DDoS-as-a-Service

Also known as: Booter, Stresser, DDoSaaS

A commercial service that rents out DDoS attack capacity by the minute through a web dashboard, lowering the skill barrier for launching denial-of-service attacks.

What is DDoS-as-a-service?

DDoS-as-a-service (also marketed as booter or stresser services) is the commercial productization of the DDoS attack. A customer pays a subscription fee — typically $10 to $300 per month — and gets access to a web dashboard where they enter a target IP or domain, pick an attack method, set a duration, and click "launch." The actual attack traffic comes from the service provider's botnet or from amplification infrastructure they've scouted.

Why these services exist despite being illegal

Running a DDoS-for-hire service is a crime in most jurisdictions, and the US and UK have run repeated takedown operations against large booter operators. Yet the market persists because:

  • Low skill barrier — the customer doesn't need to own a botnet or know how DDoS works
  • Plausible cover story — services market themselves as "stress testers" you can use "on your own servers"
  • Small transactions — most attacks last minutes and cost dollars, which makes any single case hard to justify on law-enforcement cost/benefit grounds
  • Resilient infrastructure — providers rotate domains, payment processors, and hosting after each seizure

Detection and defense

Traffic from a booter is still DDoS traffic — it shows the familiar fingerprint of a huge number of source IPs sending identical, low-value requests. Upstream DDoS mitigation (Cloudflare, AWS Shield, dedicated scrubbing providers) is the only practical defense against serious volume. For smaller targets, blocking at the edge by country, ASN, or abuse-list membership can reduce impact. The source IPs of a booter attack are usually already cataloged — running them through an IP abuse report checker typically returns a long history of prior reports.
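The fingerprint described above (many source IPs sending one identical request) can be checked over an access log. This is an added sketch, not code from this page or from any vendor; the log format, thresholds, and function names are assumptions, and the sample lines are constructed from documentation address ranges.

```python
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_SECONDS = 10   # assumed bucket size
MIN_SOURCES = 30      # assumed: distinct IPs sending the same request
MIN_SHARE = 0.5       # assumed: fraction of the window's traffic

def parse(line):
    """Split '<ISO time> <src_ip> <method> <path> <user agent>' (assumed format)."""
    ts, ip, method, path, agent = line.split(" ", 4)
    stamp = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    epoch = int(stamp.timestamp())
    return epoch - epoch % WINDOW_SECONDS, ip, (method, path, agent)

def find_floods(lines):
    """Return one finding per window where many sources send one identical request."""
    sources = defaultdict(set)    # (window, fingerprint) -> source IPs
    hits = defaultdict(int)       # (window, fingerprint) -> request count
    totals = defaultdict(int)     # window -> all requests seen
    for line in lines:
        try:
            window, ip, fingerprint = parse(line)
        except ValueError:        # malformed line: skip it, keep the detector running
            continue
        sources[(window, fingerprint)].add(ip)
        hits[(window, fingerprint)] += 1
        totals[window] += 1
    findings = []
    for (window, fingerprint), ips in sorted(sources.items()):
        share = hits[(window, fingerprint)] / totals[window]
        if len(ips) >= MIN_SOURCES and share >= MIN_SHARE:
            findings.append({"window": window, "request": fingerprint,
                             "sources": sorted(ips), "share": round(share, 2)})
    return findings

def sample_log():
    """Constructed log: 40 sources repeat one request while 5 clients browse normally."""
    flood = [f"2024-01-01T12:00:0{i % 10} 198.51.100.{i + 1} GET /?q=1 Mozilla/5.0"
             for i in range(40)]
    normal = [f"2024-01-01T12:00:0{i} 203.0.113.{i + 1} GET /page/{i} Firefox/121.0"
              for i in range(5)]
    return flood + normal + ["truncated line"]

if __name__ == "__main__":
    for finding in find_floods(sample_log()):
        print(finding["request"], len(finding["sources"]), "sources,",
              "share", finding["share"])
```

The `sources` list in each finding is the input for an edge block rule or an abuse-report lookup.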

Frequently Asked Questions

Cheap. Public booter services have advertised attacks for as little as $5-$20 for a few minutes, $30-$150 for an hour, and $300-$1,000 per month for unlimited use. The economics are why DDoS-as-a-service has flourished — a teenager with a stolen credit card can knock a small business offline for less than the cost of lunch. Premium "pentest" branded services charge more and target larger volumes.

No — operating one is criminal in nearly every jurisdiction under computer-misuse laws (US Computer Fraud and Abuse Act, UK Computer Misuse Act 1990, EU Directive 2013/40/EU), and using one to attack a target you don't own is criminal too. Operators market their services as "stress testers for your own servers" to provide deniability, but courts have consistently rejected this defense. Major operators have been prosecuted in repeated takedown waves (the Operation Power OFF actions in 2018, 2022, and 2024 each seized dozens of services).

Public booters typically deliver 10-100 Gbps for low-tier packages, with some claiming several hundred Gbps via amplification. The truly large attacks (multi-Tbps) come from private botnets, not retail booter services — those aren't sold to walk-up customers. But even 10 Gbps is enough to saturate the upstream of any small or medium business that doesn't sit behind dedicated DDoS protection.

Because the operating cost is low, customer demand is high, and the infrastructure is easily portable. Operators rotate domains, payment processors, and hosting providers after each seizure, often relaunching under a new brand within weeks. The criminal economics keep working as long as there is marginal demand for cheap-and-easy attacks. Sustained law-enforcement pressure has measurably reduced the market size, but full eradication would require disrupting the demand side too.

Sit behind a CDN with built-in DDoS protection (Cloudflare free tier, Bunny, Fastly, AWS CloudFront with Shield Standard) — these absorb most volumetric attacks at their edge before traffic reaches your origin. For application-layer attacks (slow HTTP, login flooding), add WAF rules and rate limiting at the CDN. Self-hosted solutions without upstream scrubbing simply cannot survive a sustained booter attack — your upstream link saturates before any filtering you do can help.