Demystifying DDoS as a Service

In recent years, we have observed a resurgence of DDoS attacks. These attacks often exploit vulnerable servers (e.g., DNS and NTP) to produce large amounts of traffic with little effort. However, we have also observed the appearance of application-level DDoS attacks, which leverage corner cases in the logic of an application in order to severely reduce the availability of the provided service. In both cases, these attacks are used to extort a ransom, to hurt a target organization, or to gain some tactical advantage. As it has happened for many of the components in the underground economy, DDoS has been commoditized, and DDoS as a service (DaaS) providers allow paying customers to buy and direct attacks against specific targets. In this article, we present a measurement study of 17 different DaaS providers, in which we analyzed the different techniques used to launch DDoS attacks, as well as the infrastructure leveraged in order to carry out the attacks. Results show a growing market of short-lived providers, where DDoS attacks are available at low cost (tens of dollars) and capable of easily disrupting connections of over 1.4 Gb/s. In our study, particular attention was given to characterize application-level (HTTP) DDoS attacks, which are more difficult to study given the low volume of traffic they generate and the need to study the logic of the application providing the target service.