1000 days of UDP amplification DDoS attacks

Thomas, Daniel; Clayton, Richard; Beresford, Alastair R.

doi:10.1109/ecrime.2017.7945057

Cited by 53 publications

(62 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The attack logs of three prominent booters 1 from 2014, 2016, and 2017/2018 all 1 Of the 285 414 attacks for booter.io recorded between 2014-03-24 and 2014-09-07, 261 968 (91%) are for method names indicating UDP reflection (UDP, CHARGEN, UDPLAG). Of the 169 845 attacks recorded between 2016-05-01 and 2016-07-23 for vDOS 123 751 (72%) are for method names indicating UDP reflection (DNS, NTP, SNMP, PORTMAP) [61]. Of the 412 059 attacks recorded for Webstresser ( §2.5) between 2017-10-18 and 2018-02-26, 339 181 (82%) were probably UDP reflection attacks based on their name.…”

Section: Datasetsmentioning

confidence: 99%

“…The dataset is of victim IPs seen by a large number of honeypot machines roped into attacks using the protocols QOTD, CHARGEN, time, DNS, PORTMAP, NTP, LDAP, MSSQL Monitor, MDNS, and SSDP. Full details of the dataset are provided by Thomas et al along with a statistical analysis to show high levels of coverage for many of these UDP protocols [61]. For analysis we group flows of packets to the same victim IP or prefix for the same protocol until there is a gap of at least 15 minutes with no packets being received by any sensor.…”

Section: Datasetsmentioning

confidence: 99%

“…Protocols appear to go in and out of vogue at different times and there are short term spikes. From analysis of booter attack logs we know that booters experiment with switching to different protocols, or perhaps choose not to reflect packets off the honeypots providing our dataset [61], which may explain these spikes. The steady rise in attack numbers from the beginning of 2017 to the end of 2018 appears to be largely driven by an increase in attacks using the LDAP protocol which is the only protocol with consistent growth over time.…”

Section: Analysing By Udp Protocolmentioning

confidence: 99%

“…The first is a dataset of victims of reflected UDP amplification attacks, a technique widely used by booters, which covers a five-year period from 2014. This dataset is known to have good coverage of many widely abused protocols [61]. The second dataset is of self-reported DoS attack numbers collected from booter websites.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Booting the Booters

Collier

Thomas

Clayton

et al. 2019

Proceedings of the Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

Illegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of intervention aimed at those using and offering booter services, including arrests and website takedown. In order to measure the impact of these interventions we look at the usage reports that booters themselves provide and at measurements of reflected UDP DoS attacks, leveraging a five year measurement dataset that has been statistically demonstrated to have very high coverage. We analysed time series data (using a negative binomial regression model) to show that several interventions have had a statistically significant impact on the number of attacks. We show that, while there is no consistent effect of highly-publicised court cases, takedowns of individual booters precede significant, but short-lived, reductions in recorded attack numbers. However, more wide-ranging disruptions have much longer effects. The closure of HackForums' booter market reduced attacks for 13 weeks globally (and for longer in particular countries) and the FBI's coordinated operation in December 2018, which involved both takedowns and arrests, reduced attacks by a third for at least 10 weeks and resulted in lasting change to the structure of the booter market. CCS CONCEPTS• Networks → Denial-of-service attacks; • Social and professional topics → Computer crime; • Security and privacy → Social aspects of security and privacy; • Mathematics of computing → Time series analysis.

show abstract

Section: Datasetsmentioning

confidence: 99%

Section: Datasetsmentioning

confidence: 99%

Section: Analysing By Udp Protocolmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Booting the Booters

Collier

Thomas

Clayton

et al. 2019

Proceedings of the Internet Measurement Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…converting bitcoin to PayPal) can be used for money laundering [35]. Other illicit activities include trading online stolen accounts [18], hacking Massively Multiplayer Online (MMO) games for profit [13], or advertising booter services, technically offered as "Service Stress Tools", but which are actually used for DDoS attacks [41].…”

Section: Scraping Underground Forumsmentioning

confidence: 99%

CrimeBB

Pastrana

Thomas

Hutchings

et al. 2018

Proceedings of the 2018 World Wide Web Conference on World Wide Web - WWW '18

Self Cite

View full text Add to dashboard Cite

Underground forums allow criminals to interact, exchange knowledge, and trade in products and services. They also provide a pathway into cybercrime, tempting the curious to join those already motivated to obtain easy money. Analysing these forums enables us to better understand the behaviours of offenders and pathways into crime. Prior research has been valuable, but limited by a reliance on datasets that are incomplete or outdated. More complete data, going back many years, allows for comprehensive research into the evolution of forums and their users. We describe CrimeBot, a crawler designed around the particular challenges of capturing data from underground forums. CrimeBot is used to update and maintain CrimeBB, a dataset of more than 48m posts made from 1m accounts in 4 different operational forums over a decade. This dataset presents a new opportunity for large-scale and longitudinal analysis using up-to-date information. We illustrate the potential by presenting a case study using CrimeBB, which analyses which activities lead new actors into engagement with cybercrime. CrimeBB is available to other academic researchers under a legal agreement, designed to prevent misuse and provide safeguards for ethical research. CCS CONCEPTS• Information systems → Web crawling; • Security and privacy → Social aspects of security and privacy;

show abstract

Characterizing Eve: Analysing Cybercrime Actors in a Large Underground Forum

Pastrana

Hutchings

Caines

et al. 2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Underground forums contain many thousands of active users, but the vast majority will be involved, at most, in minor levels of deviance. The number who engage in serious criminal activity is small. That being said, underground forums have played a significant role in several recent high-profile cybercrime activities. In this work we apply data science approaches to understand criminal pathways and characterize key actors related to illegal activity in one of the largest and longestrunning underground forums. We combine the results of a logistic regression model with k-means clustering and social network analysis, verifying the findings using topic analysis. We identify variables relating to forum activity that predict the likelihood a user will become an actor of interest to law enforcement, and would therefore benefit the most from intervention. This work provides the first step towards identifying ways to deter the involvement of young people away from a career in cybercrime.

show abstract

1000 days of UDP amplification DDoS attacks

Cited by 53 publications

References 17 publications

Booting the Booters

Booting the Booters

CrimeBB

Characterizing Eve: Analysing Cybercrime Actors in a Large Underground Forum

Contact Info

Product

Resources

About