USENIX: Gamers use DDoS as a service to cheat -- a lot

Cheating gamers pay as little as $10 per month to launch denial of service attacks against their opponents as a tactical advantage using commercial providers that walk the line between being legitimate businesses that stress-test their customers' networks and purveyors of DDoS as a service, researchers at USENIX Security 2013 say.

Gamers attacking each other as well as gaming Web sites accounted for 180 out of 277 customers of twBooter, which says it helps to see how well sites withstand DDoS attacks, according to researchers Mohammad Karami and Damon McCoy of George Mason University who presented a paper on the subject this week in Boston. The service was used in some cases to knock government Web sites offline, they say.

TwBooter launched nearly 50,000 attacks during two months earlier this year charging a bargain price of about $15,000 total, the researchers say. Some of the attacks could generate 827M bit/sec in traffic against a single Internet connection, enough to swamp the personal links of Internet gamers or midsize Web sites.

[FLIP SIDE:Start-up Defense.Net debuts with anti-DDoS service]

The USENIX paper is based on about two months of SQL dumps from the company's severs that are publicly available on the Internet, the researchers say.

Conventional DDoS attacks rely on vast numbers of compromised computers organized as a botnet, which are expensive to create and manage. But twBooter launches its attacks from 15 servers, two of them in the U.S. and the rest in the Netherlands and charges $10 to $200 per month.

[MORE FROM USENIX:New security scheme whacks text spammers in hours]

The service employed a dozen different types of DDoS attacks, but just eight - SYN flood, UDP flood, amplification attacks, HTTP POST, HTTP GET, HTTP HEAD, RUDY (R-U-Dead-Yet) and slowloris -- account for 96% of the twBooter attacks recorded for the period Jan. 23 to March 15.

During that time 277 customers launched 48,884 attacks against 11,304 targets, either Web URLs or IP addresses. TwBooter gives customers the option to launch attacks that last anywhere from a minute to two hours, with the price adjusted according to the duration. About 65% of customers called for attacks lasting 10 minutes or less. They can pay more to launch up to three concurrent attacks, but 74% chose to launch just one attack at a time.

Most gamers are connected to the Internet via residential broadband connections, so they are readily overwhelmed.

[STILL MORE USENIX:Researchers propose security that adapts to combat malware that morphs]

The 15% of users who bought attacks lasting an hour or more were likely targeting Web sites, not gamers, the researchers say.

Just six users accounted for about half of the attack time over the period examined. That represented the top 2% of users who launched concurrent attacks for more than an hour in duration against Web sites, not individual user Internet access lines.

To hide their true identities, the servers spoofed their source addresses and employed proxies to deliver attack packets.

Tim Greene covers Microsoft and unified communications for Network World and writes the  Mostly Microsoft blog. Reach him at and follow him on Twitter@Tim_Greene.

Read more about wide area network in Network World's Wide Area Network section.

Tags ddosUSENIXWide Area NetworkIPSIDSIDS/IPSTwBooter

Show Comments