ABSTRACT
Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that targets are often hit simultaneously by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS.
Index Terms
- Millions of targets under attack: a macroscopic characterization of the DoS ecosystem