DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date the community has ultimately failed to eradicate DDoS altogether. Moreover, the landscape of DDoS attack mechanisms is still evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks on a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they account for the largest fraction of DDoS amplification attacks within our observation, and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquiti Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone capacity and that the filtering approaches of prior work omit 97% of the attack traffic.
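The abstract describes identifying amplification attacks from traffic flows at an IXP and measuring what share of traffic they represent. The following is an added example illustrating that kind of flow-based detection from a defender's side; it is not code from the paper or the IXP. It assumes NetFlow/IPFIX-like records with source/destination address, ports, protocol, byte and packet counts, groups UDP flows from well-known amplifier service ports by victim address, and flags groups with many distinct reflectors and large average packet sizes. The port-to-vector table uses standard IANA port assignments, the sample flows are constructed for the example, and the thresholds (`min_sources`, `min_bytes`, `min_avg_pkt`) are illustrative assumptions rather than values from the paper.

```python
"""Flow-based detection of UDP amplification attack candidates.

Added example, not the paper's own code. Assumes NetFlow/IPFIX-style
records; sample flows below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard UDP service ports of known amplification vectors (IANA assignments).
AMPLIFIER_PORTS = {
    123: "NTP",
    389: "CLDAP",
    53: "DNS",
    1900: "SSDP",
    11211: "memcached",
    1194: "OpenVPN",
    3283: "ARMS",
    10001: "Ubiquiti Discovery",
}

UDP = 17
TCP = 6


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    bytes: int
    packets: int


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    # NTP reflection toward 203.0.113.10 from four reflectors.
    Flow("192.0.2.11", 123, "203.0.113.10", 50000, UDP, 46800, 100),
    Flow("192.0.2.12", 123, "203.0.113.10", 50000, UDP, 46800, 100),
    Flow("192.0.2.13", 123, "203.0.113.10", 50000, UDP, 46800, 100),
    Flow("192.0.2.14", 123, "203.0.113.10", 50000, UDP, 46800, 100),
    # CLDAP reflection toward 198.51.100.7 from three reflectors.
    Flow("192.0.2.21", 389, "198.51.100.7", 80, UDP, 300000, 200),
    Flow("192.0.2.22", 389, "198.51.100.7", 80, UDP, 300000, 200),
    Flow("192.0.2.23", 389, "198.51.100.7", 80, UDP, 300000, 200),
    # Benign: one resolver answering a client, small responses.
    Flow("192.0.2.53", 53, "192.0.2.5", 41000, UDP, 2000, 20),
    # Benign: a single NTP server syncing one client.
    Flow("192.0.2.123", 123, "192.0.2.9", 42000, UDP, 900, 10),
    # Benign: TCP and non-amplifier UDP traffic, ignored by the detector.
    Flow("192.0.2.53", 53, "192.0.2.5", 41001, TCP, 5000, 40),
    Flow("192.0.2.77", 40000, "192.0.2.8", 443, UDP, 8000, 30),
]


def detect_amplification(flows, min_sources=3, min_bytes=1000, min_avg_pkt=400):
    """Group UDP flows by (victim, amplifier port) and flag groups that show
    many distinct reflectors sending large packets. Thresholds are assumptions."""
    groups = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != UDP or f.src_port not in AMPLIFIER_PORTS:
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["sources"].add(f.src_ip)
        g["bytes"] += f.bytes
        g["packets"] += f.packets

    alerts = []
    for (victim, port), g in groups.items():
        avg_pkt = g["bytes"] / max(g["packets"], 1)
        if (len(g["sources"]) >= min_sources
                and g["bytes"] >= min_bytes
                and avg_pkt >= min_avg_pkt):
            alerts.append({
                "victim": victim,
                "vector": AMPLIFIER_PORTS[port],
                "src_port": port,
                "reflectors": len(g["sources"]),
                "bytes": g["bytes"],
                "avg_packet_bytes": round(avg_pkt, 1),
            })
    # Largest attacks first, which is also the order an operator would triage.
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


def attack_share(flows, alerts):
    """Fraction of all observed bytes attributed to flagged attacks, i.e. the
    load the attacks place on the monitored links."""
    attacked = {(a["victim"], a["src_port"]) for a in alerts}
    attack_bytes = sum(f.bytes for f in flows
                       if f.proto == UDP and (f.dst_ip, f.src_port) in attacked)
    total = sum(f.bytes for f in flows)
    return attack_bytes / total if total else 0.0


if __name__ == "__main__":
    found = detect_amplification(SAMPLE_FLOWS)
    for a in found:
        print(a)
    print(f"share of bytes in flagged attacks: {attack_share(SAMPLE_FLOWS, found):.3f}")
```

Grouping on the reflector's service port rather than the victim's port matters because reflected traffic arrives at arbitrary destination ports; a filter keyed only on one vector or one fixed threshold will miss attacks that use other reflectors or smaller packets, which is the kind of gap the abstract's 97% figure points to.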
