Published April 25, 2012

Booter Shell Scripts Threat Advisory

Booter shell scripts are sophisticated, easy-to-use distributed denial of service (DDoS) attack scripts that make it possible to bring down web servers without vast networks of infected zombie computers. This cybersecurity threat advisory explains the origins of this form of attack and the methods it uses to infect web servers.

What You Need to Know

Booter shell scripts are customizable scripts that randomize attack signatures and make attacks more difficult to differentiate from legitimate traffic.

Booter shells:

  • lower the barrier to entry for launching DDoS attacks, so even novices can do it
  • are freely available in the hacker underground
  • threaten to ramp up the technical sophistication, design and deployment of DDoS attacks.


Attack data indicate that the DDoS threatscape is shifting towards the increased utilization of booters by malicious actors in the underground hacking communities. The web security threat posed by booter scripts has arisen from a variety of developments:

  • Increased use of dynamic web application technologies and rapid deployment of insecure web applications have created new vulnerabilities.
  • These weaknesses allow hackers to use infected web servers instead of client machines to conduct DDoS attacks.
  • Web servers typically have 1,000+ times the capacity of a workstation, providing hackers a with a much higher yield of malicious traffic at higher Packet per Second (PPS) and Bit per Second (BPS) rates with the addition of each infected machine.
  • The skill level required to take over a web server and convert it into a DDoS zombie has been simplified.

DDoS Booter Shell script can be deployed by almost anyone who purchases hosting or makes use of simple web application vulnerabilities such as RFI, LFI, SQLi and WebDAV exploits.The concept of infection also changes when discussing server-based attacks:

  • Traditional Windows malware ingrains itself into the operating system and often obfuscates its presence by spreading multiple DLLs throughout the file system.
  • Traditional methods of infection would typically involve spam campaigns, worms or browser-based exploits, requiring multitudes of infected machines.
  • DDoS Booter Scripts are simple standalone files that execute GET/POST floods when accessed via HTTP.
  • The simplified technical requirements and increased attack power of DDos Booter Shell scripts put DDoS capabilities in the hands of a much wider range of actors.

Contact Us