Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service

  • Arman Noroozian
  • Maciej Korczyński
  • Carlos Hernandez Gañan
  • Daisuke Makita
  • Katsunari Yoshioka
  • Michel van Eeten
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9854)


A lot of research has been devoted to understanding the technical properties of amplification DDoS attacks and the emergence of the DDoS-as-a-service economy, especially the so-called booters. Much less is known about the consequences for victimization patterns. We profile victims via data from amplification DDoS honeypots. We develop victimization rates and present explanatory models capturing key determinants of these rates. Our analysis demonstrates that the bulk of the attacks are directed at users in access networks, not at hosting, and even less at enterprise networks. We find that victimization in broadband ISPs is highly proportional to the number of ISP subscribers and that certain countries have significantly higher or lower victim rates which are only partially explained by institutional factors such as ICT development. We also find that victimization rate in hosting networks is proportional to the number of hosted domains and number of routed IP addresses and that content popularity has a minor impact on victimization rates. Finally, we reflect on the implications of these findings for the wider trend of commoditization in cybercrime.


Keywords (added by machine, not by the authors): Victimization Rate; Broadband Network; Online Gaming; Attack Duration; Industry Report



This work has been enabled through the support of NWO Pr. Nr. CYBSEC.12.003/628.001.003, SIDN, the Dutch National Cyber Security Center and Beatriu Pinos BP-A-214. We would like to thank Dr. Paul Vixie and Farsight Security for providing our pDNS data. In addition we would like to acknowledge the support of the MEXT (Program for Promoting Reform of National Universities) and PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange) programs.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Arman Noroozian (1)
  • Maciej Korczyński (1)
  • Carlos Hernandez Gañan (1)
  • Daisuke Makita (2, 3)
  • Katsunari Yoshioka (2)
  • Michel van Eeten (1)

  1. Delft University of Technology, Delft, Netherlands
  2. Yokohama National University, Yokohama, Japan
  3. National Institute of Information and Communications Technology, Koganei, Japan
