Johannes Krupp
ABSTRACT
Amplification DDoS attacks have gained popularity and become a serious threat to Internet participants. However, little is known about where these attacks originate, and revealing the attack sources is a non-trivial problem due to the spoofed nature of the traffic.
In this paper, we present novel techniques to uncover the infrastructures behind amplification DDoS attacks. We follow a two-step approach to tackle this challenge: First, we develop a methodology to impose a fingerprint on scanners that perform the reconnaissance for amplification attacks that allows us to link subsequent attacks back to the scanner. Our methodology attributes over 58% of attacks to a scanner with a confidence of over 99.9%. Second, we use Time-to-Live-based trilateration techniques to map scanners to the actual infrastructures launching the attacks. Using this technique, we identify 34 networks as being the source for amplification attacks at 98\% certainty.
- GeoLite2 Free Downloadable Databases. https://dev.maxmind.com/geoip/geoip2/geolite2/.Google Scholar
- IP to ASN mapping. https://www.team-cymru.org/IP-ASN-mapping.html.Google Scholar
- RIPE Atlas. https://atlas.ripe.net.Google Scholar
- The Spoofer Project. http://spoofer.cmand.org.Google Scholar
- Basescu, C., Reischuk, R. M., Szalachowski, P., Perrig, A., Zhang, Y., Hsiao, H.-C., Kubota, A., and Urakawa, J. SIBRA: Scalable Internet Bandwidth Reservation Architecture. In NDSS '16.Google Scholar
- Belenky, A., and Ansari, N. On Deterministic Packet Marking. Comput. Netw. 51, 10 (2007). Google ScholarDigital Library
- Chen, R., Park, J.-M., and Marchany, R. A Divide-and-Conquer Strategy for Thwarting Distributed Denial-of-Service Attacks. Parallel and Distributed Systems, IEEE Transactions on 18, 5 (May 2007), 577--588. Google ScholarDigital Library
- Clayton, R. How Much Did Shutting Down McColo Help? CEAS '09.Google Scholar
- Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., and Karir, M. Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks. In ACM IMC '14. Google ScholarDigital Library
- Dean, D., Franklin, M. K., and Stubblefield, A. An Algebraic Approach to IP traceback. ACM Trans. Inf. Syst. Secur. 5, 2 (2002). Google ScholarDigital Library
- Doeppner, T. W., Klein, P. N., and Koyfman, A. Using Router Stamping to Identify the Source of IP Packets. In ACM CCS '00. Google ScholarDigital Library
- Dong, Q., Adler, M., Banerjee, S., and Hirata, K. Efficient Probabilistic Packet Marking. In IEEE ICNP '05. Google ScholarDigital Library
- Durumeric, Z., Wustrow, E., and Halderman, J. A. ZMap: Fast Internet-wide scanning and its security applications. In USENIX Sec '13. Google ScholarDigital Library
- Duwairi, B., Chakrabarti, A., and Manimaran, G. An Efficient Probabilistic Packet Marking Scheme for IP Traceback, 2004.Google ScholarCross Ref
- Gao, Z., and Ansari, N. A Practical and Robust Inter-domain Marking Scheme for IP Traceback. Computer Networks 51, 3 (2007). Google ScholarDigital Library
- Graham, R. D. Masscan: Mass ip port scanner. https://github.com/robertdavidgraham/masscan (2014).Google Scholar
- John, A., and Sivakumar, T. DDoS: Survey of Traceback Methods. International Journal of Recent Trends in Engineering 1, 2 (2009).Google Scholar
- Karami, M., Park, Y., and McCoy, D. Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services. In ACM WWW '16. Google ScholarDigital Library
- Korkmaz, T., Gong, C., Saraç, K., and Dykes, S. G. Single Packet IP Traceback in AS-level Partial Deployment Scenario. IJSN (2007), 95--108. Google ScholarDigital Library
- Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., and Rossow, C. Amppot: Monitoring and defending against amplification ddos attacks. In RAID '15.Google Scholar
- Kührer, M., Hupperich, T., Rossow, C., and Holz, T. Exit from Hell? Reducing the Impact of Amplification DDoS Attacks. In USENIX Sec '14.Google Scholar
- Li, Y., Wang, Q., Yang, F., and Su, S. Traceback DRDoS Attacks. Journal of Information & Computational Science 8 (2011).Google Scholar
