Taming the 800 Pound Gorilla

Czyz, Jakub; Kallitsis, Michael; Gharaibeh, Manaf; Papadopoulos, Christos; Bailey, Michael; Karir, Manish

doi:10.1145/2663716.2663717

Cited by 109 publications

(24 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Czyz et al [4] examined five datasets on NTP attacks dating from 2013 and 2014. They found that the volume of NTP attack traffic rose rapidly but fell after February 2014, possibly due to reconfiguration of NTP servers to prevent amplified reflection.…”

Section: Related Workmentioning

confidence: 99%

1000 days of UDP amplification DDoS attacks

Thomas

Clayton

Beresford

2017

2017 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

Distributed Denial of Service (DDoS) attacks employing reflected UDP amplification are regularly used to disrupt networks and systems. The amplification allows one rented server to generate significant volumes of data, while the reflection hides the identity of the attacker. Consequently this is an attractive, low risk, strategy for criminals bent on vandalism and extortion. To measure the uptake of this strategy we analyse the results of running a network of honeypot UDP reflectors (median size 65 nodes) from July 2014 onwards. We explore the life cycle of attacks that use our reflectors, from the scanning phase used to detect our honeypot machines, through to their use in attacks. We see a median of 1 450 malicious scanners per day across all UDP protocols, and have recorded details of 5.18 million subsequent attacks involving in excess of 3.31 trillion packets. Using a capture-recapture statistical technique, we estimate that our reflectors can see between 85.1% and 96.6% of UDP reflection attacks over our measurement period.

show abstract

Section: Related Workmentioning

confidence: 99%

1000 days of UDP amplification DDoS attacks

Thomas

Clayton

Beresford

2017

2017 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

show abstract

“…There is support through NTP to compare internal diagnostics of server synchronization quality to select a preferred peer and to inform clients, but the performance of this mechanism is variable and does not in any case constitute independent validation. From the perspective of the typical client, judging its server is inherently 1 The interesting question of exactly how large this proportion is has become much harder to answer following the blocking of diagnostic NTP queries since late 2013, due to their exploitation in DDOS attack amplification [2].…”

Section: Introductionmentioning

confidence: 99%

Rot at the roots? Examining public timing infrastructure

Vijayalayan

Veitch

2016

IEEE INFOCOM 2016 - The 35th Annual IEEE International Conference on Computer Communications

View full text Add to dashboard Cite

Timekeeping is central to network measurement. In typical systems, its accuracy is ultimately dependent on the forest of timeservers accessible over the network, whose roots are the stratum-1 timeservers, which benefit from reference hardware. It is essential that these servers are accurate and reliable, and it is commonly assumed that this is the case. We put this belief to the test through an examination of around 100 publicly accessible stratum-1 servers, using datasets spanning over 3 years, collected in a testbed with reference timestamping. We develop a methodology capable of disambiguating the effects of routing changes, congestion related variability, and server anomalies on timestamps. We use it to make a first assessment of the health of (public) network timing, by reporting on the type, severity, and frequency of anomalies we encounter.

show abstract

“…Research shows that some botnets use recognizable values for the source port, TTL, or DNS values [13]. For example, the ports 80 and 123 are often found paired with NTP (port 123) attacks [12], [13], [17] and make up more than 50% of the attacks together. Protocol specific observations show that source port selection differs among protocols [16]: attacks using CharGen, QOTD, RIP, and SSDP exhibit a hard-coded, stable paired port almost exclusively while NTP and DNS attacks show a larger range of randomized ports (about 50%).…”

Section: Detecting Attacksmentioning

confidence: 99%

“…This observation confirms common expectations, which assume attackers choose protocols that allow for high amplification and provide a rich amplifier infrastructure. NTP, for example, does not only provide the highest amplification factor and many amplifiers but also megaamplifiers [17], i.e., hosts that exhibit a significantly larger amplification factor due to their configuration, making this protocol most appealing for attacks.…”

Section: Evading Threshold-based Detectionmentioning

confidence: 99%

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Nawrocki¹,

Kristoff²,

Hiesgen³

et al. 2023

Preprint

View full text Add to dashboard Cite

In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

show abstract

Taming the 800 Pound Gorilla

Cited by 109 publications

References 13 publications

1000 days of UDP amplification DDoS attacks

1000 days of UDP amplification DDoS attacks

Rot at the roots? Examining public timing infrastructure

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Contact Info

Product

Resources

About