How to Become an Internet Supervillain in Three Easy Steps

May 12, 2015 Roland Dobbins

One of the truisms of comic books and graphic novels is that nothing is immutable – both heroes and villains are rebooted, retconned, featured as radically (or subtly) different versions in alternate timelines, etc. The Marvel Cinematic Universe, which so far includes the Captain America, Thor, Hulk, Iron Man, and Avengers films, is a good example. DC are doing the same with The Flash and Green Arrow, and the latest cinematic incarnations of Batman and Superman are set to do battle with one another in a projected summer blockbuster movie next year.

And these new variants on old stories proliferate throughout the various versions of each character arc – variations on the same themes, but instantly recognizable to long-time fans and easily remembered by new ones. Tony Stark’s updated Iron Man origin story in the first Iron Man movie is one such example; the supervillain Mystique’s origin in the X-Men series of films (not part of the MCU) is another.

That isn’t to say that there’s no innovation taking place – Frank Miller’s The Dark Knight Returns radically migrated the general public perception of Batman away from the 1960s comedy paradigm popularized by the camp television series towards a much darker interpretation of Bruce Wayne’s tortured transformation into the Batman over the course of two (soon to be three) successive reboots of the cinematic portrayal of the classic superhero. Alan Moore’s Watchmen cleverly subverted the tried and true formulas of both superheroes and their supervillain nemeses, transforming one into the other in a paired set of character inversions which are amongst the strongest and most memorable in all forms of literature. With Marvels, Alex Ross and Kurt Busiek brought us back to the beginnings of the character arcs of many of the major Marvel superheroes – giving us a very different perspective on those beginnings – resulting in a familiar, yet greatly altered perception of their stories and significance. Ross and Mark Waid did the same for Superman, Wonder Woman, and Captain Marvel (along with several other nearly-forgotten characters) in DC’s seminal Kingdom Come series.

And then Mark Millar showed up, and subverted everything we thought we knew about the superhero/supervillain dichotomy in his ‘Millarworld’ milieu, as well as in more established Marvel and DC franchises. Millar made use of many of the same basic concepts mixed in with more extreme characters and circumstances, leading to outcomes both familiar in theme but wildly varying in details.

Depending upon your inclinations and sensibilities, the thematic and archetypal similarities between the story arcs of comic books and graphic novels and the state of security of many Internet-connected networks and properties may be either amusing, depressing, or strangely compelling. Or some combination of the three.

And as it turns out, it’s considerably easier to become a supervillain on the Internet than it ever has been in comics:

Step 1: Possess – or Invent – a Motive.

Whether it’s ideology, greed, online gaming disputes, or pure nihilism (e.g., ‘for the lulz’), for all practical purposes, there’s a near-infinitude of miscreants or potential miscreants on the Internet (latest user population estimate: 3 billion and counting) today, and many of them have a near-infinite set of axes to grind, either real or imaginary. No matter an organization’s industry, vertical, focus, market, services, or user population, somewhere out there, there’s someone who can somehow benefit from disrupting the availability of its Internet presence – it doesn’t matter who or why, it’s just enough to know that they’re out there, and they’re apparently a permanent feature of life on the Internet, reaching back into its very own Cold War-/ARPANET/IRC-driven origin story, seemingly destined to always be with us.

Step 2: Develop – or Acquire – the Means.

Whether a given archenemy is a network- and applications-savvy polymath or a clueless script kiddie barely able to click a mouse or maneuver across a touchscreen, there are superpowers out there waiting to be invented, used, or reused in the service of disruption. The real innovators (think Lex Luthor or Victor von Doom) are relatively rare; they develop new DDoS attack methodologies, sell them onwards or utilize them personally to accomplish their own individual goals (generally extortion, a diversion to mask online espionage of one form or another, or ideological in nature), and then those new methodologies inevitably make their way downstream into weaponized cloud-based DDoS ‘booter’ or ‘stresser’ tools, allowing the least technically-inclined aspiring Doctor Impossibles to make use of highly effective DDoS techniques such as link-saturating reflection/amplification attacks or more subtle TCP connection-oriented attack methodologies, all through an accessible (if not aesthetically pleasing) Web GUI interface. Push a few buttons, move a few sliders, pay up with a few (likely stolen) Bitcoins or credit cards, and a new Internet supervillain is born!

