UPDATED 11:43 EST / JANUARY 13 2015

NexusGuard Headquarters NEWS

Lizard Squad and the DDoS-for-hire ecology explained by NexusGuard

NexusGuard Headquarters

Recently, Internet mayhem group Lizard Squad made news by ruining Christmas Day for Xbox Live and PlayStation Network users. Afterwards the group unveiled a distributed denial of service (DDoS) tool offered to the public that allows people to use the DDoS infrastructure to boot companies offline for a few seconds to a hours in exchange for cash.

This phenomena kicked open the doors of a shadowy hacker underbelly that already offers these services (even publicly) and gave the popular news media a good look at what’s called DDoS-for-hire.

To get a better understanding of the black market industry behind tools used for DDoS, SiliconANGLE spoke to NexusGuard’s Chief Scientist Terrence Gareau. His thoughts were included in a story outlining predictions for DDoS in 2015, which Lizard Squad’s current activities appear to be fulfilling.

NexusGuard provides enterprise-level DDoS protection and risk management services and has been operating since 2008. As a result, its engineers and scientists have been at the front lines of understanding and witnessing the nature and evolution of DDoS attacks, how they affect businesses with Internet presence, and what’s for sale on the DDoS-for-hire market.

Anti-DDoS computer scientists such as Gareau go to work every day to see a landscape dominated by tools that are used constantly to attack network infrastructure; a wide variety of attackers wield these tools from script-kiddies to nation states. The stakes can be high with millions of dollars riding on a large company being offline for even part of a day.

The services provided as DDoS-for-hire are often called “booters” or “stressers.” In fact, the Lizard Squad DDoS-for-hire service is called the Lizard Stresser. Its Terms of Service suggests that it should only be used to test your own network—as normally “stressers” are used as part of network testing to make sure it can handle the traffic—however, the tool is utterly indiscriminate and is pointedly designed to be used as a cyberweapon.

Include that the tool itself brags about the Lizard Squad’s exploits against Microsoft and others and it’s obvious what it’s marketed for.

“Welcome to LizardStresser,” says the Introduction section, “brought to you by Lizard Squad. This booter is famous for taking down some of the world’s largest gaming networks such as XBOX LivePlaystation NetworkJagexBattleNetLeague of Legends and many more! With this stresser, you wield the power to launch some of the World’s largest denial of service attacks.”

Lizard Squad in for the lulz or the money?

 

One of the principal curiosities of Lizard Squad’s activities as a run-up to the New Year happened to be the way the group comported themselves on Twitter and other social media. It’s not uncommon for Internet mayhem groups to brag about exploits and generally induce disruption—as seen with LulzSec and DerpTrolling—but there was just something too much like a marketing campaign in Lizard Squad’s activities.

lizard-squad-ddos-bombThe group did more than just claim credit for taking large businesses offline, they predicted and perpetrated large DDoS attacks designed to have the largest impact possible proving the efficacy and power of their DDoS tool. The attacks started with Lizard Squad hitting major gaming networks including Battle.net (home of World of Warcraft, Starcraft II, and Diablo), EVE Online, and League of Legends to finally culminate in ruining Christmas Day for Xbox Live and PlayStation Network.

This all happened with much fanfare from the Twitter account of Lizard Squad. As they shouted their capabilities from the rooftops, but mysteriously the group never spoke of what tool they used to commit the crimes. The group seemed to be showing off without “showing off.”

If nothing else: it became evident the Lizard Squad’s DDoS tool is impressive.

So when the Lizard Stresser finally appeared on the market and it asked for money from everyday users to DDoS sites offline, it felt almost like no surprise.

The anatomy of DDoS-for-hire

 

According to Gareau there are four parts to DDoS-for-hire infrastructure: a free cloud CDN to hide the system, a front end for customers, the API for control, and the attack infrastructure itself: the botnet.

The fundamental part of any DDoS-for-hire operation, of course, is the botnet or the weaponized portion of the DDoS network. Botnets are usually large groups of computers running a specialized program designed to send bursts of garbage information to particular targets in order to saturate their network connections and thus knock them offline.

Modern day DDoS attacks have a wide variety of mechanisms to inflict service disruptions, as seen from attack trends in 2014. One of the most common today is amplification attacks, which use vulnerable Internet services to increase the payload of a DDoS attack by using them to increase the amount of data being sent across the network. This is done by sending a small message to a vulnerable service which responds with a large message; if the attacker spoofs their return address to that of the target, a fusillade of small messages from the attacker becomes an onslaught of large messages sent to the victim.

