Av Gurus

By leveraging their access to Russian underground hacking forums and their powerful DDoS botnet surveillance platform, analysts from Arbor Networks have managed to estimate how much a regular DDoS booter makes per day from one single botnet.

For their experiment, Arbor chose a random threat actor who went under the name of Forceful. By tracking his ads across different forums, Arbor experts managed to connect his DDoS-for-hire services with the activity of a previously known botnet, operating from the kypitest[.]ru C&C (command-and-control) server.

Forceful had created a custom piece of malware, which he used to infect victims and add them to his botnet. He controlled the botnet through the G-Bot DDoS botnet Web panel, operating from the above domain.

Security researchers tracked Forceful's botnet across time
One of the neat features of being a multi-national corporation is the advantage of having cool toys to debug malicious activity that happens on the Internet. In Arbor's arsenal of tools, there is the BladeRunner platform, a monitoring system that watches and logs DDoS attacks, recording their origin and duration.

Using logs from the BladeRunner platform, Arbor's researchers managed to identify many of the attacks sent out from Forceful's kypitest[.]ru platform, which first became active on July 9, 2015.

This information allowed Arbor to take the Forceful price list and compare it to the number and length of attacks that originated from his infrastructure, providing a basic estimate for the hacker's daily revenue.

Discrepancy between the cost to hire and the cost to fend off DDoS attacks
On the hacking forums he advertised on, Forceful was peddling his service for $60 for day-long attacks, $400 for week-long attacks, and was also offering a 10% discount on orders above $500, and a 15% price cut on orders above $1,000.

Arbor discovered 82 attacks from July 9, 2015 to October 18, 2015, which added up to $5,408. This gives a mean estimated revenue per attack of $66 and an average estimated revenue per day of $54.

According to a previous report issued at the end of January, Arbor also estimated that it costs a company around $500 per minute to fend off attacks.

This shows why DDoS attacks are so effective in blackmail campaigns, where someone could spend just a few hundred dollars per week to hire a DDoS botnet, but extort tens of thousands from companies that cannot fend off attacks and end up paying before more damage is done to their business.