The rise and fall of DDoS-for-hire: Why cybercriminals bounce back so quickly



CO-EDP, VisionRI | Updated: 13-02-2025 17:30 IST | Created: 13-02-2025 17:30 IST

Distributed Denial-of-Service (DDoS) attacks have long been a persistent cybersecurity threat, and the emergence of DDoS-for-hire services, also known as "booter" or "stresser" services, has made launching such attacks more accessible than ever. These illicit services allow individuals with minimal technical expertise to rent attack capacity for a fee, effectively offering cybercrime as a service. In response, law enforcement agencies worldwide have been working to disrupt the DDoS-for-hire market through coordinated takedowns, arrests, and digital influence campaigns.

A recent study, “Assessing the Aftermath: The Effects of a Global Takedown against DDoS-for-Hire Services”, authored by Anh V. Vu, John Kristoff, Ben Collier, Richard Clayton, Daniel R. Thomas, and Alice Hutchings, evaluates the effectiveness of recent large-scale crackdowns on the booter industry. The study, which will be presented at the USENIX Security Symposium 2025, draws from extensive datasets, including web traffic analytics, millions of DDoS attack records, and underground forum discussions, to assess the short- and long-term impacts of law enforcement interventions. It reveals that while takedowns initially reduce attack volumes and disrupt services, the illicit market remains highly resilient, with many services resurrecting within days.

Understanding the DDoS-for-hire ecosystem and previous crackdowns

The DDoS-for-hire industry operates under a subscription-based model, where users can purchase attack capabilities for as little as a few dollars. These services advertise their offerings in underground forums, chat groups, and even on public-facing websites. While some claim to be legitimate stress-testing tools, their primary use is overwhelmingly malicious - targeting gaming servers, school networks, and corporate infrastructure. Many users mistakenly believe that using such services carries minimal legal risk, despite clear laws criminalizing their use in most jurisdictions.

Law enforcement agencies have conducted multiple interventions to disrupt these services. A major international takedown in December 2018 led to the seizure of 15 booter domains, resulting in a temporary decline in DDoS activity. However, attack volumes recovered within weeks, as new booter services emerged to replace those that had been shut down. Recognizing the short-lived impact of single-wave interventions, authorities escalated their efforts in December 2022 and May 2023, targeting a larger number of booter domains and incorporating digital influence tactics to discourage users from seeking alternative services.

The latest crackdown, dubbed Operation PowerOFF, was the most extensive intervention to date, involving law enforcement agencies from multiple countries, including the FBI, UK’s National Crime Agency (NCA), and Dutch Police. It included two waves of website takedowns, the deployment of deceptive law enforcement-controlled booter sites, and the seizure of booter operators’ databases to track and identify users. Despite these efforts, the study finds that the impact of these interventions was significant but fleeting.

How effective were the takedowns? Insights from data analysis

To evaluate the impact of Operation PowerOFF, the researchers analyzed multiple datasets spanning from July 2021 to June 2023, covering both waves of takedowns. The analysis focused on three key areas: the rate at which seized booter services re-emerged, the impact on global DDoS attack volumes, and shifts in user behavior within underground cybercrime communities.

Resilience of Booter Services

The first wave of takedowns in December 2022 resulted in the seizure of 49 booter domains, disrupting roughly half of all active booter services. However, 52% of these services resumed operations within a median time of just 19 hours, with some reappearing in as little as 8 hours. Many of these resurrected services simply changed their domain names, maintaining the same branding and user base.

The second wave in May 2023, which targeted 13 additional booter domains, showed an even higher recovery rate: every seized booter reappeared, within a median of 42 hours, demonstrating that takedowns alone were insufficient to eliminate these services. Operators adapted by pre-purchasing backup domains and migrating their infrastructure to jurisdictions with weaker enforcement.
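The resurrection figures above (share of seized booters that came back, and the median time until they did) are the kind of measurement a defender can reproduce against their own crawl data. The following is an added example, not code from the study or its authors: it takes a list of seized brands with their seizure times and a crawl log of sites observed alive, matches resurrections by brand fingerprint rather than by domain (since resurrected services typically keep their branding under a new domain), and reports the recovery rate and median time-to-resurrection. All domains, brands and timestamps are constructed; the 30-day observation window and the notion of "alive" (the booter front-end being served, as judged by an assumed crawler) are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (not from the study): brand -> (seized domain, seizure time).
SEIZED = {
    "stressme": ("stressme.example", datetime(2022, 12, 14, 9, 0)),
    "bootr":    ("bootr.example",    datetime(2022, 12, 14, 9, 0)),
    "ddosit":   ("ddosit.example",   datetime(2022, 12, 14, 9, 0)),
    "floodz":   ("floodz.example",   datetime(2022, 12, 14, 9, 0)),
}

# Constructed crawl log: (domain, brand fingerprint, first time the booter UI was seen alive).
# The brand fingerprint is assumed to come from page content (title, logo hash, plan names).
OBSERVED = [
    ("stressme.example",     "stressme", datetime(2022, 12, 1, 0, 0)),    # pre-seizure sighting, ignored
    ("stressme-new.example", "stressme", datetime(2022, 12, 14, 17, 0)),  # back after 8 h
    ("bootr2.example",       "bootr",    datetime(2022, 12, 15, 4, 0)),   # back after 19 h
    ("bootr3.example",       "bootr",    datetime(2022, 12, 20, 0, 0)),   # later mirror, not the first
    ("ddosit-v2.example",    "ddosit",   datetime(2022, 12, 16, 9, 0)),   # back after 48 h
    # "floodz" never reappears inside the observation window
]


def resurrections(seized, observed, window=timedelta(days=30)):
    """Return {brand: hours until first post-seizure sighting, or None if not seen in window}.

    A sighting counts only if it is strictly after the seizure and within the window;
    the earliest qualifying sighting for each brand is used, whatever domain it was on.
    """
    result = {}
    for brand, (_old_domain, seized_at) in seized.items():
        candidates = [
            seen for _domain, b, seen in observed
            if b == brand and seized_at < seen <= seized_at + window
        ]
        if candidates:
            result[brand] = (min(candidates) - seized_at).total_seconds() / 3600
        else:
            result[brand] = None  # censored: not resurrected (yet) within the window
    return result


def summarise(hours_by_brand):
    """Return (recovery rate, median hours to resurrection among those that came back)."""
    back = [h for h in hours_by_brand.values() if h is not None]
    rate = len(back) / len(hours_by_brand) if hours_by_brand else 0.0
    return rate, (median(back) if back else None)


if __name__ == "__main__":
    hours = resurrections(SEIZED, OBSERVED)
    rate, med = summarise(hours)
    for brand, h in hours.items():
        print(f"{brand:10s} {'not seen' if h is None else f'{h:5.1f} h'}")
    print(f"recovery rate {rate:.0%}, median {med} h")
```

The median is computed only over services that actually came back; brands that stay dark are reported separately as censored rather than silently dropped or treated as zero, which is the distinction that matters when comparing waves with different recovery rates.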

Impact on Global DDoS Attack Volumes

Using data from multiple DDoS monitoring sources, including honeypots, ISP traffic analysis, and self-reported statistics from booters, the study identified a temporary decline in DDoS activity following the first wave. Specifically:

  • Global DDoS attack volume dropped by 20–40%, with a notable decrease in UDP-based amplification attacks, a method commonly used by booters.
  • This reduction lasted for approximately six weeks, after which attack levels rebounded to pre-takedown levels.
  • The second wave of takedowns had a minimal impact, suggesting that additional waves of takedowns yield diminishing returns.

These findings indicate that while large-scale interventions can temporarily disrupt attack infrastructure, they do not eliminate the demand for DDoS attacks, leading to a rapid market recovery.

User Behavior and Market Perception

Analysis of underground forum discussions and Telegram chats revealed that the perception of risk among booter users increased following the takedowns. Many users expressed concerns about law enforcement monitoring and legal repercussions, leading some to exit the market. However, seasoned cybercriminals quickly adapted, sharing alternative ways to access resurrected services and discussing new attack methods to circumvent enforcement actions.

The study also highlights the role of law enforcement deception campaigns, where the NCA set up fake booter services to gather intelligence and deter potential customers. These deceptive sites attracted thousands of visits, but users quickly recognized them as law enforcement traps, limiting their long-term effectiveness.

Challenges and future strategies for combatting DDoS-for-hire services

The findings of the study emphasize the resilience of the cybercrime-as-a-service market and the limitations of traditional takedown approaches. While takedowns disrupt individual operators, they do not address the underlying demand for these services. One of the biggest challenges is the rapid resurrection of booter services, as operators are highly adaptable. Many of them prepare in advance by setting up redundant infrastructure, using alternative payment methods such as cryptocurrencies, and shifting their communication to decentralized platforms, making it difficult for authorities to permanently dismantle their operations. Even when law enforcement takes down multiple domains, new services quickly emerge to take their place.

Jurisdictional challenges further complicate efforts to combat DDoS-for-hire services. Many booter operators relocate their infrastructure to countries with weak cybercrime enforcement, making international cooperation critical for long-term disruption. However, legal complexities and varying levels of cybersecurity policies between nations often hinder the effectiveness of global interventions. Without consistent enforcement mechanisms, booters can continue operating from regions where they are less likely to face prosecution.

Another growing concern is the evolution of attack methods. Traditionally, booters relied heavily on UDP amplification attacks, but as mitigation measures against these attacks have improved, cybercriminals have shifted towards harder-to-detect techniques, such as direct-path and application-layer attacks. Rather than bouncing spoofed packets off open reflectors, these methods send traffic straight from attacker-controlled hosts and, at the application layer, issue requests that look like legitimate client activity while exhausting server resources, making them more challenging to filter and block. This shift demonstrates that DDoS-for-hire services are not just persistent but also increasingly sophisticated, adapting to defensive countermeasures with new attack strategies.
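The three attack families the paragraph contrasts (UDP reflection/amplification, direct-path SYN floods, and application-layer HTTP floods) leave different fingerprints in flow or proxy logs. As an added example, not from the study, the classifier below runs over constructed flow records and applies one heuristic per family: amplification traffic arrives from many reflectors on well-known reflector source ports with large packets; a direct-path SYN flood is many sources sending SYN-only flows; an application-layer flood is many sources converging on one request path. The record format, the reflector-port list, the `min_sources` threshold and the assumption that an upstream proxy exposes the HTTP path are all assumptions made for the example.

```python
from collections import Counter, defaultdict, namedtuple

# Assumed flow record layout (e.g. exported by a proxy or flow collector).
# flags: TCP flag string ("S" = SYN only, "PA" = PSH/ACK); path: HTTP request path if known.
Flow = namedtuple("Flow", "src dst proto sport dport packets bytes flags path")

# Well-known UDP services abused as reflectors (chargen, DNS, NTP, CLDAP, SSDP, memcached).
REFLECTOR_PORTS = {19, 53, 123, 389, 1900, 11211}

# Constructed sample traffic (RFC 5737 / RFC 6598 addresses), one victim per attack family.
FLOWS = [
    # NTP amplification: 40 reflectors, source port 123, ~468-byte packets, one victim.
    *[Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 123, 40000 + i, 200, 200 * 468, "", None)
      for i in range(1, 41)],
    # Direct-path SYN flood: 60 sources, SYN-only flows, no completed handshake.
    *[Flow(f"192.0.2.{i}", "203.0.113.20", "tcp", 50000 + i, 443, 50, 50 * 60, "S", None)
      for i in range(1, 61)],
    # Application-layer flood: 30 sources with full handshakes all hitting one expensive path.
    *[Flow(f"100.64.0.{i}", "203.0.113.30", "tcp", 51000 + i, 443, 400, 400 * 500, "PA", "/search?q=x")
      for i in range(1, 31)],
    # Ordinary traffic to a fourth host, including a normal DNS reply from port 53.
    Flow("192.0.2.200", "203.0.113.40", "tcp", 52000, 443, 30, 30 * 700, "PA", "/index.html"),
    Flow("192.0.2.201", "203.0.113.40", "udp", 53, 53001, 2, 2 * 120, "", None),
]


def classify(flows, min_sources=20, min_amp_pkt=400):
    """Return {dst_ip: verdict} with one verdict per destination address."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    verdicts = {}
    for dst, fl in by_dst.items():
        total_bytes = sum(f.bytes for f in fl)
        tcp = [f for f in fl if f.proto == "tcp"]
        refl = [f for f in fl if f.proto == "udp" and f.sport in REFLECTOR_PORTS]
        syn_only = [f for f in tcp if f.flags == "S"]
        http = [f for f in tcp if f.path]

        refl_bytes = sum(f.bytes for f in refl)
        refl_pkts = sum(f.packets for f in refl)
        refl_avg_pkt = refl_bytes / refl_pkts if refl_pkts else 0
        path_share = (Counter(f.path for f in http).most_common(1)[0][1] / len(http)) if http else 0

        # The source-count threshold is what keeps a single legitimate DNS reply from
        # looking like "reflection": one reflector port hit is not an attack.
        if len({f.src for f in refl}) >= min_sources and refl_bytes > 0.8 * total_bytes \
                and refl_avg_pkt >= min_amp_pkt:
            verdicts[dst] = "udp_amplification"
        elif len({f.src for f in syn_only}) >= min_sources and len(syn_only) > 0.8 * len(tcp):
            verdicts[dst] = "direct_path_syn_flood"
        elif len({f.src for f in http}) >= min_sources and path_share > 0.8:
            verdicts[dst] = "application_layer_flood"
        else:
            verdicts[dst] = "no_flood_detected"
    return verdicts


if __name__ == "__main__":
    for dst, verdict in classify(FLOWS).items():
        print(f"{dst:15s} {verdict}")
```

Note why the application-layer case is the hardest of the three: every flow in it is a completed TCP handshake carrying a well-formed request, so neither the spoofing check nor the SYN-ratio check fires, and the only signal left is convergence on one path from an unusual number of clients. In production that convergence has to be measured against a per-path baseline rather than a fixed share, and the thresholds here are illustrative.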

Given these persistent challenges, the study recommends a multi-pronged approach that extends beyond simple takedowns. One of the key strategies is targeting the payment infrastructure used by booter services. Restricting their access to financial systems, for example by having payment processors and cryptocurrency exchanges refuse transactions linked to known booters, could make it harder for them to operate profitably. Additionally, strengthening partnerships between law enforcement, domain registrars, hosting providers, and cybersecurity firms could help prevent booters from re-establishing themselves after takedowns. Legal and policy measures also need to evolve, with harsher penalties for booter operators to deter future cybercriminals from entering the market. Lastly, public awareness campaigns could play a crucial role in reducing demand for DDoS-for-hire services by educating potential users about the legal risks and consequences of launching attacks through such platforms.

While these strategies present potential pathways for more effective enforcement, the fight against DDoS-for-hire services remains an ongoing challenge. The adaptability of cybercriminals means that interventions must be proactive, multi-faceted, and continuously evolving to stay ahead of this ever-persistent threat.

First published in: Devdiscourse