Is law enforcement powerless against DDoS-for-hire services? Half of all “booters” resurrect within a day


Law enforcement agencies' efforts to stop DDoS-for-hire services, also known as “booters,” are proving ineffective. More than half of all booters that are taken down quickly reappear online. On average, the services are available again within 20 hours.

That’s what researchers from the University of Cambridge have concluded after studying two waves of takedowns, which happened in December 2022 and May 2023.

Analysts examined the impact of law enforcement campaigns against the so-called booters. The Cambridge researchers hosted splash pages on their infrastructure and logged over 20 million visits.


To gain a clearer picture of access to these booters, the researchers also collected Similarweb traffic analytics for all seized and resurrected domains, as well as DDoS attack datasets from Hopscotch, AmpPot, Netscout, and a collection of self-reported statistics from over 200 booters spanning two years. In total, 47 million DDoS attacks were recorded and analyzed.

Lastly, the researchers collected thousands of forum posts and chats from various booters’ Telegram channels to see how operators and customers reacted to the campaign.

Researchers noticed how quickly the booters bounced back into action. In the December 2022 wave, over half of all DDoS-for-hire services returned after around 20 hours, with only one key difference: the domain name had changed.


In the May 2023 wave, all seized booters were back online, mostly within 40 hours after they were taken down.

The speed with which the websites were relaunched doesn’t necessarily mean the relaunch was successful. In most cases, traffic collapsed.


“We observed an 80-90% reduction in both visits and visitors compared to pre-seizure levels, and by the end of September 2023, the combined traffic to all resurrected domains had dropped to only trivial daily visits,” the researchers said.


The seized booter services' most frequent visitors originated from the United States, followed by China, Germany, the United Kingdom, and Russia, with smaller numbers from France, the Netherlands, Turkey, Poland, and Singapore.

Only a handful of users tried to hide their location and identity with proxy servers or VPNs.

“This supports the idea that typical booter customers are not seasoned criminals but rather young, relatively inexperienced users with little awareness of operational security,” the analysts said.

What lesson is there in this story? Interventions by law enforcement agencies do work in the short term because they reduce the number of DDoS attacks and cut traffic. However, in the long run, their efforts seem to have little effect because seized domains are replaced within hours and attack volumes rebound in weeks.

“The fight against DDoS-for-hire is less about landing a knockout punch and more about ensuring the market never feels stable again,” the researchers concluded.