DOI: 10.1145/3131365.3131383

Millions of targets under attack: a macroscopic characterization of the DoS ecosystem

Published: 01 November 2017

ABSTRACT

Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal, by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS.


Published in

IMC '17: Proceedings of the 2017 Internet Measurement Conference
November 2017
509 pages
ISBN: 9781450351188
DOI: 10.1145/3131365

Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Overall Acceptance Rate: 277 of 1,083 submissions, 26%