Step 3: Identify the Opportunity.

Unfortunately, the industry best current practices (BCPs) for maximizing the availability of network elements, servers, application stacks, services, et. al. which have been developed and made publicly available and are continually evangelized by many participants in the global operational security community, including Arbor ASERT, are more honored in the breach than in the observance. As a result, even very well-understood, basic DDoS attack methodologies all too often succeed even against large, well-resourced organizations with Internet-facing properties which are crucial to their revenue streams, logistics, and brand reputation. This state of affairs works in favor of all levels of attackers, who often don’t even bother to perform much (if any) reconnaissance before launching DDoS attacks against their intended targets.

The more effective Internet supervillains with the longest-running criminal careers are those who practice good tradecraft, who don’t risk gaining too much negative attention from various combinations of law enforcement agencies, and who know when to fade into the background until the next target of opportunity presents itself. And then there are those who adopt a flashy moniker, who’re extremely profligate with their attack campaigns, who threaten DDoS attacks of the greatest sophistication and largest attack traffic volumes – but who in reality are utilizing the same tried-and-true attack methodologies pioneered by the original innovators, slowly expanding their mastery of entry-level ‘booter’/‘stresser’ services while becoming giddy with their newfound, yet circumscribed, superpowers. For this category of Internet supervillains, small initial successes often boost their self-confidence to unjustified levels, and leadithem into an overly profligate series of attacks against high-profile institutions which is almost certainly going to bring a lot of unwanted (from the attacker’s point of view) official scrutiny.

For the last year or so, an individual or organization calling itself DD4BC (‘DDoS for Bitcoins’) has been been rapidly increasing both the frequency and the scope of its DDoS extortion attempts, shifting target demographics from low-level Bitcoin exchanges to online casinos and betting shops and, most recently, to prominent financial institutions across Europe, Asia, Australia, and New Zealand. DD4BC’s modus operandi is generally to launch a relatively small 10gb/sec – 15gb/sec reflection/amplification DDoS attacks against the chosen target, then email an extortion demand for between 15 and 100 Bitcoins (whatever they believe the target in question may be willing to pay) to an official contact address at the targeted organization. These extortion demands typically claim that DD4BC have 400gb/sec – 500gb/sec of DDoS attack capacity at their disposal, and give the targeted organization 48 hours to pay up, else they threaten to unleash overwhelming DDoS attacks against the target in the event of non-payment.

As of this writing, we’re unaware of any organization which has actually given in to DD4BC’s extortion demands, so we’re unsure of how lucrative DD4BC’s DDoS-driven extortion campaigns actually are for the perpetrator(s). What we have observed is that to date, DD4BC seem not to have generated any DDoS attacks in excess of a few tens of gb/sec – which, sadly, have been sufficient to at least initially disrupt the availability of many targeted organizations due to the all-too-commonplace lack of adequate preparations on the part of the defenders. However, the targets and their ISP and MSSP partners have generally moved quickly to successfully mitigate the DD4BC DDoS attacks, not least because DD4BC are simply making use of well-known DDoS attack methodologies such as ntp, SSDP, and WordPress XML-RPC reflection/amplification attacks, plus the occasional SYN-flood (one of the original DDoS attack methodologies in use on the then-nascent commercial Internet, first put to use in 1995). The WordPress reflection/amplification attack, first described in early 2014, seems to be the latest addition to their repertoire.

The ntp reflection/amplification attacks utilized by DD4BC have been seen on the public Internet for the last several years, achieving mainstream popularity in late 2013/early 2014, with Arbor publishing an analysis of the attacks and detailed mitigation instructions in mid-2014. SSDP ascended into popularity in mid-2014, and Arbor included descriptions of and effective mitigation techniques for this DDoS attack methodology in updates to our earlier publications on the general topic of reflection/amplification DDoS attacks.

