New DDoS-for-Hire Platform Advertised on Multiple Cybercrime Forums

A stress testing service for simulating DDoS attacks on websites and servers. Threat actors can misuse such DDoS-for-hire services to target domains using unauthorized attacks.

Updated on

April 19, 2023

Published on

September 30, 2022

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Category: Adversary Intelligence	Industry: Multiple	Motivation: Financial	Region: Global	Source*: F3

Executive Summary

THREAT	IMPACT	MITIGATION
A stress testing service for simulating DDoS attacks on websites and servers.	Threat actors can misuse such DDoS-for-hire services to target domains using unauthorized attacks.	Implement anti-DDoS protection on the server. Use IP geo-blocking in case of an attack.

Analysis and Attribution

Information from the Post

CloudSEK’s contextual AI digital risk platform XVigil discovered a threat actor advertising a stress testing service that can be used for websites/servers.
The post mentions the list of arguments differentiating this service from their competitors:
- Technical support is always available
- Convenient auto-pay system
- Looking to improve methods daily

[caption id="attachment_20867" align="alignnone" width="1330"]

Advertisement observed on a cybercrime forum[/caption]

Also read Raven Storm, the Multi-Threading Tool Employed by Hacktivists for DDoS Attacks

About Stress Testing

Stress Testing is a software testing activity that determines the robustness of software by testing beyond its limits of normal operation. This is to ensure that software can run anywhere, with fewer preset requirements, and under any condition.
Directing heavy and simulated traffic on domains as part of the testing process can give an idea of how long it can endure the request load, before collapsing.
Cloudflare provides DDoS protection services for websites capable of withstanding heavy traffic directed to them via botnets operated by cybercriminals or dedicated servers.

Features of the service

It is a DDoS-for-hire platform, where an attacker can launch DDoS attacks on websites that are unauthorized in nature.
It is an online service platform, with no installations required.
Supports both Layer 4 and Layer 7 protocols.
Ability to generate up to 600,000 requests/second, which can effectively DDoS the target website.
Supports multiple requests per IP (1-64).
5 attack methods are available (1 for L4 , 3 for L7).
API Key to launch attacks.
Supports 4 concurrent connections.
2,400 seconds booting time (maximum duration for DDoS'ed website downtime).

Technical Aspect

DDoS attacks carried out by threat actors particularly target the following 2 layers of the OSI (Open Systems Interconnection) model:
- Layer 4 (Transport Layer) - where data transmission (packet transmission and packet assembly) takes place between two systems, using TCP and UDP protocols.
- Layer 7 (Application Layer) - where applications interact with network services. For example, web browsers make use of this layer to provide meaningful content to users on websites.
Attacks via the platform can be carried out by buying API Keys.
The table below mentions the types of DDoS attacks which can be performed on each layer

Layer	Attacks Targeting the Layer
Layer 4	AMP - Asynchronous Messaging Protocol TCP - Transmission Control Protocol UDP - User Datagram Protocol
Layer 7	Freeflood - Simple flooding attack (20,000 requests per second). H-Captcha - Method with average power. Bypasses CloudFlare protection (including hCaptcha Challenge). Runs with a delay of up to 2 minutes. H-Flood - Method with high power, providing bypass of all simple protections.

Attack Manager Panel

Upon signing up on the website, the cybercriminal is able to access a panel titled “Attack Manager”. This panel allows an attacker to carry out DDoS attacks, based on the following specifics:

Attack Method (different for each OSI layer, as mentioned above)
Target - The provision for carrying out the attack is as follows:
- Layer 4 - Provide the IP Address & the port (default is port 80 - HTTP)
- Layer 7 - Provide the domain name
Boot Time - A predefined field containing the min and max time, ranging from 0 to 2,400s, for conducting the attack.
Request Type - GET or POST (only for Layer 7 attacks)
Concurrents - Number of concurrent sessions (from dedicated servers (zombies)) that will attack the targeted domain / IP at a given time. At a time, 4 concurrent connections are supported. More the concurrent sessions, more the power of the DDoS attack.

