It’s All About The Money: PayPal And its Fight Against DDoS for Hire Services

Over the past couple of years, hacker groups like the Lizard Squad have gained internet infamy: first for their high-profile exploits, such as the Lizard Squad Christmas attacks on Sony PlayStation and Xbox Live, and then for their DDoS-for-hire services that allowed anyone with a grudge and some spare cash to unleash DDoS devastation on the websites of their choosing.

If you’ve followed these stories at all, you won’t be blamed for thinking these groups do it because they’re too obsessed with video games, or because they’ve got nothing better to do, living in their parents’ basements and all. But make no mistake about it: hackers behind DDoS for hire services are doing it for the money.


Read on to find out how PayPal is hitting these services where it hurts, why these excellent efforts aren’t quite a cure-all, and what you need to do to pick up the slack.

The skinny on booters and stressers

These DDoS for hire services are known as booters or stressers. According to anti-DDoS specialists Incapsula, what booters and stressers offer is access to a botnet: a cluster of malware-infected computers that is used in DDoS attacks. Booters and stressers enable anyone to pay a fee, log in to the backend of a website, and navigate a user-friendly platform to identify a target and launch a DDoS attack using these botnets. These sites typically offer subscriptions that range from $10-$300/month for an unlimited number of attacks that last anywhere from 30 seconds to three hours.

DDoS attacks are Distributed Denial of Service attacks, which render websites and other online services unavailable to legitimate users. As such, there are a number of motives for these attacks: revenge, business rivalries and gaming rivalries chief among them.

Unfortunately, not having any gaming or business rivals or enemies in general doesn’t mean your website is safe. A cute little money-making hobby for many is sending ransom emails to the owners of random websites demanding payment in order to prevent a DDoS attack.

The supporting players

When booters and stressers hit the news, the story was followed by information that was almost even more depressing. Not only did these DDoS for hire services exist, but it seemed they were being supported by legitimate businesses. CloudFlare, a professional DDoS protection service, has been found to be supplying these booter websites with DDoS protection (for example, see here and here), while online payment giant PayPal was being used as a means for users to pay the fees for these DDoS for hire services.

The difference between PayPal and CloudFlare is in how these companies reacted to making the news alongside booters and stressers.


PayPal boots the booters

Since news broke about CloudFlare providing DDoS protection to DDoS for hire services, CloudFlare has issued much the same statement: choosing not to protect these websites would be a form of censorship, which they don’t support. Even accusations of conflict of interest (a valid claim, given that CloudFlare is protecting groups enabling the attacks that make CloudFlare their money) are met with this line about censorship.

PayPal, on the other hand, has taken action. Working with researchers at UC Berkeley, George Mason University and the University of Maryland, PayPal has been identifying the accounts associated with these booter websites and placing restrictions on the accounts, essentially freezing funds and disallowing further payments.

Within a few days of these steps being taken, the researchers found the percentage of active booters fell from between 70 and 80% to a low of 10%. This step didn’t cause all of these services to pack it in, of course. Some of them have moved to Bitcoin, a peer-to-peer online payment system. However, because Bitcoin is far less popular than PayPal, the actions taken by PayPal have greatly limited DDoS for hire services.

Figure: Decrease in the percentage of active booters due to PayPal intervention (source: krebsonsecurity.com)

It’s good news…but not great news

What PayPal is doing is admirable, and their continued efforts will play a significant role in limiting the average person’s ability to launch a DDoS attack. But these efforts aren’t going to make DDoS for hire services go away entirely, nor are they likely to impact the major multi-vector DDoS attacks that cost unprotected organizations an average of $40,000 per hour to deal with. These are not being launched by people paying $100/month for the privilege.

If you’re a business owner or a website owner, you simply can’t leave the protection of your website against DDoS attacks up to companies like PayPal. They’ll do their part, certainly, but their part isn’t enough.

Forty-five percent of organizations are targeted by DDoS attacks, and 70% of organizations targeted are targeted more than once. And if that $40,000 per hour to deal with an unmitigated DDoS attack isn’t shocking enough, consider that DDoS attacks also routinely cause software and hardware damage, a loss of revenue, reduced consumer trust, and even theft of customer data or intellectual property.

If those things don’t sound like a good time to you, professional DDoS protection is a necessity.