Distributed denial of service (DDoS) attacks might be the best example of criminal activity turned into a commodity. We are talking, of course, about DDoS-for-hire services that rent out access to a network of enslaved botnet devices (e.g., Trojan-infected PCs), which are used as a platform to launch DDoS attacks.
Today, DDoS-for-hire companies operate in broad daylight under the guise of “stresser” services. This whitewashed term implies that the service is meant to test the resilience of your own server.
In practice, few bother to ask for any proof of ownership, allowing you to “stress test” whomever you want—just as long as you continue forking over their subscription fees.
And the fees aren’t exactly prohibitive. A year ago, our survey of the 20 most common stresser services showed that the average price was $38 per hour, and went as low as $19.
Recently, the SecureWorks Underground Hacker Marketplace Report showed that, on the bottom end, the cost of hiring a stresser service on the Russian underground dropped to just five dollars per hour.
“Stress Testers” on Fiverr
The price tag made us think of Fiverr—a trendy online marketplace where various professional services are offered for five bucks. Would DDoS dealers have the audacity to use this platform to push their wares?
A quick site search confirmed that, in fact, they would.
As you can see from the image above, the ads we found were pretty incriminating—especially the skull and bones image that offered to “Massive DDoS Attack your Website”.
Not wanting to rush to judgment, we decided to investigate and see if the users were the innocent stress testers they claimed to be. To do so, we created an account on Fiverr and asked each of the stresser providers the following question: “Regarding the stress test, does the site have to be my own?”
Most had the good sense to ignore our message. One suggested that we talk on Skype. In the end, it was skull-and-bones guy who spilled the beans, saying:
“Honestly, you [can] test any site. Except government state websites, hospitals.”
This just goes to show that even DDoSers have some moral compass, as well as a healthy fear of the government.
With the true capabilities of at least one of the “stress testers” confirmed, we reached out to Fiverr to let them know about the misuse of their service. They were very quick to respond with a promise to have their Trust & Safety team investigate further.
Two days later we saw the results of their efforts. Three of the stresser providers were removed, including our pal Scullzy.
Stressing the stressers
Fiverr’s decisive action should serve as an example to an online community that, by and large, has accepted the existence of illegal stressers as a fact of life.
From hosters maintaining their websites, to forums allowing promotional posts and review sites comparing offerings, stressers have embedded themselves into the internet landscape and, much like organic viruses, are feeding off of their hosts.
But even if stressers aren’t going away, we don’t have to make their lives any easier. Next time you encounter an ad for an illegitimate DDoS-for-hire service, take a moment to report it. It’s time to expose this charade by applying some stress to the stressers.