In short, DD4BC appear to be utilizing commercial ‘booter’/’stresser’ services, and are slowly expanding their mastery of these entry-level attack-generation systems to launch attacks employing well-known methodologies with equally well-known mitigation techniques available through commercial solutions and services such as Arbor’s Peakflow SP/TMS, APS, and Arbor Cloud, as well as a variety of network infrastructure-based tools and techniques recommended by Arbor to network operators of all varieties.

The secret identities and motivations of aspiring Internet supervillains may be of prurient interest to both targets and bystanders, but the actual details aren’t actually necessary for organizations with significant Internet-facing properties to successfully defend against the well-known and readily-mitigated DDoS attack methodologies utilized by lower-tier miscreants, as well as the increasingly sophisticated attacks launched by more skilled attackers.

During the most recent upsurge in DD4BC activity, we’ve worked with targeted organizations who hadn’t yet incorporated the relevant best current practices (BCPs) nor followed the mitigation recommendations made by Arbor and other participants in the global operational security community, and who therefore were initially affected by DD4BC’s use of these well-known DDoS attack methodologies. However, it was relatively easy to bring them up to speed very quickly, with both on-premise and ISP/MSSP DDoS defense solutions, services , and techniques which effectively mitigated the attacks against these organizations.

Conversely, we also collaborated with organizations – both service providers of various stripes as well as enterprises in various verticals – who’d already incorporated Arbor’s recommended BCPs and detection/classification/traceback/mitigation techniques during the initial upsurge in ntp reflection/amplification attacks in early 2014, SSDP reflection/amplification attacks in mid-2014, as well as those we’d been assisting in mitigating DNS, SNMP, chargen, and other reflection/amplification attacks over many years. Because these organizations have kept up with the latest BCPs and recommended mitigation strategies and have done so for many years, they and their customers/users were almost completely unaffected by the standard reflection/amplification attacks launched against them by BB4DC, who soon decided to switch their focus to less prepared and capable targets.

“With great power comes great responsibility,” as Uncle Ben was retconned into remonstrating to a young Peter Parker in Ultimate Spider-Man #4. The good news is that practically every organization of note with an Internet presence either has in their possession the superpowers needed to defeat today’s DDoSing Internet supervillains, or can quickly call on allies who possess those powers in abundance. And just like in the comics, the fact that most of the bad guys simply utilize variations on well-established themes means that once an organization has implemented the relevant recommendations and BCPs, they’re well-prepared to deal with bad actors ranging from the likes of Paste Pot Pete and Negaduck to Galactus, Eater of Worlds or Darkseid – and all those in between.


1 Soluk, Kirk. (2014, February 14). NTP Attacks: Welcome to The Hockey Stick Era.

2 ASERT Threat Intelligence. (2014, March). ASERT Threat Intelligence Brief 2014-05 – Comprehensive Insight and Mitigation Strategies for NTP Reflection/Amplfication Attacks. Available to Arbor Customers Upon Request.

3 Dobbins, Roland. (2014, October). Presentation – When the Sky is Falling: Network-Scale Mitigation of High-Volume Reflection/Amplification DDoS Attacks.

4 Dobbins, Roland. (2014, August). Webinar – When the Sky is Falling: Network-Scale Mitigation of High-Volume Reflection/Amplification DDoS Attacks.

5 Dobbins, Roland. (2009 – Present). Public Folder of Best Current Practices (BCPs) tutorials and techniques for network operators.


Previous Article
How to Become an Internet Supervillain in Three Easy Steps

One of the truisms of comic books and graphic novels is that nothing is...

Next Article
Bedep’s DGA: Trading Foreign Exchange for Malware Domains
Bedep’s DGA: Trading Foreign Exchange for Malware Domains

As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort,...