According to security researcher Brian Krebs, the DDoS botnet run by Lizard Squad is mostly made up of home routers that have been compromised to become DDoS zombies.

This is echoed by Gareau who says Lizard Squad’s “attack infrastructure appears stronger by leveraging infected hosts and vps providers,” and this is what makes the LizardStresser so interesting because he adds their “attack infrastructure is what sets them apart. They have an enhanced understanding compared with like-minded ‘bad guy’ services.”

Second, the system needs some sort of master-controller that tells the bots what to do or an API (known to programmers as the Application Programming Interface). The malware running the zombie bots connects to the master to receive orders (i.e. what target to flood, how much data to send, how long to send it.) In many cases DDoS botnets have used Internet Relay Chat channels to receive commands from the master, which can be a person logging into IRC or another program that relays commands.

Next, in the for-hire part may require some sort of front end for participants to actually put money in. While it’s certainly possible for a DDoS botnet operator to just take money and then send commands manually, DDoS-for-hire has gotten to the point where the entire service is automated from taking money, verifying the transaction, and initiating the attack via the API.

“The front end is similar to others, likely containing a great deal of code reuse from publicly leaked front ends,” says Gareau. The Lizard Squad crew may have a powerful back-end, but their front-end programming savvy seems to be mostly of the copy/paste variety.

Krebs confirms this and he believes that Lizard Squad’s front-end is basically a rip-off of an already black market available DDoS tool called titaniumstresser, which he says is an already established DDoS for hire service.

This entire system must be hosted and it is usually run on what’s called “bulletproof” hosting. In hacker parlance bulletproof hosting refers to any hosting provider who is willing to host pretty much anything irrespective of the illegality of the content. The bulletproof host in Lizard Squad’s case houses the front end with login and capability to take orders paid for via Bitcoin.

To hide all of this a cloud content distribution network (or CDN) is used to obfuscate the IP address of the bulletproof hosting so that it’s more difficult for authorities or other hackers to attack the front end. In the case of the Lizard Squad stresser service the service is CloudFlare.

lizard-stresser-screenshot

For a nominal charge the Lizard Stresser takes bitcoins and credit cards to trigger DDoS attacks against any target.

 .

Lizard Squad’s DDoS-for-hire no longer so black market

 

Ordinarily booter services are not something the general public, or even mainstream media, see very often. These services are generally offered by operators who spend their time in the less respectable neighborhoods of the Internet and thus are often the purview of security researchers and bloggers.

Although it should be noted that over the past few years DDoS-for-hire services have gotten bolder and many advertise themselves and offer front ends that allow PayPal as a method of payment. Lizard Squad’s service has simply managed to snag a more mainstream audience than most due to the exploits that lead to its unveiling.

“The pricing is in-line with similar providers,” says Gareau. He also notes that the Lizard Squad DDoS-for-hire service could be said to have a competitively aggressive attack capability putting it in the higher end of such services.

ddos-attackPricing on the Lizard Stresser starts at $5.99 monthly for 100 second bursts and goes up to $129.99 monthly for an 8 hour blast. The booter service also offers a “lifetime” option expected to be approximately 5 years topping out at $500. The purchase package page is slick, looks professional, and offers both Bitcoin and Google Wallet options for payments.

The Lizard Stresser site itself claims to have been used 16,995 times since going online.

It’s hard to tell if it’s actually been used due to the nature of attack botnets using numerous mechanisms to hide their numbers and capabilities. However, Lizard Squad themselves continue to brag about its capabilities and even used it recently to take image message board 8chan offline, as reported by Ars Technica.

This seems to give further weight to evidence that Lizard Squad is marketing this tool to make money for themselves based on the fame garnered from the Xbox and PlayStation Christmas Day attacks.

“I really feel Lizard Squad has upped the ante on the DDoS for hire market,” says Gareau. “They have taken an approach much like Silicon Valley startups that focuses on marketing and media to push a product and make their stresser appear better than competitors.”

Whether a group of juvenile delinquents who found themselves in the midst of a media publicity blitz or accidentally-savvy marketers, Lizard Squad has made headlines and changed the nature of DDoS-for-hire and the way the media itself perceives DDoS.

photo credit: photosteve101 via photopin cc

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU