Corero

One Less Booter/Stresser Service Won’t Stop DDoS Attacks

U.S. law enforcement officials have prosecuted Matthew Gatrel, an Illinois man who owned a “booter” service called DownThem and a server hosting service called AmpNode. He was convicted of selling “spoofing” servers that can be pre-configured with DDoS attack scripts and lists of vulnerable “attack amplifiers” used to launch simultaneous cyberattacks on victims. Between 2014 and 2018, Gatrel had thousands of clients who paid him to launch more than 200,000 Distributed Denial of Service (DDoS) attacks. He also provided the infrastructure and resources for other cybercriminals to run their own DDoS stresser businesses.

A press release from the US Attorney’s Office for the Central District of California explains, “Records from the DownThem service revealed more than 2,000 registered users and more than 200,000 launched attacks, including attacks on homes, schools, universities, municipal and local government websites, and financial institutions worldwide. Many AmpNode customers were themselves operating for-profit DDoS services.” Even today, the AmpNode website is still online and promotes its spoofing servers, stating, “We believe in privacy and network freedom and with our own private networks, we ENABLE spoofing!”

The California court found him guilty and sentenced him to two years in prison. He was one of several cybercriminals charged in 2018 when the US FBI collaborated with a number of international agencies and industry partners to crack down on booter-stresser services. According to Krebs on Security, Gatrel’s co-defendant and partner in the business, Juan “Severon” Martinez of Pasadena, Calif., pleaded guilty just before the trial.

Stresser services are commonly marketed as a way for clients to test their own infrastructures against attacks, but in reality, they are used to attack other sites and networks. Booter services are dangerous because they make it very easy and cheap to launch DDoS attacks; clients can choose from subscription services that offer attacks that vary in volume or duration.

Booter/stresser services also let new attack vectors spread like wildfire, since cybercriminals are typically eager to share and exploit them on the Dark Web. The Corero Threat Intel Report for 2021/2022 observed a net increase in the number of unique DDoS attack vectors seen in the wild and in the level of year-over-year DDoS activity. Each new vector tends to have a long tail, measured in years, of subsequent exploitation and related attacks. For example, the vulnerabilities referenced in the July 2020 FBI DDoS alert, and the use of OpenVPN reflection that ramped up during the COVID-19 pandemic, continue to appear in present-day attacks.
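The “spoofing servers” and “attack amplifiers” described above come together in reflected amplification: the attacker forges the victim’s address as the source of small requests to open UDP services, and those services answer the victim with much larger replies. From the victim’s side this leaves a recognisable signature in flow telemetry: a surge of UDP replies from well-known service ports (OpenVPN’s default 1194 among them) arriving from many distinct sources to ephemeral ports nobody on the network asked from. The following detector is an added example for this post, not Corero’s code or product logic; the flow record layout, the reflector port list, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
"""Flag reflected UDP amplification floods in flow records.

Added example (not from the original post). Flow layout, thresholds and
the reflector-port table are assumptions; sample traffic is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


# UDP services commonly abused as reflectors. 1194 is OpenVPN's default
# port, which the post names as a reflection vector; the rest of this
# table is an assumed, non-exhaustive list.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
    1194: "OpenVPN", 1900: "SSDP", 11211: "memcached",
}


def detect_reflection(flows: Iterable[Flow],
                      min_reflectors: int = 50,
                      min_bytes: int = 50_000_000) -> Dict[str, dict]:
    """Return {victim_ip: summary} for destinations that receive a large
    volume of UDP *replies* from many distinct reflector sources.

    A reply is recognised by a well-known reflector source port paired with
    an ephemeral destination port. Legitimate clients also receive such
    replies, so a single flow means nothing; the alert requires both a high
    count of distinct reflector IPs and a high aggregate byte volume within
    the window the caller fed in (the thresholds are assumed values).
    """
    per_victim = defaultdict(lambda: {
        "bytes": 0, "packets": 0, "reflectors": set(),
        "services": defaultdict(int),
    })
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        if f.dst_port < 1024:  # not an ephemeral port: not a reply to a client
            continue
        v = per_victim[f.dst_ip]
        v["bytes"] += f.nbytes
        v["packets"] += f.packets
        v["reflectors"].add(f.src_ip)
        v["services"][REFLECTOR_PORTS[f.src_port]] += f.nbytes

    alerts: Dict[str, dict] = {}
    for ip, v in per_victim.items():
        if len(v["reflectors"]) >= min_reflectors and v["bytes"] >= min_bytes:
            alerts[ip] = {
                "bytes": v["bytes"],
                "reflectors": len(v["reflectors"]),
                # Dominant reflector service tells the responder which
                # port to rate-limit or scrub at the edge first.
                "top_service": max(v["services"], key=v["services"].get),
                # Near-MTU average reply size is typical of amplification.
                "avg_pkt_bytes": v["bytes"] // v["packets"],
            }
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed telemetry: 200 distinct OpenVPN reflectors each sending
    300 replies of 1400 bytes to victim 198.51.100.10, plus a handful of
    ordinary DNS replies to an unrelated host (all addresses are from
    documentation/benchmark ranges)."""
    flows = [
        Flow(f"198.18.0.{i + 1}", 1194, "198.51.100.10", 40000 + i,
             "UDP", 300, 300 * 1400)
        for i in range(200)
    ]
    flows += [
        Flow("192.0.2.53", 53, "198.51.100.20", 51000 + i, "UDP", 1, 120)
        for i in range(5)
    ]
    return flows


if __name__ == "__main__":
    for victim, info in detect_reflection(sample_flows()).items():
        print(f"{victim}: {info['bytes']} bytes from {info['reflectors']} "
              f"reflectors, mostly {info['top_service']}, "
              f"avg {info['avg_pkt_bytes']} B/pkt")
```

The detector works on the victim network’s own telemetry, which is where a defender can act: the summary points at the dominant reflector service, so the edge can rate-limit or scrub that source port while unaffected traffic keeps flowing. It does not stop the spoofing itself; that is only possible at the networks that let forged source addresses leave (ingress filtering per BCP 38), which is exactly what the “spoofing servers” sold by services like AmpNode rely on being absent.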

The law enforcement officers and prosecutors who closed the Gatrel case deserve a round of congratulations and thanks, but cybersecurity professionals won’t gain much comfort from it. The reality is that Gatrel’s operation was only one of many booter/stresser services in the world that continue to launch DDoS attacks on a daily basis. (And one hopes that he doesn’t return to his criminal ways after his short prison sentence.) Justice was served, but cybercrime goes on. Krebs on Security said it best: “DDoS experts say booter and stresser services that remain in operation continue to account for the vast majority of DDoS attacks launched daily around the globe.”