
Criminals earn less than minimum wage when blasting websites off the internet

Want to knock a website off the internet for 48 hours? That will cost you a mere $173.


source: Arbor Networks

That’s one of the surprising findings uncovered by a behind-the-scenes look into the DDoS-for-hire industry, conducted by Arbor Networks researcher Dennis Schwarz.

Schwarz focused his attention on a Russian-language hacker called “Forceful”, who rents out his “booter” services to anyone who is interested in launching a distributed denial-of-service attack.

The investigation into Forceful’s so-called booter or stresser service was aided by public mistakes made by the criminal, which allowed Arbor Networks to keep a beady eye on Forceful’s botnet and command & control center.

It turns out that Forceful will charge you $60 per day to rent his booter, or $400 if you need a site to be taken out for an entire week.

Forceful’s daily rate works out to approximately $2.50 per hour – less than the minimum working wage in many countries.

If you’re not sure if Forceful is the right DDoS attacker for you, well, he’s thought of that. He advertises a free test, lasting five to ten minutes, on a Russian crime forum.

Since last July, Forceful’s DDoS bot has been used against 108 targets, with attacks lasting between one hour and two weeks.

The rewards for this criminal activity are not considerable, and it doesn’t sound as if Forceful is going to get rich quick:

“In the end, the total estimated revenue for the 82 attacks from July 9, 2015 to October 18, 2015 was $5,408. The mean estimated revenue per attack was $66 and the mean estimated revenue per day was $54.”

Of course, this may not be the only income source for those renting out DDoS attacks. DDoS mitigation firm CloudFlare reported this week that it has seen a dramatic rise in the number of individual DDoS attacks, with many focused on the weekend.

The largest attack CloudFlare saw during the month of February peaked at 400 Gbps.


“That’s about a 15x increase in individual DoS events. These new attacks are interesting for a couple of reasons. First, the spikes align with the weekends. It seems the attackers are busy with something else during the week. Second, they are targeting a couple of fairly benign websites – this demonstrates that anybody can become the target of a large attack. Third, the overall volume of the attack is enormous.”

What is surprising is just how much of a difference there is between the cost of renting a DDoS attack and the estimated potential financial damage that such an attack can inflict on an online company. In a recent report, Arbor calculated that a DDoS attack costs victims on average approximately $500 per *minute*.

Of course, the costs of running a booter/stresser service are very low – they’re not paying taxes, and are exploiting compromised computers, servers and poorly-configured home broadband routers to launch their attacks, rather than having to purchase and maintain the infrastructure themselves.

And if someone really wants to make money from a DDoS attack, the big money is not so much in renting out the booter service to bring down the websites – but in attempting to extort money from victims, with the blackmail threat that their sites will stay down unless they pay up.

Any company which relies upon its website to make money, and provide services to its customers, needs to consider very seriously what it is going to do about DDoS attacks. The problem isn’t going away, and it’s just getting worse. And as long as computer users continue to attach devices to the internet which are poorly defended against being hijacked by online criminals, I cannot see that threat disappearing.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.