Profiling a Popular DDoS Booter Service’s Ecosystem

Researchers profiled a popular DDoS booter ecosystem by expanding an initial dataset of 171 domains, 464 IP addresses, and nine emails into thousands of artifacts, revealing extensive infrastructure and distribution across registrars and geographies. The analysis uses bulk WHOIS, DNS lookups, Reverse WHOIS, and IP geolocation to map assets and identify related domains and IPs.

Keypoints

  • The investigation expanded IoCs from 171 domains, 464 IPs, and nine emails to 2,196 connected artifacts, including 20 more emails, 43 email-connected domains, 185 additional IPs, 645 IP-connected domains, and 1,303 string-connected domains.
  • Bulk WHOIS analysis identified 52 registrars hosting the IoCs, led by Namecheap (34 domains) and NiceNIC International (14 domains), with many domains spread across others.
  • Domain ages ranged from May 2019 to May 2024, with 66 domains created in 2023; 41 IoCs lacked creation dates.
  • Registrant countries covered 20 nations, with Iceland (30 domains) and the U.S. (29) at the top; several other countries contributed domains.
  • Some domains have been seized by the FBI, but others continue to host DDoS tools such as topstresser.top, powerstresser.pro, quickdown.pro, and starkstresser.net.
  • IP geolocation and ISP data show 173 IPs geolocated in the U.S. (out of 185) and 47 ISPs involved, with Cloudflare managing the largest share (305 IPs).

MITRE Techniques

  • [T1583] Acquire Infrastructure – Domain infrastructure mapped via a bulk WHOIS lookup of the 171 domain IoCs. ‘bulk WHOIS lookup for the 171 domains tagged as IoCs to obtain their WHOIS details.’
  • [T1583.003] Acquire Infrastructure – Domains – Reverse WHOIS searches revealing that IoCs appear in the current WHOIS records of more than 15,000 domains. ‘Reverse WHOIS API… revealed that they appeared in the current WHOIS records of more than 15,000 domains.’
  • [T1046] DNS Discovery – DNS lookups used to map host infrastructure by resolving domain IoCs to IPs. ‘DNS lookups led to the discovery of 185 additional IP addresses.’

Indicators of Compromise

  • [Domain] IoCs – 171 domains in the initial set; examples named: topstresser.top, powerstresser.pro, quickdown.pro, starkstresser.net, and two more
  • [IP Addresses] IoCs – 464 addresses — 54[.]157[.]24[.]8, 104[.]21[.]11[.]249, 172[.]67[.]150[.]206, 2606:4700:3032::ac43:96ce, 2606:4700:3032::ac43:911c
  • [Email Addresses] IoCs – 9 email addresses — examples not provided in article
  • [Domain] Email-connected Domains – 43 domains — (context: domains connected via email addresses tied to IoCs)
  • [IP Addresses] Additional IPs – 185 additional IP addresses — (context: discovered by resolving the domain IoCs via DNS lookups, then geolocated)
  • [Domain] String-connected Domains – 1,303 domains — examples include strings starting with panel., pluto., joker

Read more: https://circleid.com/posts/20240607-profiling-a-popular-ddos-booter-services-ecosystem