Top

Published in:

2021 | OriginalPaper | Chapter

DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

Authors : Daniel Kopp, Christoph Dietzel, Oliver Hohlfeld

Published in: Passive and Active Measurement

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date we ultimately failed to eradicate DDoS altogether. Yet, the landscape of DDoS attack mechanisms is even evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks at a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they pose the largest fraction on DDoS amplification attacks within our observation and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquity Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone-capacity and that filtering approaches in prior work omit 97% of the attack traffic.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks

next chapter A Peek into the DNS Cookie Jar

Jim Troutman via Twitter. https://twitter.com/troutman/status/1090212243197870081. Accessed 26 May 2020

Akamai: Prolexic Technologies by Akamai (2018). https://www.akamai.com/us/en/cloud-security.jsp

Akamai: State of the Internet Security Report (Attack Spotlight: Memcached) (2018). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/soti-summer-2018-attack-spotlight.pdf

Alerts, A.S.: Memcached-fueled 1.3 tbps attacks (2018). https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html

Antonakakis, M., et al.: Understanding the mirai botnet. In: USENIX Security Symposium (2017)

BBC: ‘Hacking attacks’ hit Russian political sites (2012). http://www.bbc.com/news/technology-16032402

Beverly, R., Berger, A., Hyun, Y., Claffy, K.: Understanding the efficacy of deployed internet source address validation filtering. In: ACM IMC (2009)

Beverly, R., Bauer, S.: The spoofer project: inferring the extent of internet source address filtering on the internet. In: Steps to Reducing Unwanted Traffic on the Internet Workshop (2005)

Bjarnason, S., Dobbins, R.: Netscout - A Call to ARMS: Apple Remote Management Service UDP Reflection/Amplification DDoS Attacks (2020). http://de.netscout.com/blog/asert/call-arms-apple-remote-management-service-udp

10.

Blenn, N., Ghiëtte, V., Doerr, C.: Quantifying the spectrum of denial-of-service attacks through internet backscatter. In: International Conference on Availability, Reliability and Security (2017)

11.

Bou-Harb, E., Lakhdari, N.E., Binsalleeh, H., Debbabi, M.: Multidimensional investigation of source port 0 probing. Digit. Investig. 11, 114–123 (2014)CrossRef

12.

Brownlee, N., Claffy, K.C., Nemeth, E.: DNS measurements at a root server. In: IEEE GLOBECOM (2001)

13.

Burke, I.D., Herbert, A., Mooi, R.: Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the south african national research and education network (SANReN): a postmortem analysis of the memcached attack on the SANReN. In: Annual Conference of the South African Institute of Computer Scientists and Information Technologists (2018)

14.

Büscher, A., Holz, T.: Tracking DDoS attacks: insights into the business of disrupting the web. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (2012)

15.

Cimpanu, C.: ZDNet - Protocol used by 630,000 devices can be abused for devastating DDoS attacks. www.zdnet.com/article/protocol-used-by-630000-devices-can-be-abused-for-devastating-ddos-attacks/. Accessed 26 May 2020

16.

Cisco: Implementing BGP Flowspec (2018). https://www.cisco.com/c/en/us/td/docs/routers/asr9000/software/asr9k_r5-2/routing/configuration/guide/b_routing_cg52xasr9k/b_routing_cg52xasr9k_chapter_011.html

17.

Cloudflare: Memcached DDoS Attack. https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/

18.

Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: ACM IMC (2014)

19.

DE-CIX: DE-CIX GlobePEER Remote (2018). https://www.de-cix.net/de/de-cix-service-world/globepeer-remote

20.

Dietzel, C., Feldmann, A., King, T.: Blackholing at IXPs: on the effectiveness of DDoS mitigation in the wild. In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 319–332. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30505-9_24CrossRef

21.

Dietzel, C., Wichtlhuber, M., Smaragdakis, G., Feldmann, A.: Stellar: network attack mitigation using advanced blackholing. In: ACM CoNEXT (2018)

22.

