Gbps,” the analysts said.

Stressthem DDoS stresser one of the most powerful

Another of the tools analyzed is Stressthem, which claims to be one of the most powerful stressers on the market with an attack power of up to 1,000 Gbps. “As with most other tools of this type, it employs the DDoS-as-a-Service business model, with subscription prices ranging from US $30 monthly up to $18,000 quarterly,” according to the research. The most expensive option offers unlimited attacks per day, attack times of up to 2 hours and 100 concurrent attacks.

This platform also allows the user to select from multiple attack options and input the victim’s details. “What differentiates this stresser from others is that it also offers a free package, allowing attackers to test the service before purchasing.”

SirMoustache for-fire tool not hosted on a website

Threat actor SirMoustache, a member of the Cracked cybercrime forum, recently advertised an attack-for-hire tool that could be used for conducting distributed DDoS attacks. “What makes this stresser stand apart from other tools is the fact that it’s not hosted on a website. The actor who developed Paper Stresser claims this is a no-download tool which appears to be operated via the command line interface of PuTTY,” the researchers said.

Based on the actor’s description, it appears that the stresser uses 12,000 bots to conduct the attacks and has a power of up to 700 GB/s. This stresser is offered with four different monthly subscriptions ranging from $30 to $125, promising attack times of up to 500 seconds and offering 18 types of attack methods.

Krypton Networks DDoS tool has 2100 followers on Telegram

Lastly, the administrator of Krypton Networks, a DDoS tool that appears to require installation, claims that an internet-of-things (IoT) botnet is used to attack victims via Layer 4 (Transport) and private servers are employed when conducting attacks against Layer 7 (Application), the analysts wrote. “This service offers an attack power of up to 1.5 Tbps with prices starting at $15 for a seven-day subscription and up to $1,000 for 16 days for a “private” subscription.”

Krypton Networks now has 2100 followers on Telegram, with the actor behind it posting almost-daily updates, added features, increased power and shared screenshots of endorsements from buyers constantly. It also has dedicated language posts targeted at Russian and Chinese speakers, making it easy for those who do not speak English to deploy their attacks, they added.

Largest ever DDoS attack occurred this year

In October, Google Cloud, Cloudflare and Amazon Web Services reported the largest ever DDoS attack with requests per second (rps) peaking at over 398 million. This was equivalent to “more requests than the total number of article views reported by Wikipedia during the entire month of September 2023,” Google said. The attack was part of a mass exploit of a zero-day vulnerability.

Companies were forced to execute DDoS mitigation techniques to minimize service disruption, including load-balancing. Multiple internet infrastructure companies formed a partnership to mitigate the overall impact of the attack on the internet at large, which prevented outages from occurring.