DDoS for hire emerges

DDoS-for-hire is now openly available as a service. Underground markets advertise specific compromised-host capacity for rent. The category is mature and worth a careful walkthrough; this post is the structural assessment I have been promising myself for some months.

What is now available

For a few hundred dollars, an attacker can rent a botnet of thousands of compromised hosts and direct them at any target. The economic infrastructure is professional; the operations are predictable; the targeting is at the customer's discretion.

Four specific service patterns have emerged:

Pay-per-hour DDoS. The customer specifies a target IP and duration; the service provider directs their botnet at the target for the agreed time. Rates as of mid-2005 are roughly $20-50 per hour for moderate-scale attacks (thousands of compromised hosts) and several hundred dollars per hour for larger-scale attacks.

Pay-per-attack DDoS. The customer pays a flat fee for an attack that achieves a specific outcome — typically taking the target offline for a defined period. The pricing is higher than pay-per-hour because the service provider commits to outcome rather than just effort.

Subscription botnets. The customer pays a monthly fee for ongoing access to a portion of a botnet. They can issue commands directly; the service provider is the infrastructure rather than the operator.

Botnet-as-property. The customer purchases an entire botnet outright. This is unusual but exists at the high end of the market.

The underground markets where these services are bought and sold are themselves mature. The transactions use various intermediated payment mechanisms; reputation systems exist; disputes are handled through informal arbitration.

What this means structurally

Three implications.

The attacker skill barrier has dropped further. Anyone who can navigate underground markets and pay the rates can hire DDoS. The technical knowledge required is essentially zero. The population that can launch DDoS attacks has grown by orders of magnitude.

The defensive economics are worse than ever. The cost asymmetry between attack and defence has been growing for years; DDoS-for-hire is the most recent step in the trajectory. An attacker can produce a substantial attack for a few hundred dollars; the targeted operator may have to invest tens of thousands in capacity and mitigation infrastructure.

The targeting is now narrower. Specific organisations can be hit by anyone with a grievance and a few hundred dollars. The traditional defensive posture against DDoS — having sufficient capacity to absorb attacks aimed at large internet services — does not work for medium-sized targets that previously assumed they would not be specifically targeted.

The compromised-host substrate

The substrate for these services is the cumulative compromised-host population. Every worm of recent years has contributed; many compromised hosts have not been cleaned up; the cumulative pool is enormous.

The specific host populations behind DDoS-for-hire services include:

Compromised home computers. Cable and DSL connections with substantial bandwidth and minimal supervision. The largest single category.

Compromised small-business servers. Often forgotten infrastructure (as I described in 2001) running unpatched services. Smaller in count than home computers but with better connectivity per host.

Compromised hosting-provider customers. Hosts at hosting providers that have not invested in security. These have very good connectivity per host; relatively small in count but disproportionate in capacity.

The cumulative population is, by various estimates, in the millions. Specific attacks may use only a few thousand at a time; the available pool is much larger.

What customers are buying these services for

The customer base for DDoS-for-hire is varied. Specific motivations I have seen reported:

Commercial competitors. A specific online retailer hires DDoS to take a competitor offline during a critical sales period. This is the most common customer pattern.

Disgruntled individuals. Personal grievances against specific organisations. The targeting tends to be uncoordinated and short-duration.

Extortion. "Pay us or your site goes offline for a week." The DDoS is the threat; payment averts it. This category is growing rapidly.

Political targeting. Specific organisations associated with political positions are attacked by parties opposing them. The motivations are varied; the operational pattern is similar.

Test-runs by attackers. Some hires are reconnaissance — determining whether a target can be effectively attacked, before larger operations.

The diversity of customer motivations means that essentially any organisation with a public-facing internet presence is potentially a target. The previous assumption that "only major sites need to worry about DDoS" no longer holds.

The defensive response

The defensive responses, at the operator level, remain unchanged from what I have been writing about for years:

Capacity headroom. Substantial bandwidth above normal usage levels reduces the impact of moderate attacks. The cost is real; the benefit is bounded — sufficient capacity for typical attacks but not for the largest.

Upstream coordination. Working with ISPs to apply emergency filters when attacks occur. This requires pre-existing relationships and clear procedures.

Egress filtering / BCP 38. Source-address validation at the operator's own network edge does not directly defend against incoming attacks, but it prevents the operator's hosts from contributing spoofed-source traffic to attacks against others.

Specialised mitigation services. Several companies now offer DDoS-mitigation as a service. The customer routes traffic through the mitigation provider; the provider absorbs attacks and forwards legitimate traffic. The cost is non-trivial; the protection is substantial.

The specialised mitigation services are the most effective single defence. They have economies of scale that individual operators cannot match. The providers maintain large absorption capacity, sophisticated traffic-pattern detection, and ongoing relationships with major carriers.

For most medium-sized operators, the cost-benefit of mitigation services is becoming favourable as DDoS-for-hire makes targeted attacks more likely. The market for these services is growing rapidly.

What does not work

A few things sometimes proposed but not effective:

Trying to defeat the attack at the host level. A flooded host cannot defend itself; the bandwidth saturation has already happened upstream. Host-level defences against DDoS are largely useless.

Trying to identify and prosecute the attackers. The attribution problem is severe; the customers and operators are typically in jurisdictions that do not cooperate with investigation; the prosecution rate is essentially zero. Some specific cases have been prosecuted, but the deterrent value across the broader population is small.

Trying to clean up the compromised-host substrate. This would be the structural answer; it is also enormously difficult. The compromised hosts are owned by individual users and small organisations who lack the technical capacity to clean up; the cumulative cleanup work is far beyond what any current effort can deliver.

What might work, eventually

Three structural changes that, if deployed at scale, would substantially reduce the DDoS-for-hire problem:

Universal BCP 38 deployment. Source-address validation at the carrier level prevents spoofed-source DDoS, which is a meaningful fraction of current attacks. The deployment has been underway for years; it is not yet universal.

Stronger ISP responsibility for compromised customers. ISPs that proactively detect and isolate compromised customer hosts reduce the substrate. Some ISPs are starting to do this; many are not. The economic incentives are uneven.

Mature DDoS-mitigation infrastructure at carrier scale. The mitigation services I described above operating at carrier scale, integrated with the carriers' own infrastructure, would absorb attacks much more effectively. This requires investment that carriers have been slow to make.

None of these is fast. The cumulative trajectory is positive but slow. The threat will continue to scale faster than the response for some years.
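As an added illustration of the source-address validation behind the egress-filtering item in the defensive list above and the universal BCP 38 point here (example code written for this page, not something the post or any vendor supplies): a small Python model of the rule a border router applies to outbound traffic. The prefixes, interface name and packet records are constructed from documentation address ranges; the iptables rendering is the ordinary FORWARD-chain form of the same rule.

```python
"""Source-address validation (BCP 38) at a network edge, simulated.

Added example: a minimal model of the egress filter the post recommends.
The prefixes, interface name and packet records below are constructed
for illustration; they are not from the post or from any real network.
"""
import ipaddress
from collections import Counter

# Constructed: address space this operator legitimately originates traffic from.
OUR_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),       # documentation range standing in for an IPv4 allocation
    ipaddress.ip_network("2001:db8:10::/48"),   # documentation range standing in for an IPv6 allocation
]


def egress_decision(src, prefixes=OUR_PREFIXES):
    """Return 'forward' if src lies inside one of our prefixes, else 'drop'.

    BCP 38 is a strict rule: a packet leaving our network with a source
    address we do not own cannot be legitimate, whatever its destination.
    An unparseable source is dropped as well; a malformed header is not a
    reason to pass the packet.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop"
    return "forward" if any(addr in p for p in prefixes) else "drop"


def filter_egress(packets, prefixes=OUR_PREFIXES):
    """Apply egress_decision to (src, dst) records.

    Returns per-verdict counts and the set of forged sources seen, which is
    what an operator would want logged: a spoofed source leaving the network
    points at a compromised host inside it.
    """
    counts = Counter()
    spoofed = set()
    for src, _dst in packets:
        verdict = egress_decision(src, prefixes)
        counts[verdict] += 1
        if verdict == "drop":
            spoofed.add(src)
    return counts, spoofed


def render_iptables(prefixes=OUR_PREFIXES, iface="eth0"):
    """Render equivalent stateless rules for a Linux border router.

    Forwarded packets sourced from our prefixes are accepted, everything
    else leaving the upstream interface is dropped. Rule order matters: the
    ACCEPT lines must precede the DROP. The interface name is a placeholder.
    """
    lines = []
    for p in prefixes:
        tool = "ip6tables" if p.version == 6 else "iptables"
        lines.append(f"{tool} -A FORWARD -o {iface} -s {p} -j ACCEPT")
    lines.append(f"iptables -A FORWARD -o {iface} -j DROP")
    lines.append(f"ip6tables -A FORWARD -o {iface} -j DROP")
    return "\n".join(lines)


# Constructed sample: three legitimate packets and three that a compromised
# host inside the network might emit with forged sources.
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1"),
    ("192.0.2.77", "203.0.113.9"),
    ("2001:db8:10::5", "2001:db8:ffff::1"),
    ("203.0.113.44", "198.51.100.1"),    # forged: not our address space
    ("10.9.8.7", "198.51.100.1"),        # forged: RFC 1918, should never leave
    ("not-an-address", "198.51.100.1"),  # malformed source field
]

if __name__ == "__main__":
    counts, spoofed = filter_egress(SAMPLE_PACKETS)
    print(dict(counts), sorted(spoofed))
    print(render_iptables())
```

The model is the single-homed, stub-network case the post has in mind: one allocation, one upstream, so "is the source ours?" is the whole question. A transit or multihomed network applies the same check per customer-facing port instead (strict unicast RPF on routers; `rp_filter` on Linux is the ingress-side equivalent), and asymmetric routing can make strict mode drop legitimate traffic, which is the usual reason operators hesitate.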

What this teaches

Four generalisations.

Cybercrime is a market. The DDoS-for-hire infrastructure is the most visible single instance. Underground markets exist for many other categories of cybercriminal capability — credential lists, exploitation services, malware-as-a-service.

The defensive economics are structurally bad. The cost asymmetry between attack and defence is enormous; it grows over time as the underground markets mature.

Smaller operators are now in the threat model. The previous assumption that only major sites needed to worry about DDoS no longer holds. Any operator with a public-facing presence is potentially a target.

Structural change requires coordinated infrastructure investment. Individual operators cannot solve this problem. The collective infrastructure (BCP 38, ISP responsibility, carrier mitigation) is what matters; the deployment of collective infrastructure is slow.

What I am doing

For my own infrastructure: a small home network with a small public IP allocation. The realistic exposure to DDoS is bounded — I am not a high-value target. My defensive measures are the BCP 38 egress filtering I have always run plus a known relationship with my ISP for emergency support.

For friends running medium-sized infrastructure: I have been recommending DDoS-mitigation services for several. The cost-benefit has shifted; the services are now affordable enough to be worth considering for any operator whose business depends on availability.

For my structured-log analysis: tracking the patterns of DDoS-related scan and probe traffic. The reconnaissance that precedes targeted DDoS is sometimes visible.
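One way to do the scan-and-probe tracking mentioned above, as an added example and not the author's own tooling: a small Python analyser over constructed iptables-style syslog lines. It groups dropped inbound packets by source and flags sources that touch many distinct ports within a short window (a port sweep) or hit one port repeatedly in that window (a probe burst). The log prefix, addresses, thresholds and window are assumptions for illustration.

```python
"""Flagging scan and probe patterns in firewall drop logs.

Added example, not from the post. Parses constructed iptables-style
syslog lines (the `FW-DROP:` prefix, addresses and timing are invented
for illustration) and reports per-source reconnaissance patterns.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fields an iptables LOG target emits via syslog, trimmed to what we need.
# SPT/DPT are optional so ICMP lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: FW-DROP: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample: one source sweeping five ports, one source hammering
# port 80, one quiet source, and an unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Jun 14 02:10:01 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44321 DPT=22 SYN
Jun 14 02:10:02 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44322 DPT=80 SYN
Jun 14 02:10:03 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44323 DPT=443 SYN
Jun 14 02:10:04 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44324 DPT=8080 SYN
Jun 14 02:10:05 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44325 DPT=3306 SYN
Jun 14 02:10:05 edge sshd[123]: Accepted publickey for ops from 192.0.2.2 port 50000
Jun 14 02:10:30 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 14 02:10:31 edge kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51000 DPT=443 SYN
Jun 14 02:11:00 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60001 DPT=80 SYN
Jun 14 02:11:01 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60002 DPT=80 SYN
Jun 14 02:11:02 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60003 DPT=80 SYN
Jun 14 02:11:03 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60004 DPT=80 SYN
Jun 14 02:11:04 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60005 DPT=80 SYN
Jun 14 02:11:05 edge kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60006 DPT=80 SYN
"""


def parse_line(line):
    """Return an event dict for a firewall drop line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; ordering within one log file is all we need here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def analyse(log_text, window_seconds=60, sweep_ports=5, burst_hits=6):
    """Map each source to the sorted list of patterns it exhibited.

    For every event, the window is that event and all earlier events from
    the same source within window_seconds. 'port_sweep' fires when the
    window spans at least sweep_ports distinct destination ports;
    'probe_burst' fires when at least burst_hits events in the window hit
    the current event's port.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        tags = set()
        start = 0
        for end, ev in enumerate(evs):
            # advance the window start until it lies within window_seconds of this event
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            ports = {e["dpt"] for e in window if e["dpt"] is not None}
            if len(ports) >= sweep_ports:
                tags.add("port_sweep")
            if ev["dpt"] is not None:
                same_port = sum(1 for e in window if e["dpt"] == ev["dpt"])
                if same_port >= burst_hits:
                    tags.add("probe_burst")
        if tags:
            findings[src] = sorted(tags)
    return findings


if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_LOG).items():
        print(src, ",".join(tags))
```

The thresholds are deliberately low so the constructed sample trips them; on a real edge they need tuning against the normal background of internet noise, and a flagged source is a lead to look at in context (timing relative to announcements, other sources from the same range) rather than evidence that an attack is coming. Year-less syslog timestamps also mean a log spanning New Year's Eve sorts wrongly; a collector that stamps the year fixes that.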

A reflection on the trajectory

The DDoS-for-hire emergence represents a meaningful shift in the threat model. Previously, DDoS was a category that affected major operators rarely. Now it is a category that can affect any operator at any time, for a few hundred dollars.

The trajectory points toward continued maturation of the underground markets. Pricing will probably decrease over time as the market becomes more competitive. The capabilities will probably increase as the underlying compromised-host infrastructure grows.

The defensive response is, on the available evidence, going to be a years-to-decades transition. Operators will increasingly need to factor DDoS into their threat models; mitigation services will become more common; carrier-level infrastructure will eventually catch up.

For the next year or two, operators in the medium-sized category — too small to absorb attacks, too significant to be ignored — will be in a particularly difficult position. The mitigation services are the practical defence; the structural improvements are years away.

What I expect over the next year

Three predictions:

At least one major UK organisation will publicly disclose a DDoS-for-hire-related incident. Probability: 75%, deadline end of 2006.

Mitigation-service market growth will accelerate. Several major UK carriers will partner with mitigation providers. Probability: 80%, deadline end of 2006.

The cost of DDoS-for-hire will decrease as competition increases. Probability: 70%, deadline end of 2006.

More as the year develops.

A closing observation

DDoS has been part of the threat model since 2000; the structural shift to commercial availability is the new development. The defensive responses available at the operator level are bounded; the structural responses required at the infrastructure level are slow.

For operators whose business depends on continuous availability: this is the time to assess your DDoS readiness. The threat is now more accessible to attackers than it has ever been; the cost to attackers continues to drop; the probability of being targeted grows.

More in time.

The deeper structural problem

Let me extend the DDoS-for-hire post with a more careful treatment of the structural problem and its long-term trajectory.

Why the underground markets work

The DDoS-for-hire markets, and the broader underground markets they exist within, function because of several specific structural conditions:

Reputation systems. Buyers and sellers in underground markets have reputation, which constrains bad behaviour within the market. Sellers who fail to deliver get poor reputation; buyers who do not pay get blacklisted. The mechanisms are informal but effective.

Intermediated payment. Various payment mechanisms (e-gold, money mules, increasingly cryptocurrency) allow value to flow without directly traceable transactions. The payment infrastructure makes the markets economically viable.

Jurisdiction shopping. The participants operate from jurisdictions where local law enforcement does not pursue them, even when international cooperation requests are made. The geographic distribution of participants is not accidental.

Specialisation. The supply chain has matured to include specialists at each stage. Different parties handle compromise, infrastructure, attack execution, payment processing. The specialisation produces efficiency; it also makes any individual operator harder to identify and prosecute.

These conditions are the substrate for the underground markets. Each is structural; addressing any single one produces partial improvement but does not eliminate the markets.

What addressing the structural conditions would require

Three specific structural responses, each substantial:

Disrupting reputation systems. Operations that infiltrate underground markets and undermine the reputation infrastructure (false positive reviews, payment defaults, identity disclosure) reduce market efficiency. Some such operations exist; they are bounded by legal constraints and resource limits.

Disrupting payment infrastructure. Tracking and blocking the payment mechanisms used by criminal markets reduces economic viability. The financial-system response has been improving; cryptocurrency-style mechanisms have been complicating this.

International law-enforcement cooperation. Multi-jurisdictional investigations, with shared evidence and coordinated arrests, raise the cost of criminal operations. The cooperation has been improving but unevenly; specific jurisdictions remain difficult to engage.

The combination of these — reputation disruption, payment disruption, prosecution — is the structural answer. Each is bounded; the combination is more effective.

The decade-long trajectory

Looking at the broader pattern over the past decade:

The underground markets did not exist in any meaningful sense in 1995. The 1990s underground was hobbyist-focused, with limited commercial activity.

The markets emerged in the early 2000s as the commercial-cybercrime infrastructure formed. By 2005 they are mature.

The likely 2010-2015 trajectory: continued maturation, more sophisticated specialisation, possibly some structural disruption from law-enforcement and financial-system responses.

The likely 2015-2020 trajectory is harder to predict. The structural responses may catch up with the threats; alternative mechanisms (cryptocurrency, anonymity infrastructure) may complicate the responses; new categories of cybercrime may emerge.

What individual operators can do

The structural responses are not in any individual operator's control. What operators can do:

Reduce attack surface. Smaller and harder-to-identify targets are less attractive to opportunistic attackers. Many operators are too visible relative to the value of their targets.

Robust defence in depth. The disciplines I have been writing about — patching, segmentation, monitoring, forensic readiness — apply.

Engage with specialised mitigation services for high-risk operations. For operators whose business depends on availability, the mitigation services are increasingly the practical defence.

Contribute to coordinated defence. Operators who participate in industry coordination, share intelligence, and contribute to collective defence produce better outcomes than operators who do not.

Vote and advocate for policy responses. The structural responses require political-economic decisions. Operators who engage with the policy conversations contribute to better outcomes.

A final reflection

The DDoS-for-hire commercialisation is a category change that I have been tracking for some years. The pattern is now operational; the implications are still developing; the response is years from being adequate.

For my own writing: continued tracking of this category and related ones. The cumulative coverage over multiple years is more useful than any individual post.

More in time.

A final note on collective infrastructure

Let me close with broader observations about the collective infrastructure that defends against DDoS-for-hire and similar commercial cybercrime.

The individual operator's defensive options are bounded. The collective infrastructure (carrier-level mitigation, BCP 38 deployment, law-enforcement cooperation, financial-system anti-fraud) is what produces structural improvement over time.

The specific ways individual operators contribute to the collective infrastructure:

Apply BCP 38 / egress filtering on your own networks. Not because it directly defends you; because it prevents your networks from contributing to attacks against others.

Report incidents to industry coordination bodies: the Honeynet Project, the Anti-Phishing Working Group, the various national CERTs. The aggregate data informs collective defence.

Cooperate with law enforcement when incidents involve your infrastructure. The cumulative effect of multiple successful prosecutions matters; each operator's cooperation contributes.

Push your suppliers and partners toward better practices. Customer pressure on hosting providers, ISPs, vendors — collectively this shifts industry behaviour.

Engage with policy conversations. The structural responses require political-economic decisions; operators who engage with policy contribute to better outcomes.

None of these is dramatic; each is small; the cumulative effect across the operator population is meaningful.

For my own work: I will continue to contribute through the channels I can. The notebook is one channel; conference participation is another; the Honeynet contributions are a third. Each is bounded; the combination is what scales.

More in time.
