WebStresser takedown is not the end of DDoS-for-hire


Europol has taken down the WebStresser service, one of the biggest DDoS-for-hire portals, as part of Operation Power Off. However, while there have been claims that DDoS attacks have fallen by as much as 60% as a result, I’m really not convinced that anyone can breathe easy.

Europol has announced the successful takedown of the world’s biggest DDoS attack marketplace. A statement reads “The administrators of the DDoS marketplace webstresser.org were arrested on 24 April 2018 as a result of Operation Power Off, a complex investigation led by the Dutch Police and the UK’s National Crime Agency with the support of Europol and a dozen law enforcement agencies from around the world. The administrators were located in the United Kingdom, Croatia, Canada and Serbia.”

Apparently, further measures were taken against ‘top users’ of WebStresser across the globe, and the service’s infrastructure in the Netherlands, United States and Germany was seized.

This is, without doubt, a good thing. With an estimated 4 million attacks executed at the time of the international police operation, the removal of WebStresser can be seen as nothing else. With fees for the service starting at 15 Euros a month and some 136,000 registered users, it was also a cash cow for the criminal organisation behind the service.

Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3), says that “criminals are very good at collaborating, victimising millions of users in a moment from anywhere in the world. We need to collaborate as good as them with our international partners to turn the table on these criminals and shut down their malicious cyberattacks.” Jaap van Oss, Dutch Chairman of the Joint Cybercrime Action Taskforce (J-CAT), added: “this joint operation is yet another successful example of the ongoing international effort against these destructive cyberattacks.”

So far, so reassuring. More feel-good news came from DDoS mitigation specialist Link11, which claimed attacks had fallen across Europe by as much as 60% following the WebStresser takedown. However, it’s important not to get too carried away by this revelation. For a start, it would only seem to apply to the two days following the takedown. Link11 stated that the Link11 Security Operation Center (LSOC) “has registered significantly fewer DDoS attacks since the arrest of the suspected platform administrators, down 64% from the peak number recorded. The LSOC, which monitors DDoS attack activity on the internet 24/7, has registered lower attack activity, especially on April 25 and 26, presumably due to elimination of the source.”

Link11 also added that “the general threat level posed by DDoS attacks remains high, however.” And this is the most important line in that whole statement if you ask me. As the Head of the Link11 Security Operation Center, Onur Cengiz, confirms “the number of attacks will only decrease temporarily. Experience has shown in recent years that for every DDoS attack marketplace taken out, multiple new platforms will pop up like the heads of a hydra.”

Andrew Lloyd, President at Corero Network Security, another DDoS mitigation specialist, is skeptical that the takedown has had such a major impact across Europe at all. “Given the volume of attacks, we seriously doubt that Webstresser.org was responsible for 60 percent of all the attacks in Europe,” Lloyd says, adding “it is possible that Webstresser made disproportionate use of Link11’s circuits.”

Indeed, Corero suggests that its own statistics show that attack volumes globally, and in Europe, actually increased across the week following the Europol operation. “European attacks have remained higher in the second half of the month versus the first half of April and the year as a whole,” Lloyd concludes.

All of which just goes to illustrate how difficult the job of law enforcement is when it comes to taking down DDoS-for-hire services. If an international, multi-agency, complex investigation such as Operation Power Off ultimately equates to giving the bad guys the equivalent of a dead leg, then you can see the scope of the problem. The main takeaway from this story is not that a bad guy has been taken down, but rather that more bad guys fill the void almost instantly. Which means organisations need to keep their eyes on the ball, and not relax their DDoS mitigation stance.