Millions of targets under attack: a macroscopic characterization of the DoS ecosystem

Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal, by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all / 24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS.

[1]  Lachlan L. H. Andrew,et al.  Capturing ghosts: predicting the used IPv4 space by inferring unobserved addresses , 2014, Internet Measurement Conference.

[2]  Alberto Dainotti,et al.  Lost in Space: Improving Inference of IPv4 Address Space Utilization , 2016, IEEE Journal on Selected Areas in Communications.

[3]  Aiko Pras,et al.  Booters — An analysis of DDoS-as-a-service attacks , 2015, 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM).

[4]  Katsunari Yoshioka,et al.  Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service , 2016, RAID.

[5]  Georgios Smaragdakis,et al.  Beyond Counting: New Perspectives on the Active IPv4 Address Space , 2016, Internet Measurement Conference.

[6]  Aiko Pras,et al.  A High-Performance, Scalable Infrastructure for Large-Scale Active DNS Measurements , 2016, IEEE Journal on Selected Areas in Communications.

[7]  Alastair R. Beresford,et al.  1000 days of UDP amplification DDoS attacks , 2017, 2017 APWG Symposium on Electronic Crime Research (eCrime).

[8]  Lukas Krämer,et al.  AmpPot: Monitoring and Defending Against Amplification DDoS Attacks , 2015, RAID.

[9]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[10]  Aziz Mohaisen,et al.  Delving into Internet DDoS Attacks by Botnets: Characterization and Analysis , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[11]  Michael Bailey,et al.  Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks , 2014, Internet Measurement Conference.

[12]  S. Agarwal,et al.  DDoS Mitigation via Regional Cleaning Centers , 2003 .

[13]  Ramesh K. Sitaraman,et al.  The Akamai network: a platform for high-performance internet applications , 2010, OPSR.

[14]  Herbert Bos,et al.  On measuring the impact of DDoS botnets , 2014, EuroSec '14.

[15]  Vyas Sekar,et al.  Analyzing large DDoS attacks using multiple data sources , 2006, LSAD '06.

[16]  Aiko Pras,et al.  DNSSEC and its potential for DDoS attacks: a comprehensive measurement study , 2014, Internet Measurement Conference.

[17]  Giovane C. M. Moura,et al.  Anycast vs. DDoS: Evaluating the November 2015 Root DNS Event , 2016, Internet Measurement Conference.

[18]  Christian Rossow,et al.  Amplification Hell: Revisiting Network Protocols for DDoS Abuse , 2014, NDSS.

[19]  M. Abliz Internet Denial of Service Attacks and Defense Mechanisms , 2011 .

[20]  Vern Paxson,et al.  On the Potential Abuse of IGMP , 2017, CCRV.

[21]  Aiko Pras,et al.  Measuring the Adoption of DDoS Protection Services , 2016, Internet Measurement Conference.