Life inside a DDoS "booter site"

The internal records of Lizardsquad's Lizardstresser — a service that would, for money, flood sites with traffic intended to knock them off the Internet — were dumped to Mega by Doxbin's former operator, providing an unprecedented public look at the internal workings of a booter.

Most of Lizardstresser's customers attack small servers, including personal Minecraft servers. Their most prolific customer was called "ryanbrogan" (an alias taken from the name of an FBI cybercrime agent), who paid the service to attack a single server at SF-based hosting provider Centauri Communications 1,468 times. Ryanbrogan also attacked 19 other sites.

An Ars analysis of the LizardStresser database found that the service launched nearly 16,000 individual attacks over the past month, targeting just over 3,900 IP addresses. The vast majority of these attacks—67 percent—targeted common Web server ports (port 80 and 8080 for HTTP; and a small but significant number of attacks on port 443 for HTTPS). The next most popular target—accounting for nearly 7 percent of the attacks—was port 25565, the network port used by Minecraft servers.

The next most popular target was Parallels' Plesk control panel for shared hosting accounts, which accounted for about 5.5 percent of the attacks. LizardStresser's customers also tried out attacks on Domain Name Service and File Transfer Protocol services. And rounding out the top attacks were assaults on Xbox Live and Battlefield 4 game traffic, likely aimed at interrupting service to specific individuals based on the fact that they were pointed at residential IP addresses.

Other big targets were hosting companies in Nevada, Quebec, Poland, and Malaysia. It's likely that these attacks were focused on Web forums and personal sites that the attackers held a grudge against. Ars attempted to reach Centauri and other hosting companies to ask them about the attacks, but we only reached a live person at one company who declined to be identified. "We get attacked all the time," he said, noting that there was nothing particularly noteworthy about the last month in terms of the volume of denial-of-service attacks.

A hacked DDoS-on-demand site offers a look into mind of "booter" users [Sean Gallagher/Ars Technica]