"It may soon become easier for Internet service providers to anticipate
and block certain types of online assaults launched by Web-based
attack-for-hire services known as “booter” or “stresser” services, new
research released today suggests.
The findings come from researchers in Germany who’ve been studying
patterns that emerge when miscreants attempt to mass-scan the entire
Internet looking for systems useful for launching these digital sieges —
known as “distributed denial-of-service” or DDoS attacks.
Enter researchers from Saarland University in Germany, as well as the
Yokohama National University and National Institute of Information and
Communications Technology — both in Japan. In a years-long project first
detailed in 2015, the researchers looked for scanning that appeared to
be kicked off by ne’er-do-wells running booter services.
To accomplish this, the research team built a kind of distributed
“honeypot” system — which they dubbed “AmpPot” — designed to mimic
services known to be vulnerable to amplification attacks, such as DNS
and NTP floods.
What’s new in the paper being released today by students at Saarland
University’s Center for IT-Security, Privacy and Accountability (CISPA)
is the method by which the researchers were able to link these
mass-scans to the very amplification attacks that follow soon after.
The researchers worked out a way to encode a secret identifier into the
set of AmpPot honeypots that any subsequent attack will use, which
varies per scan source. They then tested to see if the scan
infrastructure was also used to actually launch (and not just to
prepare) the attacks."
Sumber : https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/