Think about what you could do with five dollars. You could get dinner for yourself at McDonald’s, so long as you don’t upsize the fries. You could buy a toy for a dog. You could get half of a low quality haircut. Or you could take a website offline, causing both short term and long term repercussions for a business.
Unfortunately, that’s the reality. Five dollars could allow a person to severely impact a business, but not get the large size fries with a fast food value meal. It’s called DDoS for hire, and it’s a big problem that’s only getting bigger.
Distributing distributed denial of service attacks
DDoS is an initialism for distributed denial of service attacks, a type of cyber-attack that leverages a botnet of compromised computers and internet-connected devices to either overwhelm the network infrastructure of a target website, or flood it with traffic. The end result of an unmitigated DDoS attack is often either the target website being knocked offline, or slowed down so much that legitimate users are unable to use it.
To the average person who doesn’t spend their time targeting websites to take them offline and cause users to lose trust in that website, most likely causing a significant loss of revenue and long-term consequences like software or hardware damage or even theft of intellectual property or personal information, a distributed denial of service attack might sound a bit complicated. And it is! Hijacking internet connected devices to form a botnet is no easy feat.
Getting to use those botnets, however, is now easier than ever. DDoS for hire services often refer to themselves as ‘stressers,’ services that are intended for people to stress test their own websites and servers. But since these stressers don’t require users to prove website ownership prior to these so-called stress tests, stressers have become a simple way to aim a DDoS attack at any website a user wants.
The cost of mayhem
Roughly a year ago the average cost of using a stresser was $38 per hour, and the low end of the pricing spectrum was around $19. A low price to potentially do major harm to a business, to be sure. But now it’s become even cheaper. According to the Underground Hacker Marketplace Report, using a stresser on the Russian underground is just five dollars per hour.
Well, you might think, there probably aren’t too many people who know how or would want to access the Russian underground. But how about Fiverr, the self-billed world’s largest marketplace for creative and professional services? Fiverr is a completely legitimate marketplace, used by millions to procure legitimate services like logo design or voiceover work for just five dollars. Apparently it’s also been used by people to procure DDoS for hire services for just five dollars.
A fast Fiverr response
It was DDoS protection services provider Incapsula that uncovered the stresser services available on Fiverr, and in order to ensure they were dealing with what they thought they were dealing with, Incapsula did a little undercover work to unmask the problematic DDoS for hire services, sending messages to a number of stresser services asking if the website they stress tested had to be their own. While some of the messages went ignored, one stresser service replied saying that any site could be stress tested, except for government state websites and hospitals.
With this confirmation in place, Incapsula contacted Fiverr about the illegitimate stresser services, receiving a reply that the Fiverr Trust and Safety team would be investigating further. Within several days, three of the stress testing services had been removed from the website.
The morals of the story
The lessons that need to be learned from this tale of the ever-increasing (and ever-cheapening) distributed denial of service marketplace are two-fold. Firstly, DDoS attacks are already incredibly prevalent, and with them being so cheap and so readily available, they’re only going to get more common. Protect your website and protect your business.
Secondly, DDoS attacks are criminal activity. Marketplaces like Fiverr do not exist to make criminal activity possible. That kind of thing is bad for business. If you see these so-called stresser services being offered in legitimate digital marketplaces, take a minute and report it. You will doubtlessly be preventing distributed denial of service attacks and their ensuing damage. If a person can’t even get an entire low quality haircut for $5, they shouldn’t be able to wreak havoc on a website for the same amount. It just isn’t right.
[su_box title=”About Benjamin Stone” style=”noise” box_color=”#336588″][short_info id=’74810′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.