Full Report
Jair Santanna (from Northwave Security), in collaboration with Curated Intelligence, recently shared his methodology for analysing the databases of cybercriminal websites that offer Distributed Denial of Service (DDoS) attacks as a paid service.

Background

For years cybercriminals have run DDoS-as-a-Service (DDoSaaS) offerings, commonly known as Booters, Stressers, or DDoS-for-hire. In December 2022, coordinated action by a group of international law enforcement agencies (LEAs) took down many DDoSaaS sites. This included the subject of this blog, the "stresser[.]gg" DDoSaaS site.

Research by Curated Intelligence members uncovered that the source code and databases of stresser[.]gg had been publicly leaked back in March 2022 (see Figure 1).

Figure 1. A post on BreachForums containing the StresserGG DDoSaaS source code.

Following the international LEA action, Jair Santanna (from Northwave Security) revisited the data leaked in March 2022, explained his methodology for investigating the databases, and uncovered a number of interesting findings.
The scripts, data, and analysis of stresser[.]gg are publicly available on Santanna's GitHub:

https://github.com/jjsantanna/stresser.gg_db_analysis/blob/master/analysis_stressergg.ipynb

The analysis of the databases has been broken down into multiple areas:

- Attacks per day
- Attacks per user
- Attacks on the same target
- The difference between users (anyone with an account), customers (any user that paid anything), and attackers (any user that actually launched an attack)
- The number of logins per user
- The average time between a user logging in and launching an attack
- The users using Tor
- The IP addresses used by users
- The IP addresses of targets
- The countries of attackers and victims
- The payment records and account details
- Querying the data per username, user_id, country, and autonomous system number (ASN)

The intention of sharing this analysis is to provide the information security community and international LEAs with a methodology for analysing data seized or leaked from cybercriminal platforms.

The coordinated action by international LEAs and research by the information security community have helped reduce the prevalence of organised cybercriminal groups running DDoSaaS platforms and hopefully discouraged many from doing so.

Disclaimer - Curated Intelligence is a private trust group and members are able to publish their research under our banner without it being attributed to them. We thank our members for their contribution.
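The analysis areas listed above are, in practice, a handful of joins and group-bys over the platform's own tables (accounts, logins, attacks, payments). The following is an added worked example, not code from Santanna's notebook or from the stresser[.]gg source: it loads a constructed, clearly fictional booter database into in-memory SQLite and runs the core queries (attacks per day, user/customer/attacker sets, login-to-attack delay, Tor use, shared targets, per-country totals, and a per-username profile). The table layout, column names, IP addresses and the Tor exit list are assumptions for the example; a real leak will use a different schema and the queries need adapting.

```python
import sqlite3

# Constructed sample rows. The schema and column names are assumptions for this
# example, not the real stresser[.]gg tables; adapt the queries to a real leak.
USERS = [  # (user_id, username, country)
    (1, "alpha",   "US"),
    (2, "bravo",   "DE"),
    (3, "charlie", "NL"),
    (4, "delta",   "US"),
]
LOGINS = [  # (user_id, ip, logged_in_at)
    (1, "198.51.100.10", "2022-01-05 09:00:00"),
    (1, "198.51.100.10", "2022-01-06 09:00:00"),
    (2, "185.220.101.5", "2022-01-05 14:00:00"),  # listed below as an assumed Tor exit
    (3, "203.0.113.77",  "2022-01-07 20:00:00"),
]
ATTACKS = [  # (attack_id, user_id, target_ip, method, started_at)
    (1, 1, "192.0.2.10", "udp",  "2022-01-05 09:02:00"),
    (2, 1, "192.0.2.10", "udp",  "2022-01-06 09:10:00"),
    (3, 2, "192.0.2.20", "http", "2022-01-05 14:45:00"),
    (4, 2, "192.0.2.10", "dns",  "2022-01-05 15:00:00"),
]
PAYMENTS = [  # (user_id, amount_usd, paid_at)
    (1, 15.0, "2022-01-04 18:00:00"),
    (3, 30.0, "2022-01-06 11:00:00"),
]
# Assumed Tor exit list for the example; in practice load the current exit-node list.
TOR_EXITS = {"185.220.101.5"}

SCHEMA = """
CREATE TABLE users(user_id INTEGER PRIMARY KEY, username TEXT, country TEXT);
CREATE TABLE logins(user_id INTEGER, ip TEXT, logged_in_at TEXT);
CREATE TABLE attacks(attack_id INTEGER PRIMARY KEY, user_id INTEGER,
                     target_ip TEXT, method TEXT, started_at TEXT);
CREATE TABLE payments(user_id INTEGER, amount_usd REAL, paid_at TEXT);
"""

def load_db():
    """Build an in-memory SQLite copy of the (constructed) leaked tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO logins VALUES (?,?,?)", LOGINS)
    conn.executemany("INSERT INTO attacks VALUES (?,?,?,?,?)", ATTACKS)
    conn.executemany("INSERT INTO payments VALUES (?,?,?)", PAYMENTS)
    return conn

def attacks_per_day(conn):
    return dict(conn.execute(
        "SELECT date(started_at), COUNT(*) FROM attacks GROUP BY 1 ORDER BY 1"))

def classify_users(conn):
    """users = anyone with an account; customers = paid anything; attackers = launched
    at least one attack. The sets differ: a customer need not attack (charlie) and an
    attacker need not have paid (bravo, e.g. a free tier)."""
    ids = lambda sql: {r[0] for r in conn.execute(sql)}
    return {"users": ids("SELECT user_id FROM users"),
            "customers": ids("SELECT DISTINCT user_id FROM payments"),
            "attackers": ids("SELECT DISTINCT user_id FROM attacks")}

def login_to_attack_seconds(conn):
    """Per user: mean seconds from the most recent login to each attack launch."""
    return dict(conn.execute("""
        SELECT a.user_id,
               AVG(strftime('%s', a.started_at) - strftime('%s',
                   (SELECT MAX(l.logged_in_at) FROM logins l
                    WHERE l.user_id = a.user_id AND l.logged_in_at <= a.started_at)))
        FROM attacks a GROUP BY a.user_id"""))

def tor_users(conn, tor_exits):
    """Users who logged in from an IP in the supplied Tor exit list."""
    return {uid for uid, ip in conn.execute("SELECT DISTINCT user_id, ip FROM logins")
            if ip in tor_exits}

def shared_targets(conn):
    """Targets attacked by more than one distinct user."""
    return dict(conn.execute("""
        SELECT target_ip, COUNT(DISTINCT user_id) FROM attacks
        GROUP BY target_ip HAVING COUNT(DISTINCT user_id) > 1"""))

def attacks_by_attacker_country(conn):
    return dict(conn.execute("""
        SELECT u.country, COUNT(*) FROM attacks a JOIN users u USING (user_id)
        GROUP BY u.country"""))

def profile(conn, username):
    """Everything the database holds on one username (None if unknown)."""
    row = conn.execute("SELECT user_id, country FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    uid, country = row
    one = lambda sql: conn.execute(sql, (uid,)).fetchone()[0]
    return {"user_id": uid, "country": country,
            "ips": sorted({ip for (ip,) in conn.execute(
                "SELECT ip FROM logins WHERE user_id = ?", (uid,))}),
            "attacks": one("SELECT COUNT(*) FROM attacks WHERE user_id = ?"),
            "paid_usd": one("SELECT COALESCE(SUM(amount_usd), 0) FROM payments WHERE user_id = ?")}

if __name__ == "__main__":
    db = load_db()
    for fn in (attacks_per_day, classify_users, login_to_attack_seconds,
               shared_targets, attacks_by_attacker_country):
        print(fn.__name__, fn(db))
    print("tor_users", tor_users(db, TOR_EXITS), "profile", profile(db, "alpha"))
```

The user/customer/attacker split is the part worth getting right before anything is handed to an LEA: in the constructed data, charlie paid but never attacked and bravo attacked without paying, so counting "paying customers" or "attackers" alone under- or over-states who did what. Country and ASN lookups on the login and target IPs would be done the same way, with an external IP-to-ASN table joined on the ip column.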
Analysis Summary
# Tool/Technique: DDoS-as-a-Service (DDoSaaS) Platforms (Stresser.gg Example)
## Overview
This analysis focuses on the methodology for investigating the customer databases of Distributed Denial of Service (DDoS) attack platforms, commonly known as Booters, Stressers, or DDoS-for-hire services, using the leaked data from the "stresser[.]gg" site as a case study. These services are used by malicious actors to launch large-scale denial of service attacks against targets.
## Technical Details
- Type: Service / Infrastructure
- Platform: Web-based criminal infrastructure, targeting various network protocols and services.
- Capabilities: Providing customers with the ability to commission and launch distributed denial of service attacks against specified targets.
- First Seen: Not stated in the source. The site's source code and databases were publicly leaked in March 2022, and the site was taken down by international law enforcement action in December 2022.
## MITRE ATT&CK Mapping
This activity primarily relates to the **Impact** tactic, facilitating a Denial of Service attack.
- **TA0040 - Impact**
- **T1498 - Network Denial of Service**
- T1498.001 - Direct Network Flood (volumetric traffic sent straight at the target)
- T1498.002 - Reflection Amplification (spoofed requests to third-party services whose replies hit the target; commonly offered by DDoSaaS platforms)
- **T1499 - Endpoint Denial of Service** (application-layer attacks such as HTTP floods, which booters also typically sell)
## Functionality
### Core Capabilities
The service allows users (customers/attackers) to:
- Register an account and pay for access.
- Commission DDoS attacks against specified targets.
The back-end database records accounts, logins and source IP addresses, attacks with their targets, and payments; the analysis methodology mines these records for metrics such as attacks per day, attacks per user, attacks on the same target, and payment and account details.
### Advanced Features
The analysis methodology focuses on extracting privileged or identifying information from the leaked databases, including:
- **User Profiling:** Differentiating between general users, paying customers, and actual attackers.
- **Activity Tracking:** Measuring login frequency and the average time taken between login and performing an attack.
- **Anonymity Assessment:** Identifying users who utilize the TOR network for obfuscation.
- **Geospatial Analysis:** Determining the country of origin for attackers and victims, and analyzing the Autonomous System Numbers (ASNs) associated with them.
## Indicators of Compromise
Since the source material focuses on database analysis rather than malware artifacts, the IoCs relate to the infrastructure itself and customer attribution derived from the database:
- File Hashes: N/A (Analysis of leaked database content, not specific malware executables)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The analysis covers the IP addresses used by users (including logins via Tor exit nodes) and the IP addresses of targets, together with their countries and ASNs. The blog itself lists no specific IP addresses or domains; those are in the linked GitHub notebook.
- Behavioral Indicators: Patterns of usage, such as repeated logins followed rapidly by attack execution, or consistent use of TOR.
## Associated Threat Actors
Individuals and groups who purchase and use DDoS-for-hire services. The specific customer usernames, IP addresses, and payment details that the database analysis produces are not reproduced in this summary; they are in the linked notebook.
## Detection Methods
Detection methods are generally focused on identifying the use of these services or the attacks they generate:
- Signature-based detection: Signatures for known DDoS attack payloads or specific stresser attack scripts; not covered by this analysis, which focuses on the platform's own data rather than its attack tooling.
- Behavioral detection: Monitoring for high volumes of anomalous traffic directed at an organization, characteristic of a DDoS attack.
- YARA rules: None are given in the source; they could be written for stresser attack scripts or configuration files recovered from similar source-code leaks.
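As an added example (not from the blog or the linked notebook) of the behavioural detection item above, a minimal volumetric detector over constructed flow records: it baselines packets per minute per destination from the first few windows, then flags windows that exceed both a robust statistical threshold (median plus k times the median absolute deviation) and an absolute packet floor, and reports the number of distinct sources so a flood from many addresses (the distributed case) stands out from one chatty client. The flow format, thresholds and addresses are assumptions for the example.

```python
from collections import Counter, defaultdict
from statistics import median


def make_flows():
    """Constructed flow records (timestamp, src_ip, dst_ip, packets): ten quiet
    minutes from five clients, then a two-minute flood from 200 sources. Not real traffic."""
    flows = []
    for minute in range(10):
        for i in range(5):
            flows.append((f"2022-01-05T12:{minute:02d}:00", f"203.0.113.{i}", "192.0.2.10", 10))
    for minute in (10, 11):
        for i in range(200):
            flows.append((f"2022-01-05T12:{minute:02d}:00", f"198.51.100.{i}", "192.0.2.10", 40))
    return flows


def per_window(flows):
    """Packet totals and distinct source sets per (destination, minute) window."""
    pkts, srcs = Counter(), defaultdict(set)
    for ts, src, dst, packets in flows:
        key = (dst, ts[:16])  # 'YYYY-MM-DDTHH:MM'
        pkts[key] += packets
        srcs[key].add(src)
    return pkts, srcs


def detect(flows, baseline_windows=5, k=6.0, min_pkts=500):
    """Flag windows whose packet count exceeds the per-destination baseline
    (median + k*MAD over the first `baseline_windows` windows) AND an absolute floor.
    The floor stops a flat baseline (MAD of 0) from flagging trivial bumps."""
    pkts, srcs = per_window(flows)
    by_dst = defaultdict(list)
    for (dst, window), n in sorted(pkts.items()):
        by_dst[dst].append((window, n))
    alerts = []
    for dst, series in by_dst.items():
        base = [n for _, n in series[:baseline_windows]]
        if not base:
            continue
        med = median(base)
        mad = median(abs(n - med) for n in base) or 1.0
        for window, n in series[baseline_windows:]:
            if n >= min_pkts and n > med + k * mad:
                alerts.append({"dst": dst, "window": window, "packets": n,
                               "sources": len(srcs[(dst, window)]),
                               "baseline": med})
    return alerts


if __name__ == "__main__":
    for alert in detect(make_flows()):
        print(alert)
```

In production the baseline would be a rolling window per destination rather than the first five minutes, and the flow source would be NetFlow/IPFIX or a scrubbing provider's telemetry; the two-condition test (statistical deviation and absolute floor) is the part that carries over.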
## Mitigation Strategies
Mitigation addresses both the infrastructure and the resulting attacks:
- **Prevention Measures:** Robust network security posture, layered DDoS mitigation services (cloud-based scrubbing centers).
- **Hardening Recommendations:** Implementing strong rate-limiting policies, volumetric anomaly detection systems, and using Web Application Firewalls (WAFs) to defend against application-layer DDoS attacks. Cooperation with LEAs when details of such platforms are uncovered.
## Related Tools/Techniques
- **DDoS Booter/Stresser Services:** Other commercial DDoS attack platforms.
- **Database leak:** The data analysed came from a public leak of the site's source code and databases on BreachForums in March 2022; the same methodology applies to other leaked or seized platform databases.