Analyzing DDoS-as-a-Service customer databases


Jair Santanna (from Northwave Security) in collaboration with Curated Intelligence recently shared his methodology about how to analyze the databases of cybercriminal websites that offer Distributed Denial of Service (DDoS) attacks as a paid service. 

Background

For years cybercriminals have run DDoS-as-a-Service (DDoSaaS) offerings, commonly known as Booters, Stressers, or DDoS-for-hire. Recently, in December 2022, coordinated action against DDoSaaS sites led to many being taken down by a group of international law enforcement agencies (LEAs). This included the topic of this blog, the "stresser[.]gg" DDoSaaS site.

Research by Curated Intelligence members uncovered that the source code and databases of stresser[.]gg were publicly leaked back in March 2022 (see Figure 1).

Figure 1. A post on BreachForums containing the StresserGG DDoSaaS source code.

Following the international LEA action, Jair Santanna (from Northwave Security) revisited the data leaked in March 2022, explained his methodology for investigating such databases, and uncovered a number of interesting findings.

The scripts, data, and analysis of stresser[.]gg are publicly available on Santanna's Github:

https://github.com/jjsantanna/stresser.gg_db_analysis/blob/master/analysis_stressergg.ipynb

The analysis of the databases has been broken down into multiple areas:

  1. Attacks per day
  2. Attacks per user
  3. Attacks on a same target
  4. The difference between users (anyone with an account), customers (any user that paid anything), and attackers
  5. The number of login times per user
  6. The average time between a user logging in and performing an attack
  7. The users using Tor
  8. The IP addresses used by users
  9. The IP addresses of targets
  10. The country of attackers and victims
  11. The payment records and account details
  12. Querying the data per username, user_id, country and autonomous system number (ASN)
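As an added illustration of the first few areas in this list, the following stdlib-only Python runs those aggregations over a small constructed dataset. It is not code from Santanna's notebook or from the page; the table and column names (users, payments, logins, attacks with `user_id`, `target`, `amount`, `at`) are assumptions, not the real stresser[.]gg schema.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records; column names are assumptions, not the leaked schema.
USERS = [{"user_id": 1, "username": "alpha"}, {"user_id": 2, "username": "bravo"},
         {"user_id": 3, "username": "charlie"}, {"user_id": 4, "username": "delta"}]
PAYMENTS = [{"user_id": 1, "amount": 20.0}, {"user_id": 2, "amount": 5.0}]
LOGINS = [{"user_id": 1, "at": "2022-03-01 09:00:00"}, {"user_id": 1, "at": "2022-03-02 10:00:00"},
          {"user_id": 2, "at": "2022-03-01 11:00:00"}, {"user_id": 3, "at": "2022-03-03 12:00:00"}]
ATTACKS = [{"user_id": 1, "target": "203.0.113.10", "at": "2022-03-01 09:10:00"},
           {"user_id": 1, "target": "203.0.113.10", "at": "2022-03-02 10:30:00"},
           {"user_id": 3, "target": "198.51.100.7", "at": "2022-03-03 12:05:00"}]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def attacks_per_day(attacks):
    # Area 1: count of attack records per calendar day.
    return dict(Counter(ts(a["at"]).date().isoformat() for a in attacks))

def attacks_per_user(attacks):
    # Area 2: count of attack records per user_id.
    return dict(Counter(a["user_id"] for a in attacks))

def repeated_targets(attacks):
    # Area 3: targets hit more than once, most-attacked first.
    return [(t, n) for t, n in Counter(a["target"] for a in attacks).most_common() if n > 1]

def classify_users(users, payments, attacks):
    # Area 4: users (any account), customers (paid anything), attackers (launched anything).
    customers = {p["user_id"] for p in payments if p["amount"] > 0}
    attackers = {a["user_id"] for a in attacks}
    return {"users": len(users), "customers": len(customers), "attackers": len(attackers),
            "attackers_without_payment": sorted(attackers - customers)}

def mean_login_to_attack_seconds(logins, attacks):
    # Area 6: for each attack, seconds since that user's most recent prior login;
    # attacks with no earlier login record are skipped rather than guessed.
    by_user = {}
    for l in logins:
        by_user.setdefault(l["user_id"], []).append(ts(l["at"]))
    gaps = []
    for a in attacks:
        t = ts(a["at"])
        prior = [x for x in by_user.get(a["user_id"], []) if x <= t]
        if prior:
            gaps.append((t - max(prior)).total_seconds())
    return sum(gaps) / len(gaps) if gaps else None
```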

The intention of sharing this analysis is to facilitate the information security community and international LEAs with a methodology to analyze data from cybercriminal platforms.

The coordinated action from international LEAs and research by the information security community have helped reduce the prevalence of organized cybercriminal groups running DDoSaaS platforms and hopefully discouraged many from doing so.


Disclaimer - Curated Intelligence is a private trust group and members are able to publish their research under our banner without it being attributed to them. We thank our members for their contribution.