EVERYTHING about Booters (and CloudFlare)

Hi folks,

A friend forwarded me your topic about Booters and CloudFlare. Then I decided to join the NANOG list. The *answer* to the first question about CloudFlare and Booters is at: https://www.youtube.com/watch?v=wW5vJyI_HcU (minute 45:55), given by the _CloudFlare CEO_ at Black Hat 2013.

I have been investigating Booters since 2013 and I know many (if not all) of the possible aspects of this DDoS-as-a-Service phenomenon. A summary of my entire research (or a large part of it) can be watched at https://tnc16.geant.org/web/media/archive/3A (from minute 22:53). On top of that, I developed an algorithm to find Booters and publicly share that list (http://booterblacklist.com/). My main goal with this initiative is to convince people to blacklist and keep track of the users that access Booters (who potentially perform attacks).

If you have any question about any aspect of the entire phenomenon, don't hesitate to contact me. By the way, I want to help deploy the booters blacklist worldwide and help prosecutors to shut down these bastards. I have a lot of evidence!

Cheers,

Jair Santanna
jairsantanna.com

Hi Jair,

This list is really interesting.

From just a preliminary test, more than half of these domains are hiding
behind Cloudflare, and OVH has a sizable fraction too. I suppose it's
inevitable, given that both are known for having non-existent abuse
departments.

Regards

Hi Paras,

I covered the booter topic in a previous reply on a different (though
basically the same) thread. By "non-existent" you mean we are
processing thousands of reports per week. If you have something to
report you can certainly do so at cloudflare.com/abuse. We'd be more
than happy to process your report also.

Thanks,
Justin

From just a preliminary test, more than half of these domains are
hiding behind Cloudflare, and OVH has a sizable fraction too.

you mean are using cloudflare and ovh services.

I suppose it's inevitable, given that both are known for having
non-existent abuse departments.

as the OP made pretty clear, it's not a matter of an abuse contact.
it is the service not acting as a law enforcement agency and asking
for a court order. most large service providers operate in that way.

randy

Hi Justin,

I have submitted abuse reports in the past, maybe from 2014 - 2015, but I
gave up after I consistently did not even get replies and saw no action
being taken. It is the same behavior with other providers who host malware
knowingly. I appreciate you coming out onto the list though, it's nice to
see that CF does maintain a presence here.

Regards
Paras

Hi Randy,

I've found the vast majority of large service providers to be very
receptive to abuse reports when they contain evidence and valid information.

Regards
Paras

I for one am glad providers are on the case tackling DoS,
never ignoring abuse, and doing the best they can to
prevent these things:

https://www.linkedin.com/pulse/why-do-networking-providers-like-cybercriminals-so-much-j-oquendo

I am sure a lawyer would see it very differently, I could see someone looking at this like racketeering. They get paid to provide a service to defend against DDoS, well knowingly hosting people who conduct DDoS attacks. Cloudflare profits from both the victims and the criminals. If Cloudflare isn't acting in good faith to shut down these sites when they receive evidence they are bad actors, they could find themselves in a bit of trouble.

At this point Cloudflare would know that these bad actors are hosted on their service since we know many Cloudflare employees subscribe to the NANOG list, and the list of bad actors would now show up in their email server, ready for legal discovery.

Disclaimer: I have a ton of respect for Cloudflare and what they do on the internet.

As was mentioned in the BlackHat video, the DDoS providers don't like
competition and they try to take each other out, which is why they need to
be on Cloudflare. If they were all kicked off of Cloudflare then they would
all take each other out, leaving no need for Cloudflare's DDoS services. So
by hosting these companies they are ensuring that they will have business.

(I have no evidence to this. Just a theory..............)


They just lost all respect from here. Would someone from USA please report
these guys to the feds? What they are doing is outright criminal.

Regards

Baldur

They can monitor (passively or actively) all access to the sites they host, even
the ones that use SSL, and they often use their close working relationship with
law enforcement to explain why they don't terminate bad actors on their network.

You can probably assume that "the feds" are intimately aware of what they're doing.

Cheers,
  Steve

Law enforcement (US or international) knows how to contact us if they
have an inquiry to make. We also publish a Transparency
Report that covers those legal inquiries:
https://www.cloudflare.com/transparency/

Here's the list sorted by DNS provider. (Of course the DNS provider isn't
necessarily the hoster.) This list omits domains which don't seem to have
NS records at the moment.

  above.com bootr.org
  above.com formalitystresser.com
  above.com masterboot.net
  above.com olympusstresser.org
  above.com renegade-products.net
  above.com royalbooter.de
  arubadns.cz hyperstresser.com
  arubadns.net hyperstresser.com
  axc.nl umbstresser.net
  bodis.com vbooter.com
  bookmyname.com evilbooter.net
  cloudflare.com alphastress.com
  cloudflare.com anonymous-stresser.net
  cloudflare.com aurastresser.com
  cloudflare.com beststresser.com
  cloudflare.com boot4free.com
  cloudflare.com booter.eu
  cloudflare.com booter.org
  cloudflare.com booter.xyz
  cloudflare.com bullstresser.com
  cloudflare.com buybooters.com
  cloudflare.com cnstresser.com
  cloudflare.com connectionstresser.com
  cloudflare.com crazyamp.me
  cloudflare.com critical-boot.com
  cloudflare.com cstress.net
  cloudflare.com cyberstresser.org
  cloudflare.com darkstresser.info
  cloudflare.com darkstresser.net
  cloudflare.com databooter.com
  cloudflare.com ddos-fighter.com
  cloudflare.com ddos-him.com
  cloudflare.com ddos.city
  cloudflare.com ddosbreak.com
  cloudflare.com ddosclub.com
  cloudflare.com ddostheworld.com
  cloudflare.com defcon.pro
  cloudflare.com destressbooter.com
  cloudflare.com destressnetworks.com
  cloudflare.com diamond-stresser.net
  cloudflare.com diebooter.com
  cloudflare.com diebooter.net
  cloudflare.com down-stresser.com
  cloudflare.com downthem.org
  cloudflare.com exitus.to
  cloudflare.com exostress.in
  cloudflare.com free-boot.xyz
  cloudflare.com freebooter4.me
  cloudflare.com freestresser.xyz
  cloudflare.com grimbooter.com
  cloudflare.com heavystresser.com
  cloudflare.com hornystress.me
  cloudflare.com iddos.net
  cloudflare.com inboot.me
  cloudflare.com instabooter.com
  cloudflare.com ipstresser.co
  cloudflare.com ipstresser.com
  cloudflare.com jitterstresser.com
  cloudflare.com k-stress.pw
  cloudflare.com layer-4.com
  cloudflare.com layer7.pw
  cloudflare.com legionboot.com
  cloudflare.com logicstresser.net
  cloudflare.com mercilesstresser.com
  cloudflare.com mystresser.com
  cloudflare.com netbreak.ec
  cloudflare.com netspoof.net
  cloudflare.com networkstresser.com
  cloudflare.com neverddos.com
  cloudflare.com nismitstresser.net
  cloudflare.com onestress.com
  cloudflare.com onestresser.net
  cloudflare.com parabooter.com
  cloudflare.com phoenixstresser.com
  cloudflare.com pineapple-stresser.com
  cloudflare.com powerstresser.com
  cloudflare.com privateroot.fr
  cloudflare.com purestress.net
  cloudflare.com quantumbooter.net
  cloudflare.com quezstresser.com
  cloudflare.com ragebooter.net
  cloudflare.com rawlayer.com
  cloudflare.com reafstresser.ga
  cloudflare.com restricted-stresser.info
  cloudflare.com routerslap.com
  cloudflare.com sharkstresser.com
  cloudflare.com signalstresser.com
  cloudflare.com silence-stresser.com
  cloudflare.com skidbooter.info
  cloudflare.com spboot.net
  cloudflare.com stormstresser.net
  cloudflare.com str3ssed.me
  cloudflare.com stressboss.net
  cloudflare.com stresser.club
  cloudflare.com stresser.in
  cloudflare.com stresser.network
  cloudflare.com stresser.ru
  cloudflare.com stresserit.com
  cloudflare.com synstress.net
  cloudflare.com titaniumbooter.net
  cloudflare.com titaniumstresser.net
  cloudflare.com topstressers.com
  cloudflare.com ts3booter.net
  cloudflare.com unseenbooter.com
  cloudflare.com vbooter.org
  cloudflare.com vdos-s.com
  cloudflare.com webbooter.com
  cloudflare.com webstresser.co
  cloudflare.com wifistruggles.com
  cloudflare.com xboot.net
  cloudflare.com xr8edstresser.com
  cloudflare.com xtreme.cc
  cloudflare.com youboot.net
  cloudns.net bemybooter.eu
  crazydomains.com buzzbooter.info
  dnsnuts.com stagestresser.com
  dnsnuts.com ufa-booters-tools.com
  domaincontrol.com ddos.tools
  domaincontrol.com iridiumstresser.net
  domaincontrol.com national-stresser.net
  domaincontrol.com onionstresser.com
  domaincontrol.com pokent.com
  domaincontrol.com xenon-stresser.com
  domaindiscover.com instinctproducts.com
  foundationapi.com booter.in
  foundationapi.com mini-booter.com
  free-h.org darkbooter.fr
  free-h.org omega-stresser.us
  freenom.com boot.ml
  freenom.com kth-stress.tk
  hichina.com stresser.cc
  hostinger.co.uk powerdos.co.uk
  hostinger.fi nuke.pe.hu
  hostnet.nl darkstresser.nl
  hostnetbv.com darkstresser.nl
  hostnetbv.nl darkstresser.nl
  ibspark.com ddos-ip.com
  ibspark.com national-stresser.com
  ibspark.com time-stresser.pw
  kdnetworks.net stressed.pw
  kirklanddc.com asylumstresser.com
  myhostadmin.net battle.pw
  name-services.com anonymous-stresser.com
  name-services.com avengestresser.com
  name-services.com celerystresser.com
  name-services.com ddosit.net
  name-services.com ddosit.us
  name-services.com ddossite.com
  name-services.com divinestresser.com
  name-services.com down-stresser.us
  name-services.com ebolastresser.com
  name-services.com emaizstresser.net
  name-services.com exile-stresser.net
  name-services.com hazebooter.com
  name-services.com ionbooter.com
  name-services.com isitdownyet.com
  name-services.com lifetimeboot.com
  name-services.com networkstresser.net
  name-services.com omegastresser.com
  name-services.com powerstress.com
  name-services.com stuxstresser.com
  name-services.com xrshellbooter.com
  name.com infectedstresser.net
  name.com netstress.net
  namebrightdns.com dreamstresser.com
  namebrightdns.com netspoof.com
  namebrightdns.com yakuzastresser.com
  namecheaphosting.com ipstresstest.com
  namecheaphosting.com respawn.ca
  one.com equinoxstresser.net
  one.com riotstresser.com
  one.com wifistruggles.net
  parkingcrew.net b-h.us
  parkingcrew.net buyddos.com
  parkingcrew.net freezystresser.nl
  parkingcrew.net getsmack.de
  parkingcrew.net optimusstresser.com
  parkingcrew.net stress-me.net
  parkingcrew.net superstresser.com
  parkingcrew.net xrstresser.net
  parklogic.com fagstresser.net
  parktons.com ddoser.xyz
  registrar-servers.com anonymousbooter.com
  registrar-servers.com bigbangbooter.com
  registrar-servers.com booter.io
  registrar-servers.com kryptonic.pw
  registrar-servers.com network-stressing.net
  registrar-servers.com orcahub.com
  registrar-servers.com ragebooter.com
  registrar-servers.com stresser.info
  registrar-servers.com thestresser.com
  rentondc.com cyber-sst.com
  rentondc.com vdoss.net
  rookdns.com chargen.cf
  rookdns.com dejabooter.com
  rookdns.com emo-stresser.com
  rookdns.com minecraftstresser.com
  rookdns.com nightlystresser.ml
  rookdns.com speed-stresser.com
  rookdns.com vex-stresser.net
  rookdns.com xtremebooter.com
  sedoparking.com booter-sales.hourb.com
  sedoparking.com stresser.org
  strong-stresser.com strong-stresser.com
  technorail.com hyperstresser.com
  tini4u.net ddos.kr
  udag.de hydrostress.com
  udag.net hydrostress.com
  udag.org hydrostress.com
  ztomy.com foreverinfamous.com

---rsk
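The tabulation above, and the earlier "more than half are hiding behind Cloudflare" count, are easy to reproduce from NS records. The script below is an added example and is not code from rsk or anyone else on this thread. The name-server answers in it are constructed for illustration (real answers come from `dig +short NS <domain>` or a resolver library), and the small suffix set is a stand-in for the full Public Suffix List.

```python
"""Group a domain list by the organisation running its authoritative name
servers, the way the per-provider table in this thread was built.

Added example, not code from the thread. SAMPLE_NS below is CONSTRUCTED
sample data, not the result of a live lookup.
"""
from collections import defaultdict

# Assumption: a tiny stand-in for the Public Suffix List. Real code should
# load the full list (e.g. the `publicsuffix2` package); these entries cover
# the sample data and the .co.uk case that appears in the thread's table.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "pe.hu", "co.za"}

# Providers that are also reverse proxies: when one of these runs the NS,
# the A records point at the proxy's edge, so the NS provider tells you
# nothing about who hosts the origin ("the DNS provider isn't necessarily
# the hoster").
PROXY_PROVIDERS = ("cloudflare.com",)

# Constructed NS answers. An empty list stands for "no NS records at the
# moment", which the thread's table omits.
SAMPLE_NS = {
    "booter.org": ["amy.ns.cloudflare.com", "rob.ns.cloudflare.com"],
    "ipstresser.com": ["kim.ns.cloudflare.com", "tom.ns.cloudflare.com"],
    "powerdos.co.uk": ["ns1.hostinger.co.uk", "ns2.hostinger.co.uk"],
    "hyperstresser.com": ["dns.technorail.com", "dns2.technorail.com",
                          "dns3.arubadns.net", "dns4.arubadns.cz."],
    "vbooter.com": [],
}


def provider_of(ns_host):
    """Reduce an NS hostname to its registrable domain (the 'provider').

    amy.ns.cloudflare.com -> cloudflare.com
    ns1.hostinger.co.uk   -> hostinger.co.uk
    """
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return ns_host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_provider(ns_records):
    """Return {provider: sorted domains} for every provider seen in a
    domain's NS set. A domain served by two providers (hyperstresser.com
    in the thread) appears under both; domains with no NS are dropped."""
    groups = defaultdict(set)
    for domain, ns_hosts in ns_records.items():
        for ns in ns_hosts:
            groups[provider_of(ns)].add(domain)
    return {p: sorted(d) for p, d in sorted(groups.items())}


def fronted_by_proxy(ns_records, proxy_providers=PROXY_PROVIDERS):
    """Domains whose NS provider is a reverse proxy: for these, resolve the
    A record and check the announcing ASN instead of trusting the NS."""
    return sorted(
        domain
        for domain, ns_hosts in ns_records.items()
        if any(provider_of(ns) in proxy_providers for ns in ns_hosts)
    )


def format_table(groups):
    """Render the groups as 'provider domain' lines, one per pair, in the
    layout used in the thread."""
    return [f"{provider} {domain}"
            for provider, domains in groups.items()
            for domain in domains]


if __name__ == "__main__":
    table = group_by_provider(SAMPLE_NS)
    print("\n".join(format_table(table)))
    print("\nproxied (NS says nothing about the hoster):",
          ", ".join(fronted_by_proxy(SAMPLE_NS)))
```

To run this against the real list, replace SAMPLE_NS with actual NS answers. Note that it only reproduces the NS-provider view: an "OVH" count like the one mentioned earlier in the thread needs A-record and ASN lookups, which this script deliberately does not attempt, and for the Cloudflare-fronted domains those lookups would only return Cloudflare edge addresses anyway.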

This is a common 'complaint' point for abuse senders. I often wonder why.
What is a reply supposed to do or tell you?

Because replying admits knowledge and creates a paper trail thereof. Esp.
w.r.t. copyright infringement takedown notices etc.

(or also because said providers are inundated with such requests because they
don't actually care as it's all part of their profit centre.)

/kc

From our side:

abuse@ reports generate an auto reply indicating where our reporting
form is located.

Reports at our reporting form generate an auto reply confirming we
received the report. All reports filed via the form are reviewed by a
human and at a minimum passed on to the responsible hosting provider so
they are aware and can follow their policies to address it with their
customer.

This is why policy, as painful as it is to produce, is useful.

There isn't even general agreement on whether (or what!) Cloudflare is
doing is a problem.

Which is why interested parties need to get together and agree on some
sort of policy regarding this and similar things.

Or not and just let it go.

That policy could, at least in theory, be attached to peering
agreements, BGP agreements, address allocations, etc as contracts as a
means of enforcement. And if necessary presented to law enforcement or
courts as clearly defined violations of GAAP.

It may not be a law per se but it's the sort of thing a court case
might use, say in a civil damages suit or even law enforcement action,
to establish that defendant's behavior exhibited reckless disregard
and so on.

As an analogy you can't accuse someone of mayhem if no one can be
bothered to write down what mayhem might be and why the defendant
should have known their actions were mayhemic.

aiding and abetting. at the very least willful negligence.

-Dan

* goemon@sasami.anime.net (Dan Hollis) [Wed 27 Jul 2016, 20:21 CEST]:

I am not seeing Justin's replies hitting my mailbox, only snippets of quotes
and replies... but my experience to date with CloudFlare has been exactly the
same, no response or action of any kind to abuse reports.

...Searching... here is an example. Banco do Brasil "you must update your
details" phishing fraud using compromised hosts. Example email and the details
necessary to confirm it were sent to abuse@cloudflare.com on 7/17. Ten days
later and the compromised CloudFlare-fronted site is still up and still
running. Would there be any confusion if the following abuse report (plus
attached original email) arrived in your mailbox?