DOI: 10.1145/3131365.3131383

Millions of targets under attack: a macroscopic characterization of the DoS ecosystem

Published: 01 November 2017

Abstract

Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal, by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS.

Published In

IMC '17: Proceedings of the 2017 Internet Measurement Conference
November 2017
509 pages
ISBN:9781450351188
DOI:10.1145/3131365

In-Cooperation

  • USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DDoS
  2. cloud-based mitigation
  3. reflection attacks
  4. spoofed attacks

Qualifiers

  • Research-article

Conference

IMC '17
IMC '17: Internet Measurement Conference
November 1 - 3, 2017
London, United Kingdom

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%
