Visualization of actionable knowledge to mitigate DRDoS attacks

Distributed Reflective Denial of Service (DRDoS) attacks represent an ever-growing security threat. These attacks are characterized by spoofed UDP traffic that is sent to genuine machines, called amplifiers, whose responses go to the spoofed source IP, i.e., the victim machine, and are amplified: a response can be 500 times larger in size than the originating request. In this paper, we provide a method and a tool for Internet Service Providers (ISPs) to assess and visualize the amount of traffic that enters and leaves their network when it contains innocent amplifiers. We show that amplified traffic usually goes undetected and can consume significant bandwidth, even when only a small number of amplifiers is present. The tool also enables ISPs to simulate various rule-based mitigation strategies and estimate their impact, based on real-world data obtained from amplification honeypots.
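As an added illustration (not the paper's tool or its honeypot data), the following Python sketch shows the kind of estimate the abstract describes: constructed honeypot-style records of spoofed requests reaching amplifiers inside an ISP, the resulting ingress and egress volumes, and two rule-based mitigation strategies (filtering one UDP service port, capping amplified bytes per victim) whose impact is estimated by replaying the records. The record layout, IP addresses and response sizes are assumed values chosen for the example.

```python
from collections import defaultdict

# Constructed sample of amplification-honeypot-style records (not real data).
# Each record is one spoofed request observed at an amplifier inside the ISP:
# (amplifier IP, victim/spoofed source IP, UDP service port,
#  request bytes on the wire, response bytes the amplifier sends back)
RECORDS = [
    ("10.0.0.5",  "203.0.113.7",  123, 60, 30000),  # NTP-style large response
    ("10.0.0.5",  "203.0.113.7",  123, 60, 30000),
    ("10.0.0.9",  "203.0.113.7",   53, 64,  3200),  # DNS-style response
    ("10.0.0.9",  "198.51.100.4",  53, 64,  3200),
    ("10.0.0.12", "198.51.100.4",  19, 40,  1000),  # chargen-style response
    ("10.0.0.12", "198.51.100.4",  19, 40,  1000),
]

def traffic_volume(records):
    """Return (ingress_bytes, egress_bytes) for the ISP: spoofed requests
    come in, amplified responses leave toward the victims."""
    ingress = sum(r[3] for r in records)
    egress = sum(r[4] for r in records)
    return ingress, egress

def amplification_factor(records):
    """Overall bytes-out / bytes-in ratio caused by the in-network amplifiers."""
    ingress, egress = traffic_volume(records)
    return egress / ingress if ingress else 0.0

# Mitigation rules are predicates over a record: True means the amplified
# response is still allowed to leave the network, False means it is dropped.
def block_port(port):
    """Drop amplifier responses for one UDP service port (edge ACL style)."""
    return lambda r: r[2] != port

def cap_per_victim(max_bytes):
    """Rate limit: allow at most max_bytes of amplified responses per victim."""
    sent = defaultdict(int)
    def keep(r):
        if sent[r[1]] + r[4] > max_bytes:
            return False
        sent[r[1]] += r[4]
        return True
    return keep

def simulate(records, rule):
    """Replay records under a rule; report egress before/after and the reduction."""
    before = traffic_volume(records)[1]
    after = traffic_volume([r for r in records if rule(r)])[1]
    return {"egress_before": before, "egress_after": after,
            "reduction": 1 - after / before if before else 0.0}
```

With these constructed records the amplifiers turn 328 ingress bytes into 68,400 egress bytes; filtering port 123 removes most of it, while a 5,000-byte per-victim cap keeps only the smaller responses.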
