China DDoS

Over the past six months, a large number of DDoS-for-hire platforms — also known as DDoS booters or DDoS stressers — have appeared in China, all sporting the same interface and apparently based on the same source code.

While the obvious assumption would have been that all of these new DDoS booters were launched by the same operator to increase his market dominance under different brands, an investigation by the Cisco Talos and Umbrella teams revealed the contrary.

Most DDoS booters look the same but are run by different actors

By searching for recently registered domain names containing the word "DDoS," researchers identified several DDoS-for-hire platforms for Chinese-speaking users, of which 32 used a nearly identical backend.

Information included in the domain registration data revealed that different persons were behind most platforms, contrary to an initial assessment.

This initial discovery was confirmed after researchers registered accounts on the platforms and discovered small differences on each service.

While the small UI tweaks here and there were telling, the most conclusive evidence that different administrators managed each service came from the different way each platform handled user payments.

All platforms use a similar UI

UI- and code-wise, the vast majority of the backend was the same on all 32 platforms. All featured an admin panel built on a free Bootstrap theme offered by design firm PixelCave, used the same (default) background images, and provided the same features.

Same ol' login page found on all recent Chinese DDoS-for-hire platforms

Researchers believe that one Chinese-based crook got his hands on the source code of a DDoS-for-hire platform written for English-speaking users and translated it to Chinese.

The large number of DDoS booters currently available leads Cisco experts to believe that this actor is either selling this translated source code or has made it available online for free.

This theory explains the sharp increase in the number of Chinese-based DDoS-for-hire platforms that have appeared since the start of 2017, including brands such as HackDD, 794 DDoS, 87 DDoS, PP DDoS, and others.

DDoS culture in Southeast Asia

The culture of launching DDoS attacks is well-established in China, but also in other countries in Southeast Asia. During the past few years, China and South Korea have been the favorite targets of DDoS attacks, but also the primary locations where DDoS botnet C&C servers were hosted.

In most cases, attacks are aimed at gaming servers. It is also not out of the ordinary for crooks to use DDoS attacks to extort money from companies, or for businesses to DDoS their competitors.

According to a Kaspersky Lab report regarding DDoS activity in Q2 2017, "China, South Korea, and the USA remained leaders by both the number of attacks and the number of targets."

Below is a list of DDoS booters Cisco identified during its research:

www[.]794ddos[.]cn
www[.]dk[.]ps88[.]org
www[.]tmddos[.]top
www[.]wm-ddos[.]win
www[.]tc4[.]pw
www[.]hkddos[.]cn
www[.]ppddos[.]club
www[.]lnddos[.]cn
www[.]711ddos[.]cn
www[.]830ddos[.]top
www[.]bbddos[.]com
www[.]941ddos[.]club
www[.]123ddos[.]net
www[.]the-dos[.]com
www[.]etddos[.]cn
www[.]jtddos[.]me
www[.]ccddos[.]ml
www[.]87ddos[.]cc
www[.]ddos[.]cx
www[.]hackdd[.]cn
www[.]shashenddos[.]club
www[.]minddos[.]club
www[.]caihongtangddos[.]cn
www[.]zfxcb[.]top
www[.]91moyu[.]top
www[.]xcbzy[.]club
www[.]this-ddos[.]cn
www[.]aaajb[.]top
www[.]ddos[.]qv5[.]pw
www[.]tdddos[.]com
www[.]ddos[.]blue
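As an added example (not code from Cisco Talos or from the article), the following Python script turns the defanged indicator list above into a DNS blocklist and scans resolver logs for lookups of those booter domains, and also reproduces the hunting heuristic the researchers describe (recently registered domains whose name contains "ddos"). The dnsmasq-style log lines and the WHOIS-like registration records are constructed sample data, and the log format is an assumption; adapt the regex to your own resolver's output.

```python
import re
from datetime import date, timedelta

# Booter domains as published in the article (defanged with "[.]").
DEFANGED_BOOTER_DOMAINS = [
    "www[.]794ddos[.]cn", "www[.]dk[.]ps88[.]org", "www[.]tmddos[.]top",
    "www[.]wm-ddos[.]win", "www[.]tc4[.]pw", "www[.]hkddos[.]cn",
    "www[.]ppddos[.]club", "www[.]lnddos[.]cn", "www[.]711ddos[.]cn",
    "www[.]830ddos[.]top", "www[.]bbddos[.]com", "www[.]941ddos[.]club",
    "www[.]123ddos[.]net", "www[.]the-dos[.]com", "www[.]etddos[.]cn",
    "www[.]jtddos[.]me", "www[.]ccddos[.]ml", "www[.]87ddos[.]cc",
    "www[.]ddos[.]cx", "www[.]hackdd[.]cn", "www[.]shashenddos[.]club",
    "www[.]minddos[.]club", "www[.]caihongtangddos[.]cn", "www[.]zfxcb[.]top",
    "www[.]91moyu[.]top", "www[.]xcbzy[.]club", "www[.]this-ddos[.]cn",
    "www[.]aaajb[.]top", "www[.]ddos[.]qv5[.]pw", "www[.]tdddos[.]com",
    "www[.]ddos[.]blue",
]


def refang(indicator):
    """Turn a defanged indicator ("www[.]example[.]com") back into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()


def build_blocklist(defanged):
    """Refang every indicator and add the apex without the "www." label,
    since the panels may be reached either way."""
    block = set()
    for ind in defanged:
        host = refang(ind)
        block.add(host)
        if host.startswith("www."):
            block.add(host[len("www."):])
    return block


# Assumed dnsmasq-style resolver log: "<timestamp> <client-ip> query[<type>] <qname>".
DNS_LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+)$")

# Constructed sample log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "2017-09-01T10:00:01Z 10.0.0.5 query[A] www.hackdd.cn.",
    "2017-09-01T10:00:02Z 10.0.0.7 query[A] updates.example.com.",
    "2017-09-01T10:00:03Z 10.0.0.9 query[A] panel.87ddos.cc.",
    "2017-09-01T10:00:04Z 10.0.0.5 query[AAAA] ddos.blue.",
    "2017-09-01T10:00:05Z 10.0.0.8 query[A] myddos-protection.example.net.",
    "this line does not match the expected format",
]


def scan_dns_log(lines, blocklist):
    """Return (timestamp, client, qname, matched_indicator) for every query
    whose name equals a blocked host or is a subdomain of a blocked apex."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing
        qname = m.group("qname").lower().rstrip(".")
        for blocked in sorted(blocklist):
            if qname == blocked or qname.endswith("." + blocked):
                hits.append((m.group("ts"), m.group("client"), qname, blocked))
                break
    return hits


# Constructed (domain, registration date) records standing in for WHOIS data.
SAMPLE_REGISTRATIONS = [
    ("794ddos.cn", date(2017, 7, 15)),
    ("ddos-mitigation-vendor.example", date(2012, 1, 1)),  # keyword hit, but old
    ("hackdd.cn", date(2017, 8, 2)),   # a booter the keyword heuristic misses
    ("example.com", date(2017, 8, 1)),
]
AS_OF = date(2017, 9, 1)


def find_recent_ddos_domains(records, today, window_days=90):
    """The article's hunting heuristic: names containing "ddos" registered
    within the last window_days. Note that brands without the keyword
    (HackDD) are not caught by this alone."""
    cutoff = today - timedelta(days=window_days)
    return sorted(d for d, registered in records
                  if "ddos" in d.lower() and registered >= cutoff)


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_BOOTER_DOMAINS)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, blocklist):
        print("booter lookup:", hit)
    print("recent ddos-named registrations:", find_recent_ddos_domains(SAMPLE_REGISTRATIONS, AS_OF))
```

The subdomain match deliberately covers hosts like `panel.87ddos.cc`, while the keyword search is only a starting point: as the article notes, the researchers still had to register accounts and compare payment handling to tell the operators apart, and brands such as HackDD would not surface from the keyword alone.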