Into the DDoS maelstrom: a longitudinal study of a scrubbing service

Distributed denial-of-service (DDoS) attacks are nowadays easy and cheap to carry out, and have become larger and more frequent in recent years. Cloud-based scrubbers have emerged as a service that victims can hire on demand to fend off attacks. There are many industry players, but little insight into their operations. This work unravels for the first time the inner workings of a DDoS scrubber: NaWas, a non-profit scrubber in the Netherlands. We analyze 1800+ DDoS attacks spanning a period of 22 months, and show that while most attacks are not very large, they are still large enough to disrupt services and likely to disturb links. We estimate the collateral damage incurred by DDoS attacks, and demonstrate that the number of victims is at least quadratically larger (IP²) than the number of targeted addresses. Last, by correlating attack metadata with authoritative DNS traffic, we show that DDoS attacks leave fingerprints on DNS traffic, which in turn can be used to detect DDoS attacks at an early stage, even if attackers attempt to deceive DNS-based detection.
