
Assessing the Aftermath: the Effects of a Global Takedown against DDoS-for-hire Services

Anh V. Vu, Ben Collier, Daniel R. Thomas, John Kristoff, Richard Clayton, Alice Hutchings

TL;DR

This study evaluates a large-scale, two-wave global takedown of DDoS-for-hire services (booters) using diverse data sources, including ground-truth splash-page traffic, web-traffic analytics, multiple DDoS datasets, and online discussions. It finds that the first intervention significantly reduced UDP-based DDoS activity for a limited period (roughly six weeks) but that many booters quickly resurrected with new domains, and overall attack volumes rebounded. The second wave shows minimal influence, suggesting resilience in the illicit market and adaptation by operators. The authors argue that sustained, multi-faceted disruption—combining infrastructure takedowns, deception domains, and user-targeted influence campaigns—can dampen market growth in the short term but is unlikely to produce lasting elimination without ongoing, coordinated efforts and demand-reduction strategies.

Abstract

Law enforcement and private-sector partners have in recent years conducted various interventions to disrupt the DDoS-for-hire market. Drawing on multiple quantitative datasets, including web traffic and ground-truth visits to seized websites, millions of DDoS attack records from academic, industry, and self-reported statistics, along with chats on underground forums and Telegram channels, we assess the effects of an ongoing global intervention against DDoS-for-hire services since December 2022. This is the most extensive booter takedown conducted to date, combining infrastructure targeting with digital influence tactics in a concerted effort by law enforcement across several countries, with two waves of website takedowns and the use of deceptive domains. We found that over half of the sites seized in the first wave returned within a median of one day, while all booters seized in the second wave returned within a median of two days. Re-emerged booter domains, despite closely resembling the old ones, struggled to attract visitors (80-90% traffic reduction). While the first wave cut the global DDoS attack volume by 20-40%, with a statistically significant effect specifically on UDP-based DDoS attacks (commonly attributed to booters), the impact of the second wave appeared minimal. Underground discussions indicated a cumulative impact, leading to changes in user perceptions of safety and causing some operators to leave the market. Despite the extensive intervention efforts, all DDoS datasets consistently suggest that the illicit market is fairly resilient, with an overall short-lived effect on the global DDoS attack volume lasting at most around six weeks.

Paper Structure

This paper contains 19 sections, 13 figures, and 5 tables.

Figures (13)

  • Figure 1: Overview of booter resurrections and reinstallations after two waves of takedown (hours). Red dots indicate means.
  • Figure 2: The aggregated ground-truth visit sessions per day to booter domains during both waves seen by our splash pages.
  • Figure 3: The average duration of ground-truth ordinary visit sessions, number of requests and user agents per session, and number of requests made through public proxies and VPNs.
  • Figure 4: The flow of users visiting another seized domain after accessing a seized one, excluding self-navigations. B0 to B9 mark the seized booters that are most frequently navigated.
  • Figure 5: Number of API request sessions (top) and calling users (bottom) per day by top booter vendors over the period.
  • ...and 8 more figures