Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks

Amplification DDoS attacks have gained popularity and become a serious threat to Internet participants. However, little is known about where these attacks originate, and revealing the attack sources is a non-trivial problem due to the spoofed nature of the traffic. In this paper, we present novel techniques to uncover the infrastructures behind amplification DDoS attacks. We follow a two-step approach to tackle this challenge: First, we develop a methodology to impose a fingerprint on the scanners that perform the reconnaissance for amplification attacks, which allows us to link subsequent attacks back to the scanner. Our methodology attributes over 58% of attacks to a scanner with a confidence of over 99.9%. Second, we use Time-to-Live-based trilateration techniques to map scanners to the actual infrastructures launching the attacks. Using this technique, we identify 34 networks as being the source for amplification attacks at 98% certainty.
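The abstract only names the idea behind the second step: the TTL of a packet is set by the real sender and decremented per hop, so even spoofed attack traffic reveals, at each observing amplifier, how far away the true sender is. The following Python sketch is an added illustration of that idea and not the paper's own method; the vantage-point names, scanner labels, TTL values and matching thresholds are all constructed for the example.

```python
# Common initial TTL values used by operating systems (assumption: the real
# sender uses one of these; spoofing the source address does not alter TTL).
INITIAL_TTLS = (32, 64, 128, 255)

def hop_count(observed_ttl):
    """Estimate hops travelled as the distance to the nearest initial TTL above."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init - observed_ttl
    raise ValueError(f"invalid TTL {observed_ttl}")

def ttl_signature(observations):
    """{vantage_point: observed_ttl} -> {vantage_point: estimated_hops}."""
    return {vp: hop_count(ttl) for vp, ttl in observations.items()}

def signature_distance(sig_a, sig_b):
    """Sum of per-vantage-point hop differences over the shared vantage points,
    together with the number of shared points ((None, 0) if nothing is shared)."""
    shared = sig_a.keys() & sig_b.keys()
    if not shared:
        return None, 0
    return sum(abs(sig_a[vp] - sig_b[vp]) for vp in shared), len(shared)

def attribute_attack(attack_obs, scanner_db, max_dist=1, min_shared=3):
    """Return the label of the scanner whose hop-count signature is closest to
    the attack traffic's, or None if no scanner is close enough (ties -> None)."""
    attack_sig = ttl_signature(attack_obs)
    best, best_dist, tie = None, None, False
    for scanner_id, scanner_obs in scanner_db.items():
        dist, shared = signature_distance(attack_sig, ttl_signature(scanner_obs))
        if dist is None or shared < min_shared or dist > max_dist:
            continue  # too few shared vantage points or too far away
        if best_dist is None or dist < best_dist:
            best, best_dist, tie = scanner_id, dist, False
        elif dist == best_dist:
            tie = True
    return None if tie else best

# Constructed sample data: TTLs of scan probes seen at four honeypot amplifiers
# (vantage points), keyed by a label assigned when the scanner was fingerprinted.
SCANNER_DB = {
    "scanner-A": {"vp1": 52, "vp2": 49, "vp3": 55, "vp4": 50},      # base TTL 64
    "scanner-B": {"vp1": 118, "vp2": 115, "vp3": 121, "vp4": 113},  # base TTL 128
}
# Constructed attack traffic carrying a spoofed victim source; its TTLs still
# reflect the real path from the attack host, here one hop off scanner-B's path.
ATTACK_OBS = {"vp1": 117, "vp2": 115, "vp3": 121, "vp4": 113}

if __name__ == "__main__":
    print(attribute_attack(ATTACK_OBS, SCANNER_DB))  # scanner-B
```

Observed TTLs are ambiguous between initial values (52 could be 12 hops from 64 or 76 from 128); the nearest-above heuristic is a simplification, and a real deployment would need many vantage points to distinguish hosts that merely share a similar path length.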