- Mirkovic, J., and Reiher, P. A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 2 (2004). Google ScholarDigital Library
- P. Ferguson, D. Senie. BCP 38 on Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. http://tools.ietf.org/html/bcp38, 2000. Google ScholarDigital Library
- Prince, M. The DDoS That Almost Broke the Internet. https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/, 2013.Google Scholar
- Rossow, C. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In NDSS '14 (2014).Google Scholar
- Salvatore Sanfilippo. New TCP Scan Method. http://seclists.org/bugtraq/1998/Dec/79.Google Scholar
- Santanna, J., Durban, R., Sperotto, A., and Pras, A. Inside Booters: An Analysis on Operational Databases. In IFIP/IEEE IM '15 (2015).Google Scholar
- Santanna, J. J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L. Z., and Pras, A. Booters - An Analysis of DDoS-As-a-Service Attacks. In IFIP/IEEE IM '15.Google Scholar
- Savage, S., Wetherall, D., Karlin, A., and Anderson, T. Network Support for IP Traceback. IEEE/ACM Trans. Netw. 9, 3 (2001). Google ScholarDigital Library
- Savage, S., Wetherall, D., Karlin, A. R., and Anderson, T. E. Practical Network Support for IP Traceback. In ACM SIGCOMM '00. Google ScholarDigital Library
- Schwarz, M. J. DDoS Attack Hits 400 Gbit/s, Breaks Record. http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787, 2014.Google Scholar
- Shokri, R., Varshovi, A., Mohammadi, H., and Yazdani, N. DDPM: Dynamic Deterministic Packet Marking for IP Traceback. In IEEE ICON '06, vol. 2.Google Scholar
- Snoeren, A. C., Partridge, C., Sanchez, L. A., Jones, C. E., Tchakountio, F., Kent, S. T., and Strayer, W. T. Hash-based IP Traceback. ACM SIGCOMM Comput. Commun. Rev. 31, 4 (2001). Google ScholarDigital Library
- Snoeren, A. C., Partridge, C., Sanchez, L. A., Jones, C. E., Tchakountio, F., Schwartz, B., Kent, S. T., and Strayer, W. T. Single-packet IP traceback. IEEE/ACM Trans. Netw. 10, 6 (2002). Google ScholarDigital Library
- Song, D. X., and Perrig, A. Advanced and Authenticated Marking Schemes for IP Traceback. In Proc. of IEEE INFOCOM (2001), vol. 2.Google Scholar
- Specht, S. M., and Lee, R. B. Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures. In International Workshop on Security in Parallel and Distributed Systems (2004).Google Scholar
- Stadje, W. The collector's problem with group drawings. Advances in Applied Probability 22, 4 (1990).Google ScholarCross Ref
- Sung, M., Xu, J., Li, J., and Li, L. Large-scale IP Traceback in High-speed Internet: Practical Techniques and Information-theoretic Foundation. IEEE/ACM Trans. Netw. 16, 6 (2008). Google ScholarDigital Library
- Yaar, A., Perrig, A., and Song, D. StackPi: New Packet Marking and Filtering Mechanisms for DDoS and IP Spoofing Defense. IEEE Journal on Selected Areas in Communications 24, 10 (2006). Google ScholarDigital Library
- Yaar, A., Perrig, A., and Song, D. X. Pi: A Path Identification Mechanism to Defend against DDoS Attack. In IEEE S&P '03. Google ScholarDigital Library
- Zhang, X., Hsiao, H.-C., Hasker, G., Chan, H., Perrig, A., and Andersen, D. G. SCION: Scalability, Control, and Isolation on Next-Generation Networks. In IEEE S&P '11. Google ScholarDigital Library
Index Terms
- Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks
Recommendations
Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks
CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications SecurityAmplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. ...
Dual-Level Attack Detection, Characterization and Response for Networks Under DDoS Attacks
DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce dual-level attack detection D-LAD scheme for defending against the DDoS attacks. At higher and coarse level, the macroscopic level detectors MaLAD attempt to ...
Evaluation of TFTP DDoS amplification attack
Web threats are becoming a major issue for both governments and companies. Generally, web threats increased as much as 600% during last year (WebSense, 2013). This appears to be a significant issue, since many major businesses seem to provide these ...
Comments