As anyone who has ever taken a look at a single comment section knows, the internet is full of people who like to lash out anonymously. Whether it’s on Reddit, in forums, on social media, in Yelp reviews or on your aunt’s knitting blog, people are out there just letting the rest of the world have it.
It makes perfect sense, then, that a service that allows virtually anyone to immediately and anonymously launch a cyberattack to take a website offline for a cost of just a few dollars has turned into a booming business. There is no grievance too petty or reasoning too flimsy for a DDoS for hire service, and that is precisely why you need to get informed on these assault-spitting services posthaste. Here are five things you truly need to know about DDoS for hire services.
Almost anyone can use them
Assembling and running a botnet in order to mount DDoS or distributed denial of service attacks requires a tremendous amount of technical know-how. Using a DDoS-for-hire service, otherwise known as a booter or stresser, does not. All it basically takes is an internet connection, basic browsing capabilities, at least $4, and the URL that’s being targeted. Combine it all with the tap of a finger on a smartphone and a DDoS attack capable of taking a website offline and frustrating users of that website to the point that user loyalty may sustain long-term damage has been launched. That’s all it takes.
They’re behind the biggest trend in DDoS attacks
Attacks from DDoS for hire services are so prevalent that their attack type has been significantly impacting DDoS trends for the last few years, and that impact has only strengthened in 2017. Attacks from your run of the mill DDoS for hire service that can be made possible for just a few dollars don’t pack a tremendous, lasting punch of malicious traffic. Instead, they’re low-volume attacks that don’t tend to last long.
According to the 2017 Q1 DDoS Threat Landscape Report from DDoS mitigation provider Incapsula, booters & stressers are the source of so many attacks that 80% of all distributed denial of service attacks were over within under one hour. Network layer assaults clocked in even shorter, with 90% lasting fewer than 30 minutes. For network layer assaults this is an increase of almost 12% since the fourth quarter of 2016. It’s hard to assign a number to exactly how many DDoS for hire attacks are flying around the internet, but the fact that they could so significantly impact attack patterns is telling.
Smaller businesses and websites are definitely targets
The typical DDoS for hire attack (remember the word typical) isn’t exactly designed to bring a major corporation to its knees.
Those short-burst, low-volume attacks aren’t likely to overwhelm professional DDoS mitigation appliances or services, but what they are likely to do is take smaller websites or businesses offline, ones that perhaps thought (or hoped) that they weren’t big enough targets to warrant an investment in professional protection.
This makes a DDoS for hire service an excellent vehicle for settling grudges, messing with websites just for fun or for making a fast few dollars from sending out DDoS ransom notes. What booters and stressers have essentially done is made virtually every website on the internet a potential DDoS target.
Big businesses and websites are also definitely targets
Not all DDoS for hire services cost less than ten dollars or dole out short burst, low volume attacks, and we have the Internet of Things to thank for that. The lax security on so many IoT devices has allowed botnet builders to easily assemble botnets consisting of hundreds of thousands of hijacked devices, which in turn has allowed for massive attacks to be mounted – for the right price. For instance, the 400,000-device botnet behind the record setting attack on the Dyn DNS server last fall is reportedly available for rent for figures numbering in the thousands.
With booters capable of sending real DDoS firepower out into the internet, sites and businesses that figured they didn’t have to be concerned with these for-hire services suddenly have to be looking over their shoulder because many advanced mitigation configurations will struggle with the malicious traffic flowing from botnets of that size.
Even if you don’t have a business or website, you still have to care
If you don’t have a website or a business or a bunch of users to keep happy you might think distributed denial of service attacks are delightfully not your problem. You’re correct when it comes to the consequences of the attacks, if you don’t count all the times you’ve been unable to access a website or use an online service because of the downtime caused by a DDoS attack, but what should concern you is all those hijacked devices – IoT, mobile phones and personal computers – that have gone into building DDoS botnets.
These devices are often hijacked remotely without the owners ever knowing it, and if devices are vulnerable to botnet builders, they’re also vulnerable to hackers and other cybercriminals with malicious intent. By ensuring your devices are secure you not only do your small part to aid in the fight against DDoS attacks, but you can also keep your devices from being hacked and your personal data from being compromised, a necessity in this age where every kind of personal information has a price tag on the internet’s black market.
Bad news botnets
What it all boils down to, unfortunately, is that DDoS for hire services are bad news for just about everyone who uses the internet. Website and business owners in particular need to take a closer look at their DDoS mitigation strategy, if it even exists, and strongly consider a managed DDoS mitigation service that can scrub attack traffic before it reaches the network and impacts users.
We as an online society may not be able to do much about the internet’s vitriolic arguments over everything from gun control to children’s TV shows, but keeping these services from gaining success will go a long way towards taking some of the power away from angry, anonymous internet users. Until they find their next outlet, at least.