Dedicated Servers

To facilitate DDoS attacks, there are servers that are readily available to carry out different types of attacks. The specifics of the servers are:
- Layer 4 - 1 server with 3 DDoS attack slots that can be used concurrently.
- Layer 7 - 3 servers with 10 DDoS attack slots that can be used concurrently.

A Simulated DDoS Attack

The actor has provided the following graph as an example of the DDoS attack simulated by the service. [caption id="attachment_20868" align="alignnone" width="1280"]

Graph depicting requests per second in the DDoS attack[/caption] The following can be inferred by the information in the above graph:

The request rate peaked at 79,074 requests per second in this DDoS attack.
The attack method followed here is HCaptcha, with no direct evidence that the HCaptcha mechanism was bypassed.
Upon conducting HUMINT, it was discovered that the cybercriminals had mentioned dedicated servers to carry out attacks.
The maximum number of requests that can be carried out are 600,000. This count was independently verified using the DSTAT tool.

Pricing Structure

The website provides a free plan for users availing services without commission.
The website also has a uniform pricing structure for its paid users, i.e, Regular and Premium.
The price ranges from USD 10 to USD 850 monthly with testing specifications varying for each pricing bracket.

Information from Cybercrime Forum

These websites have been advertised on other DDoS-for-hire websites.
The use of these websites was widespread during the infancy of the Russia-Ukraine war.
The service was primarily used for conducting DDoS attacks against Russian websites.
User reviews indicate that the service is gaining traction among the average internet user.

Threat Actor Activity and Rating

Threat Actor Profiling
Active since	August 2022
Reputation	Low (Multiple complaints and concerns on the forum)
Current Status	Active
History	Unknown
Rating	F3 (F: Reliability Unknown; 3: Possibly true)

Also Read How to bypass CAPTCHAs easily using Python and other methods

Impact & Mitigation

Impact	Mitigation
Cybercriminals can make use of these to launch sophisticated unauthorized attacks on domains. Significant amount of downtime for the website and the hosting server. Follow-up attack by the threat actor groups abusing a vulnerability on the domain side or server side.	Monitor cybercrime forums for the latest tactics employed by threat actors. Implement anti-DDoS protection on the server. Use IP geo-blocking in case of an attack. Patch vulnerable and exploitable endpoints. Monitor for anomalies in user accounts, which could indicate possible account takeovers

References

Appendix

[caption id="attachment_20869" align="alignnone" width="1280"]

Requests per second graph - from a DDoS attack orchestrated using the service[/caption] [caption id="attachment_20870" align="alignnone" width="452"]

A website that uses HCaptcha protection to filter bots from real users.[/caption] [caption id="attachment_20871" align="alignnone" width="365"]

An image of the attack panel[/caption] [caption id="attachment_20872" align="alignnone" width="1110"]

Server information facilitating the DDoS attacks[/caption] [caption id="attachment_20873" align="alignnone" width="1167"]

The monthly Subscription pricing structure[/caption] [caption id="attachment_20874" align="alignnone" width="1487"]

Advertisement for the website that was observed on another cybercrime forum[/caption] [caption id="attachment_20875" align="alignnone" width="1460"]

Advertisement for the website that was observed on Shellix marketplace[/caption] Advertisement of another DDoS service which was rooted and whose sensitive information was available on a forum [caption id="attachment_20877" align="alignnone" width="629"]

CheckHost statistics of a domain targeted by DDoS attacks from the DDoS-for-Hire platform[/caption] [caption id="attachment_20878" align="alignnone" width="655"]

Mention of the site on two GitHub repositories, that list other DDoS-for-hire websites that should be blacklisted[/caption] [caption id="attachment_20879" align="alignnone" width="737"]

An entry for the website, in a website listing the Top 20 stress testing services in 2022[/caption]

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations

Get started

Learn more