New DDoS-for-Hire Platform Advertised on Multiple Cybercrime Forums

Summary

A stress testing service for simulating DDoS attacks on websites and servers. Threat actors can misuse such DDoS-for-hire services to target domains using unauthorized attacks.
Category: Adversary Intelligence Industry: Multiple Motivation: Financial Region: Global Source*: F3

Executive Summary

THREAT IMPACT MITIGATION
  • A stress testing service for simulating DDoS attacks on websites and servers.
  • Threat actors can misuse such DDoS-for-hire services to target domains using unauthorized attacks.
  • Implement anti-DDoS protection on the server.
  • Use IP geo-blocking in case of an attack.

Analysis and Attribution

Information from the Post

  • CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a stress testing service that can be used for websites/servers.
  • The post mentions the list of arguments differentiating this service from their competitors:
    • Technical support is always available
    • Convenient auto-pay system
    • Looking to improve methods daily
Advertisement observed on a cybercrime forum
Advertisement observed on a cybercrime forum
 
Also read Raven Storm, the Multi-Threading Tool Employed by Hacktivists for DDoS Attacks

About Stress Testing

  • Stress Testing is a software testing activity that determines the robustness of software by testing beyond its limits of normal operation. This is to ensure that software can run anywhere, with fewer preset requirements, and under any condition.
  • Directing heavy and simulated traffic on domains as part of the testing process can give an idea of how long it can endure the request load, before collapsing.
  • Cloudflare provides DDoS protection services for websites capable of withstanding heavy traffic directed to them via botnets operated by cybercriminals or dedicated servers.

Features of the service

  • It is a DDoS-for-hire platform, where an attacker can launch DDoS attacks on websites that are unauthorized in nature.
  • It is an online service platform, with no installations required.
  • Supports both Layer 4 and Layer 7 protocols.
  • Ability to generate up to 600,000 requests/second, which can effectively DDoS the target website.
  • Supports multiple requests per IP (1-64).
  • 5 attack methods are available (1 for L4 , 3 for L7).
  • API Key to launch attacks.
  • Supports 4 concurrent connections.
  • 2,400 seconds booting time (maximum duration for DDoS'ed website downtime).

Technical Aspect

  • DDoS attacks carried out by threat actors particularly target the following 2 layers of the OSI (Open Systems Interconnection) model:
    • Layer 4 (Transport Layer) - where data transmission (packet transmission and packet assembly) takes place between two systems, using TCP and UDP protocols.
    • Layer 7 (Application Layer) - where applications interact with network services. For example, web browsers make use of this layer to provide meaningful content to users on websites.
  • Attacks via the platform can be carried out by buying API Keys.
  • The table below mentions the types of DDoS attacks which can be performed on each layer
Layer Attacks Targeting the Layer
Layer 4
  • AMP - Asynchronous Messaging Protocol
  • TCP - Transmission Control Protocol
  • UDP - User Datagram Protocol
Layer 7
  • Freeflood - Simple flooding attack (20,000 requests per second).
  • H-Captcha - Method with average power. Bypasses CloudFlare protection (including hCaptcha Challenge). Runs with a delay of up to 2 minutes.
  • H-Flood - Method with high power, providing bypass of all simple protections.

Attack Manager Panel

Upon signing up on the website, the cybercriminal is able to access a panel titled “Attack Manager”. This panel allows an attacker to carry out DDoS attacks, based on the following specifics:
  • Attack Method (different for each OSI layer, as mentioned above)
  • Target - The provision for carrying out the attack is as follows:
    • Layer 4 - Provide the IP Address & the port (default is port 80 - HTTP)
    • Layer 7 - Provide the domain name
  • Boot Time - A predefined field containing the min and max time, ranging from 0 to 2,400s, for conducting the attack.
  • Request Type - GET or POST (only for Layer 7 attacks)
  • Concurrents - Number of concurrent sessions (from dedicated servers (zombies)) that will attack the targeted domain / IP at a given time. At a time, 4 concurrent connections are supported. More the concurrent sessions, more the power of the DDoS attack.

