Most DDoS attacks tied to gaming, business disputes, FBI and prosecutors say

LAS VEGAS – The majority of distributed denial-of-service (DDoS) attacks are launched in response to disputes over business or gaming, according to federal officials investigating the incidents.

DDoS attacks occur when someone makes a service or tool unavailable by overloading it with requests. The vast majority of media coverage of DDoS attacks in recent years has centered on groups connected to or supporting nation-states – namely Russia – that launch them against the websites of rival governments.

But during the Black Hat cybersecurity conference in Las Vegas last week, FBI special agent Elliott Peterson and Cameron Schroeder – chief of the cyber and IP crimes Section division at the U.S. Justice Department – said most DDoS attacks were part of petty disputes between children or attempts by businesses to siphon customers.

The two gave a presentation about their work convicting 33-year-old Illinois native Matthew Gatrel, who was sentenced to two years in federal prison last year after being convicted of running a service that helped people launch more than 200,000 DDoS attacks.

“The number one source and motivation for DDoS attacks is people seeking to gain a competitive advantage in gaming,” Peterson said, noting that businesses in Africa and Asia also target each other with this brand of attack. “There are countries in which you see extensive use of DDoS aspiring to shut down a competing business and draw their customers to the person launching the attack. So that can be a good attack motivation. We also see retaliation attacks by businesses.”

While they acknowledge that there had been a significant increase in geopolitically-tinged DDoS attacks in 2021 and 2022, their investigation into Gatrel and others running DDoS-for-hire services revealed that most simply wanted a leg-up during gaming sessions.

Schroeder pointed out that one key factor they found was that most DDoS attacks take place during the holiday season.

“Historically and sort of sociologically, it has been one of the most massive DDoS periods. This is related to factors like kids are home from school or home for holiday break. They have extra time. They may get game consoles for Christmas or Hanukkah or Kwanzaa and they may get new games and want to try them out,” she said.

“They want to be online. And they get mad when other people are beating them in games. So they decide that maybe they should use one of these services to gain an advantage.”

A DDoS Breakdown

Peterson explained that right now, law enforcement agencies track three different types of DDoS-related services.

The cheapest – known as Booter or Stresser services – cost about $30 and are the most popular. The most headline grabbing are typically the botnet-based services which require extensive effort and money.

Law enforcement agencies have also identified open proxy services that allow people to launch attacks while obfuscating their location.

Peterson said most DDoS services examined by the FBI look like legitimate services, offering cheap plans – some of which offer 1,000 seconds of attack on one target at a time for just $20. Most of the services delineate their offerings based on length of attack, number of victims and price, according to Peterson and Schroeder.

Most of the sites take payment through PayPal or accept cryptocurrency. The platforms offer customers ways to test their attacks and some even provide ways for users to find their targets’ IP address through a variety of other identifiers.

The two noted that in January 2022, several U.S. agencies and international partners joined forces to address the issue of DDoS attacks. They held a meeting with internet service providers, large tech companies and researchers to hear about their experiences tracking and stopping DDoS attacks.

One thing many participants reiterated was that the DDoS ecosystem was mostly populated with people who were not rich cybercriminals.

“The majority are bored, working tedious functions and can be inconvenienced with the very act of us shutting down a website. It costs them money and it costs them time,” Peterson said.

“If we can increase friction, it may drive a lot of cybercriminals out of this space.”

Law enforcement takedowns

The law enforcement agencies made a plan to pursue the infrastructure used to launch DDoS attacks and they systematically took down several sites – arresting many of the administrators behind the platform like Gatrel.

The FBI has also bought Google ads that run for those searching “DDoS attack” or “Booter service.”

In May, U.S. law enforcement agencies seized 13 more internet domains that hosted “booter” services for launching DDoS attacks and arrested four people who later pleaded guilty to related charges.

After the seizures, Peterson and Schroeder said they gained valuable data on who uses these services and where they are targeting and launching attacks.

Most culprits and victims are located in the same region – so for example people in Asia are most likely to attack other people in Asia.

Peterson added that the arrests sent a chill throughout the DDoS community, with many actors in the space curious about the sites and platforms that were allowed to continue operating. The FBI was also able to disseminate the idea that there are DDoS platforms that they did not seize because they are essentially scams and not worth seizing.

This led to confusion and dissension within the DDoS communities, he said.

“We created a bit of instability in the marketplace because if you weren't seized, is it because you were a scam or not? It has been interesting to watch it play out,” he said.

This week, the FBI, IRS and Polish law enforcement officials announced another takedown of a platform called Lolek that facilitated the launching of DDoS attacks.