Booters on Demand: When Too Much of a Good Thing is Actually Horrible

December 11, 2017

Featured article by Debbie Fletcher, Independent Technology Author

As Nancy Sinatra explained, boots are made for walking. Booters, on the other hand, are made for stomping websites right off the Internet. Isn’t it strange that you’re able to purchase both footwear and cyberattacks from your smartphone today?

Since booters are essentially Distributed Denial of Service (DDoS) attack services for hire, it’s a good idea to recap just what a DDoS attack is. In a nutshell, DDoS attacks utilize multiple individual computers, each with its own bandwidth and processing power, to simultaneously send so much traffic to a target website that it becomes incredibly slow for normal web traffic like new visitors and regular users.

Whether it’s using up all the target web site’s available bandwidth, consuming all of its processing capacity, filling up all available memory, or even making it crash under the intense load, DDoS attacks can make the victim site unusable or inaccessible. For a personal blog, that’s frustrating. For an ecommerce company – where your website is your storefront – DDoS attacks are a costly disaster due to the lost revenue of customers who eagerly want to part with their money, but can’t. Actually, the financial damage doesn’t end there. The flood of attack traffic can incur higher bandwidth costs during the attack, as well as the cost of replacing failed server components (like power supplies or CPUs) which succumbed to the strain of absorbing the attack traffic.

What kinds of devices are able to supply that kind of traffic, you might ask? The answer is both simple and chilling: desktops, laptops and mobile devices like the ones you might be reading this on right now. When infected with the right kind of malware, any computer can be enlisted (very often without its owner knowing it) in a DDoS attack. Once infected and commandeered by a hacker, a compromised computer is joined to thousands of others in what’s called a botnet: a swarm of computers with a huge combined punch, just waiting for orders.

So where do booters fit into all this?

Booters: commodity cybercrime

Booters (aka “stressers” or “ddosers”) are DDoS-for-hire services. Think of it like an Amazon of cybercrime. Just as the cloud provided the economies of scale for low prices and free shipping, DDoS attacks are now sold like a commodity, due to the huge numbers of computers in the botnet which provide the actual “service”.

For evidence, look no further than the booter mobile app that was (briefly) available on Google Play.

Although one could come up with scenarios where a tool that simulated a DDoS attack could be legally and legitimately used, there’s no escaping the fact that the people whose PCs make up the botnet didn’t grant permission for those computers to be taken over and joined to the botnet. With no way to know whether the attack traffic provided by the service comes from infected PCs or the developer’s own systems, should these apps even be allowed on app stores at all?

But is it the sole responsibility of the company behind the app store? What about the developer of the app, or the end users?

If someone uses one of these booter apps to successfully DDoS a website, or extort a ransom payment (like an Internet version of the ol’ mob protection racket), but gets caught and prosecuted, who could also face charges by being an accessory? Shouldn’t companies like Google and Apple just ban them outright from their app stores, just to avoid the legal and financial risk?

When it comes to software that can effectively be used for both legal and illegal ends, knowing where exactly to draw the line can be tough. Should vulnerability scanners be banned too? How about network protocol analyzers? Among all those questions, one fact is apparent: like a nuclear North Korea, the threat of DDoS-as-a-service is not going away any time soon.



