Embed Size (px)
Citation preview
The booter market is vulnerable● Interventions work (unusual)
○ Widespread arrests and takedowns○ Closure of Hackforums booter section○ Advertising
● Target server managers○ Have mid-level technical (administrative) skills○ Work is tedious and low-status
2
3
Booter services scale DDoS users●
●
●●
4
5
6
7
Someone you don’t like
Booters: Dispersed but advertised●
●
●●●
8
Collection 1: UDP-reflection attacks from honeypots● Median 65 nodes since 2014● Hopscotch emulates abused protocols: QOTD, CHARGEN,
DNS, NTP, SSDP, SQLMon, Portmap, mDNS, LDAP● Sniffer records all resulting UDP traffic● (try to) Only reply to black hat scanners● Attack: Flow to an IP(prefix) where more than 5 packets
received by one sensor
Ethics: Absorb attack traffic, don’t reply to white hat scanners
9
Daniel R. Thomas, Richard Clayton, and Alastair R. Beresford. 2017. 1000 days of UDP amplification DDoS attacks. In APWG Symposium on Electronic Crime Research (eCrime). IEEE, (Apr. 2017).
10
Collection 2: Booter self-reports (are reliable)● Collected from booter websites which report running total● Covers 75% of active booters over 18 month period● Source code and leaked databases show generally
accurate (bad data excluded)● Heteroskedasticity and skewness kurtosis tests indicate
not faked● Correlate with Collection 1 and with interventions.
11
12
13
PRESENTER SWITCH
Intervening is hard●●●●●
14
●●●●
15
16
17
Example takedown - FBI operation● 20th December 2018● Distributed Denial of Service as a Services (booters /
stressers) targetted● 3 arrests● 15 domains seized, 7 booters
Modelling● Negative binomial regression● Time series of weekly totals and by country● ‘Intervention’ variables for all big drops, keep significant
ones
18
19
●
●●
●
20
21
Results 2: self-reported (my favourite slide)
22
Webstresser arrest
FBI takedowns
Analysis● Less resilient than other kinds of cybercrime (we think)● Single arrests and sentencing do little● But hitting the infrastructure and messaging campaigns
work
23
Why: Qualitative results● Interviews and scraping chat channels● Booting is rubbish! Low cultural capital● High user turnover - so if you can stop people getting involved, big
effect● Lots of centralisation reselling makes the market brittle to
infrastructural intervention● Depends on a relatively small number of server managers● Who have a boring and unrewarding job, so easy to dissuade ● Especially when you make their job even more annoying by messing
with the infrastructure!24
● USE OUR DATA● Talk to us about future work● [email protected]● @johnnyhistone● [email protected]● @DanielRThomas24● https://www.cambridgecybercrime.uk/process.html
25
![firstname.lastname@anu.edu.au arXiv:2005.03860v1 [cs.CV] 8 ... · firstname.lastname@anu.edu.au Abstract Cross-view geo-localization is the problem of estimat-ing the position and](https://img.dokumen.tips/doc/110x75/5f59c6e167c3d563620e0b20/anueduau-arxiv200503860v1-cscv-8-anueduau-abstract-cross-view-geo-localization.jpg)
![firstname.lastname@anu.edu.au arXiv:1912.07161v2 [cs.CV ... · firstname.lastname@anu.edu.au Abstract Zero-shot learning, the task of learning to recognize new ... [cs.CV] 23 Dec](https://img.dokumen.tips/doc/110x75/5f80f7a854f6492e135d2ce3/anueduau-arxiv191207161v2-cscv-anueduau-abstract-zero-shot-learning.jpg)
![firstname.lastname@anu.edu.au arXiv:2003.03703v2 [cs.CV] 17 … · 2020-03-18 · firstname.lastname@anu.edu.au Abstract Word-level sign language recognition (WSLR) is a fun-damental](https://img.dokumen.tips/doc/110x75/5f6f517a9685e0726e0122b2/anueduau-arxiv200303703v2-cscv-17-2020-03-18-anueduau-abstract-word-level.jpg)
![firstname.lastname arXiv:2004.01176v1 [cs.CV] 2 Apr 2020](https://img.dokumen.tips/doc/110x75/626473d645e32c01f56a7540/-arxiv200401176v1-cscv-2-apr-2020.jpg)
