New study evaluates the effectiveness of four different types of law enforcement interventions against DOS attacks.
The first ever evaluation of effective responses to Denial of Service (DOS) attacks was released on 21.10.2019. It showed that high-profile arrests have a low impact, while targeted messaging has a significant long-term impact.
For 5 years, researchers from the University of Cambridge and the University of Strathclyde measured the impact of different types of law enforcement actions on Denial of Service attacks. On 21.10.2019 they presented their findings at the ACM Internet Measurement Conference in Amsterdam, having been supported by the Engineering and Physical Sciences Research Council. The study has, according to the University of Cambridge, already influenced the policy of the FBI and NCA towards booter services.
You can access the study here.
A Denial of Service (DOS) attack “is an attack meant to shut down a machine or network, making it inaccessible to its intended users”. It does this by flooding the target with traffic, or by sending it information that triggers a crash.
“Hacktivist” groups like the Electronic Disturbance Theater have made publicly available platforms that enable “non-hackers” to conduct such attacks. As such, DOS attacks have long been associated with online protest, but also with use as smoke screens for other attacks.
However, such attacks can increasingly also be purchased through “booter service websites”. The largest of these carries out 30,000 to 50,000 DOS attacks daily.
This commercial availability has widened the user spectrum, according to the study.
“Law enforcement are concerned that DoS attacks purchased from a booter site might be like a ‘gateway drug’ to more serious cybercrime,” said Ben Collier from Cambridge’s Department of Computer Science & Technology, the paper’s first author.
However, he goes on: “A big problem is that there is still relatively little evidence as to what best practice looks like for tackling cybercrime.”
To start this process of identifying best practices, the study analysed the impact of:
- high-profile court cases
- taking down individual booters
- wide ranging interventions
- targeted messaging campaigns
Court cases appear to have no significant impact on the overall number of DOS attacks. The study highlights the limited reach of such news, especially abroad. Thus, while in some cases a short-term localised reduction of attacks was detected, the overall attack landscape remained more or less the same.
Taking down individual booters also appears to produce only short-term effects. Compared to the court cases, these are more significant, as a regional rather than a localised reduction of attacks was measured. Nevertheless, the study highlights that no long-lasting change was achieved in either the dynamics of the booter market or the number of attacks.
More promising, according to the study, were campaigns by law enforcement agencies targeting several booters or the general support infrastructure enabling DOS attacks. The study measured a 27% to 37% reduction of attacks over 10 weeks following a coordinated shutdown of booter services. Further, closing down websites providing direction to such booters led to a comparably smaller reduction in attacks, but its effect lasted for 13 weeks.
Finally, the most promising practice, according to the study, was “The NCA’s search adverts campaign targeting potential booter users in the UK”. From late December 2017 to June 2018, the NCA bought targeted Google adverts aimed at young men in the UK. When a user searched for booter services, a targeted advert popped up, explaining that DoS attacks are illegal.
Indeed, while DOS attacks were rising in the rest of the world, the UK deviated, as the number of attacks was significantly reduced for the entire duration of the campaign. Only a few months after the campaign had ended did the DOS attack levels rise again. Hence, the campaign managed to significantly reduce DOS attacks for a timeframe of seven to eight months, making it the most effective response.
For the study, this also suggested that the increase in DOS attacks, at least in the UK, is driven by an “increased demand for these services linked to new users entering the market, rather than extra activity by existing booter users.”
To summarise, the study highlights the need for coordinated actions. It suggests that targeting individuals in court cases or shutting down individual booters produces almost no deterrent effect and has, if anything, only a short-term effect. On the other hand, the study suggests that targeting the wider infrastructure of booters, or how easy it is to access them, produces a significant reduction of attacks. The longest-lasting and most significant impact was achieved by deterring new users from accessing the booter services in the first place.
Notes: This article is based on the “Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks” study.
Author: Niklas Hamann
Collier, Ben; Clayton, Richard; Thomas, Daniel and Hutchings, Alice (2019). Booting the Booters: Evaluating the Effects of Police Interventions in the Market for Denial-of-Service Attacks. In: Internet Measurement Conference, 2019, 21-23
University of Cambridge (2019). Prevention better than cure at keeping young users from getting involved in cybercrime. Available at: https://www.cam.ac.uk/research/news/prevention-better-than-cure-at-keeping-young-users-from-getting-involved-in-cybercrime