Dedicated Servers

  • To facilitate DDoS attacks, there are servers that are readily available to carry out different types of attacks. The specifics of the servers are:
    • Layer 4 - 1 server with 3 DDoS attack slots that can be used concurrently.
    • Layer 7 - 3 servers with 10 DDoS attack slots that can be used concurrently.

A Simulated DDoS Attack

The actor has provided the following graph as an example of the DDoS attack simulated by the service.
Graph depicting requests per second in the DDoS attack
Graph depicting requests per second in the DDoS attack
  The following can be inferred by the information in the above graph:
  • The request rate peaked at 79,074 requests per second in this DDoS attack.
  • The attack method followed here is HCaptcha, with no direct evidence that the HCaptcha mechanism was bypassed.
  • Upon conducting HUMINT, it was discovered that the cybercriminals had mentioned dedicated servers to carry out attacks.
  • The maximum number of requests that can be carried out are 600,000. This count was independently verified using the DSTAT tool.

Pricing Structure

  • The website provides a free plan for users availing services without commission.
  • The website also has a uniform pricing structure for its paid users, i.e, Regular and Premium.
  • The price ranges from USD 10 to USD 850 monthly with testing specifications varying for each pricing bracket.

Information from Cybercrime Forum

  • These websites have been advertised on other DDoS-for-hire websites.
  • The use of these websites was widespread during the infancy of the Russia-Ukraine war.
  • The service was primarily used for conducting DDoS attacks against Russian websites.
  • User reviews indicate that the service is gaining traction among the average internet user.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since August 2022
Reputation Low (Multiple complaints and concerns on the forum)
Current Status Active
History Unknown
Rating F3 (F: Reliability Unknown; 3: Possibly true)
Also Read How to bypass CAPTCHAs easily using Python and other methods

Impact & Mitigation

Impact Mitigation
  • Cybercriminals can make use of these to launch sophisticated unauthorized attacks on domains.
  • Significant amount of downtime for the website and the hosting server.
  • Follow-up attack by the threat actor groups abusing a vulnerability on the domain side or server side.
  • Monitor cybercrime forums for the latest tactics employed by threat actors.
  • Implement anti-DDoS protection on the server.
  • Use IP geo-blocking in case of an attack.
  • Patch vulnerable and exploitable endpoints.
  • Monitor for anomalies in user accounts, which could indicate possible account takeovers

References

Appendix

Requests per second graph - from a DDoS attack orchestrated using the service
Requests per second graph - from a DDoS attack orchestrated using the service
 
A website that uses HCaptcha protection to filter bots from real users.
A website that uses HCaptcha protection to filter bots from real users.
An image of the attack panel
An image of the attack panel
 
Server information facilitating the DDoS attacks
Server information facilitating the DDoS attacks
 
Monthly Subscription pricing structure
The monthly Subscription pricing structure
 
Advertisement for the website that was observed on another cybercrime forum
Advertisement for the website that was observed on another cybercrime forum
 
Advertisement for the website that was observed on Shellix marketplace
Advertisement for the website that was observed on Shellix marketplace
  Advertisement of another DDoS service which was rooted and whose sensitive information was available on a forum
CheckHost statistics of a domain targeted by DDoS attacks from the DDoS-for-Hire platform
CheckHost statistics of a domain targeted by DDoS attacks from the DDoS-for-Hire platform
 
Mention of the site on two GitHub repositories, that list other DDoS-for-hire websites that should be blacklisted
Mention of the site on two GitHub repositories, that list other DDoS-for-hire websites that should be blacklisted
 
An entry for the website, in a website listing the Top 20 stress testing services in 2022
An entry for the website, in a website listing the Top 20 stress testing services in 2022
 

Table of Contents

Request an easy and customized demo for free