Bibliographic Details
Main Authors: Vu, Anh V., Collier, Ben, Thomas, Daniel R., Kristoff, John, Clayton, Richard, Hutchings, Alice
Format: Preprint
Published: 2025
Subjects:
Online Access: https://arxiv.org/abs/2502.04753
author Vu, Anh V.
Collier, Ben
Thomas, Daniel R.
Kristoff, John
Clayton, Richard
Hutchings, Alice
contents Law enforcement and private-sector partners have in recent years conducted various interventions to disrupt the DDoS-for-hire market. Drawing on multiple quantitative datasets, including web traffic and ground-truth visits to seized websites, millions of DDoS attack records from academic, industry, and self-reported statistics, along with chats on underground forums and Telegram channels, we assess the effects of an ongoing global intervention against DDoS-for-hire services since December 2022. This is the most extensive booter takedown conducted to date, combining targeting infrastructure with digital influence tactics in a concerted effort by law enforcement across several countries with two waves of website takedowns and the use of deceptive domains. We found over half of the seized sites in the first wave returned within a median of one day, while all booters seized in the second wave returned within a median of two days. Re-emerged booter domains, despite closely resembling old ones, struggled to attract visitors (80-90% traffic reduction). While the first wave cut the global DDoS attack volume by 20-40% with a statistically significant effect specifically on UDP-based DDoS attacks (commonly attributed to booters), the impact of the second wave appeared minimal. Underground discussions indicated a cumulative impact, leading to changes in user perceptions of safety and causing some operators to leave the market. Despite the extensive intervention efforts, all DDoS datasets consistently suggest that the illicit market is fairly resilient, with an overall short-lived effect on the global DDoS attack volume lasting for at most only around six weeks.
format Preprint
id arxiv_https___arxiv_org_abs_2502_04753
institution arXiv
publishDate 2025
record_format arxiv
title Assessing the Aftermath: the Effects of a Global Takedown against DDoS-for-hire Services
topic Cryptography and Security
url https://arxiv.org/abs/2502.04753