Feldmann, A., et al.: The lockdown effect: implications of the COVID-19 pandemic on internet traffic. In: ACM IMC (2020)

23.

Gillman, D., Lin, Y., Maggs, B., Sitaraman, R.K.: Protecting websites from attack with secure delivery networks. IEEE Comput. Mag. 48(4), 26–34 (2015)CrossRef

24.

Giotsas, V., Smaragdakis, G., Dietzel, C., Richter, P., Feldmann, A., Berger, A.: Inferring BGP blackholing activity in the internet. In: ACM IMC (2017)

25.

Hart, J.: Rapid7 - Understanding Ubiquiti Discovery Service Exposures. http://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/. Accessed 26 May 2020

26.

Hohlfeld, O.: Operating a DNS-based active internet observatory. In: ACM SIGCOMM Poster (2018)

27.

Interfax-Ukraine: Poroshenko reports on DDoS-attacks on Ukrainian CEC from Russia on Feb. 24–25 (2019). https://www.kyivpost.com/ukraine-politics/poroshenko-reports-on-ddos-attacks-on-ukrainian-cec-from-russia-on-feb-24-25.html

28.

Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A., Dainotti, A.: Millions of targets under attack: a macroscopic characterization of the DoS ecosystem. In: ACM IMC (2017)

29.

Jonker, M., Sperotto, A., van Rijswijk-Deij, R., Sadre, R., Pras, A.: Measuring the adoption of DDoS protection services. In: ACM IMC (2016)

30.

Jonker, M., Pras, A., Dainotti, A., Sperotto, A.: A first joint look at DoS atacks and BGP blackholing in the wild. In: ACM IMC (2018)

31.

Karami, M., McCoy, D.: Rent to pwn: analyzing commodity booter DDoS services. Usenix Login 38(6), 20–23 (2013)

32.

Kopp, D., Wichtlhuber, M., Poese, I., de Santanna, J.J.C., Hohlfeld, O., Dietzel, C.: DDoS hide & seek: on the effectiveness of a booter services takedown. In: ACM IMC (2019)

33.

Krämer, L., et al.: AmpPot: monitoring and defending against amplification DDoS attacks. In: International Workshop on Recent Advances in Intrusion Detection (2015)

34.

Krebs, B.: KrebsOnSecurity Hit With Record DDoS (2016). https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos

35.

Lakhina, A., Crovella, M., Diot, C.: Characterization of network-wide anomaliesin traffic flows. In: ACM IMC (2004)

36.

Lichtblau, F., Streibelt, F., Krüger, T., Richter, P., Feldmann, A.: Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses. In: ACM IMC (2017)

37.

Luchs, M., Doerr, C.: The curious case of port 0. In: IFIP Networking (2019)

38.

Luckie, M., Beverly, R., Koga, R., Keys, K., Kroll, J.A., Claffy, K.: Network hygiene, incentives, and regulation: deployment of source address validation in the internet. In: ACM SIGSAC Conference on Computer and Communications Security (2019)

39.

Maghsoudlou, A., Gasser, O., Feldmann, A.: Zeroing in on port 0 traffic in the wild. In: PAM (2021)

40.

Mohamed, J.: Daily Mirror: Hackers attack the Stock Exchange: Cyber criminals take down website for more than two hours as part of protest against world’s banks (2016). http://www.dailymail.co.uk/news/article-3625656/Hackers-attack-Stock-Exchange-Cyber-criminals-website-two-hours-protest-against-world-s-banks.html

41.

Moore, D., Voelker, G., Savage, S.: Inferring internet denial-of-service activity. In: USENIX Security Symposium (2001)

42.

Morales, C.: NETSCOUT Arbor Confirms 1.7 Tbps DDoS Attack; The Terabit Attack Era Is Upon Us (2018). https://asert.arbornetworks.com/netscout-arbor-confirms-1-7-tbps-ddos-attack-terabit-attack-era-upon-us/

43.

