
Researchers from the University of Cambridge’s Security Group recently published important findings on the effectiveness of global law enforcement actions against DDoS-for-hire services, also known as booters. Their study, “Assessing the Aftermath: the Effects of a Global Takedown against DDoS-for-hire Services”, was presented at the USENIX Security Symposium 2025 and awarded an Honourable Mention. The work was carried out by Anh V. Vu, Ben Collier, Daniel R. Thomas, John Kristoff, Richard Clayton, and Alice Hutchings.
Booters have long offered an easy way for anyone with a few dollars to launch denial-of-service attacks. Marketed as “stress-testing” tools, they are widely used for malicious purposes and pose a persistent challenge to defenders.
The paper analyses the coordinated law enforcement takedowns in December 2022 and May 2023, which together seized around 60 domains. The research team drew on a wide range of data sources—traffic analytics, DDoS attack datasets, splash page logs, and online forums—to understand both the technical and social impact of the interventions.
Key findings include:
- Fast recovery, but lasting disruption: Booter operators typically resurrected their services within 20–40 hours, often under new domains. However, site traffic collapsed by 80–90%, with many domains reduced to negligible daily visits.
- Temporary reduction in DDoS volumes: The December 2022 takedown coincided with a 20–40% drop in global DDoS traffic, especially UDP-based attacks. Volumes rebounded within weeks, but the short-term impact was clear.
- Undermining trust in the market: Law enforcement also deployed deceptive booter sites and messaging campaigns, creating doubt among operators and users. This erosion of trust is seen as a significant deterrent.
- Changing user profile: Most visitors to seized booter sites came from the US and Europe, and they were often gamers rather than seasoned cybercriminals. Few attempted to hide their identities, highlighting the low barrier to entry in this ecosystem.
The research underlines that while takedowns do not eliminate booters, they serve as valuable disruptions. By making the market unstable, forcing operators to waste resources, and discouraging casual users, these interventions reduce overall harm—even if only temporarily.
As the authors note, the fight against DDoS-for-hire is not about a single decisive victory. Instead, it is a long-term effort to keep the ecosystem fragile and unappealing, gradually pushing it away from being a casual tool into a riskier niche.
This is an excellent example of rigorous, data-driven research that sheds light on both the technical and human aspects of cybercrime. We congratulate the University of Cambridge Security Group and the authors for their contribution to the field and for helping the community better understand how to tackle the persistent challenge of DDoS-for-hire services.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com