Moura, G.C.M., Hesselman, C., Schaapman, G., Boerman, N., de Weerdt, O.: Into the DDoS maelstrom: a longitudinal study of a scrubbing service. In: European Symposium on Security and Privacy Workshops (2020)

44.

MSK-IX: Protection against DDoS-attacks by blackholing. www.msk-ix.ru/eng/routeserver.html#blackhole

45.

Nawrocki, M., Blendin, J., Dietzel, C., Schmidt, T.C., Wählisch, M.: Down the black hole: dismantling operational practices of BGP blackholing at IXPs. In: ACM IMC (2019)

46.

NETIX: Blackholing. www.netix.net/services/14/NetIX-Blackholing

47.

Netscout: Netscout Threat Intelligence Report (2020–02) (2020). https://www.netscout.com/sites/default/files/2020-02/SECR_001_EN-2001_Web.pdf

48.

NOKIA: Filter Policies (2020). https://documentation.nokia.com/html/0_add-h-f/93-0073-HTML/7750_SR_OS_Router_Configuration_Guide/filters.html. Accessed 24 May 2020

49.

null001: OpenVPN service is used for UDP reflection amplification DDoS attack. http://13.58.107.157/archives/8190

50.

Prince, M.: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) (2013). https://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho/

51.

Prince, M.: Technical Details Behind a 400Gbps NTP Amplification DDoS Attack (2014). https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/

52.

Reynolds, J., Postel, J.: Assigned numbers (1984). https://tools.ietf.org/html/rfc900

53.

Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: NDSS (2014)

54.

Ryba, F.J., Orlinski, M., Wählisch, M., Rossow, C., Schmidt, T.C.: Amplification and DRDoS Attack Defense-A Survey and New Perspectives. arXiv preprint arXiv:1505.07892 (2015)

55.

Sachdeva, M., Kumar, K., Singh, G., Singh, K.: Performance analysis of web service under DDoS attacks. In: IEEE International Advance Computing Conference (2009)

56.

Singh, K., Singh, A.: Memcached DDoS exploits: operations, vulnerabilities, preventions and mitigations. In: International Conference on Computing, Communication and Security (2018)

57.

Technologies, A.: 2018 State of the Internet/Security: A Year in Review (2018). https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2018-state-of-the-internet-security-a-year-in-review.pdf

58.

Thomas, D.R., Clayton, R., Beresford, A.R.: 1000 days of UDP amplification DDoS attacks. In: APWG Symposium on Electronic Crime Research (2017)

59.

Times, N.Y.: Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool (2017). https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html

60.

Trammel, B.: Private conversation (2021)

61.

Traynor, I.: Russia accused of unleashing cyberwar to disable Estonia (2007). https://www.theguardian.com/world/2007/may/17/topstories3.russia

62.

US-CERT: UDP-Based Amplification Attacks (2018). https://www.us-cert.gov/ncas/alerts/TA14-017A

63.

Vissers, T., Goethem, T.V., Joosen, W., Nikiforakis, N.: Maneuvering around clouds: bypassing cloud-based security providers. In: ACM CCS (2015)

64.

Vissers, T., Somasundaram, T.S., Pieters, L., Govindarajan, K., Hellinckx, P.: DDoS defense system for web services in a cloud environment. Futur. Gener. Comput. Syst. 37, 37–45 (2014)CrossRef

65.

ZDNet: GitHub hit with the largest DDoS attack ever seen (2018). https://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/

66.

ZDNet: Memcached ddos: The biggest, baddest denial of service attacker yet (2018). https://www.zdnet.com/article/memcached-ddos-the-biggest-baddest-denial-of-service-attacker-yet/

Title: DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks
Authors: Daniel Kopp
Christoph Dietzel
Oliver Hohlfeld
Publisher: Springer International Publishing
Book: Passive and Active Measurement
Print ISBN: 978-3-030-72581-5

Electronic ISBN: 978-3-030-72582-2

Copyright Year: 2021
DOI: https://doi.org/10.1007/978-3-030-72582-2_17

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner