Abstract
Distributed reflection denial of service (DRDoS) attacks are widespread on the Internet. DRDoS attacks exploit mostly UDP-based protocols to achieve traffic amplification and provide an extra layer of indirection between attackers and their victims, and a single attack can reach hundreds of Gbps. Recent trends in DRDoS include multiprotocol amplification attacks, which exploit several protocols at the same time, and carpet bombing attacks, which target multiple IP addresses in the same subnet instead of a single address, in order to evade detection. Such attacks have been reported in the wild, but have not been discussed in the scientific literature so far. This paper describes the first research on the characterization of both multiprotocol and carpet bombing DRDoS attacks. We developed MP-H, a honeypot that implements nine different protocols commonly used in DRDoS attacks, and used it for data collection. Over a period of 731 days, our honeypot received 1.8 TB of traffic, containing nearly 20.7 billion requests, and was involved in more than 1.4 million DRDoS attacks, including over 13.7 thousand multiprotocol attacks. We describe several features of multiprotocol attacks and compare them to monoprotocol attacks that occurred in the same period, and characterize the carpet bombing attacks seen by our honeypot.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., Gritzalis, S.: DNS amplification attack revisited. Comput. Secur. 39, 475–485 (2013)
Arteaga, J., Mejia, W.: CLDAP reflection DDoS, April 2017. https://bit.ly/3kqyIku
Cimpanu, C.: The CoAP protocol is the next big thing for DDoS attacks. ZDNet, December 2018. https://zd.net/333hymy
Cymru, T.: DNS research at Team Cymru (2020). http://dnsresearch.cymru.com/
Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Internet Measurement Conference, pp. 435–448. ACM (2014)
DDoSMon: Insight into global DDoS threat landscape, April 2019. https://ddosmon.net/insight/
Fachkha, C., Bou-Harb, E., Debbabi, M.: Inferring distributed reflection denial of service attacks from darknet. Comput. Commun. 62, 59–71 (2015)
Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A., Dainotti, A.: Millions of targets under attack: a macroscopic characterization of the DoS ecosystem. In: Internet Measurement Conference, pp. 100–113. ACM, New York (2017)
Krämer, L., et al.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_28
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security Symposium (2014)
Majkowski, M.: Stupidly simple DDoS protocol (SSDP) generates 100 Gbps DDoS, June 2017. https://bit.ly/35lq2W0
Majkowski, M.: Memcrashed - major amplification attacks from UDP port 11211, February 2018. https://bit.ly/2HvD4Ix
Mansfield-Devine, S.: The growth and evolution of DDoS. Netw. Secur. 2015(10), 13–20 (2015)
MaxMind: GeoLite2 database, October 2020. https://www.maxmind.com/
McAuley, C.: Following the crumbs: deconstructing the CLDAP DDoS reflection attack, November 2016. https://bit.ly/3mgR08h
Mertens, X.: Port scanners: the good and the bad, September 2015. https://bit.ly/3lQmFNF
Nazario, J.: DDoS attack evolution. Netw. Secur. 2008(7), 7–10 (2008)
NETSCOUT: CoAP attacks in the wild, January 2019. aSERT blog. https://bit.ly/2HqNxou
NETSCOUT: Dawn of the terrorbit era. Threat intelligence report 2H 2018 (2019). https://www.netscout.com/
NETSCOUT: Netscout threat intelligence report for the first half of 2020 (2020). https://bit.ly/3mh3Tzb
NETSCOUT, Arbor: Insight into the global threat landscape, October 2017. Netscout Arbor’s 13th Annual Worldwide Infrastructure Security Report
Noroozian, A., Korczyński, M., Gañan, C.H., Makita, D., Yoshioka, K., van Eeten, M.: Who gets the boot? Analyzing victimization by DDoS-as-a-service. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 368–389. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_17
OpenNTP: OpenNTPProject.org - NTP Scanning Project (2020). http://openntpproject.org/
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)
van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 449–460. ACM (2014)
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Network and Distributed System Security Symposium (NDSS) (2014)
Rudman, L., Irwin, B.: Characterization and analysis of NTP amplification-based DDoS attacks. In: Information Security for South Africa (ISSA). IEEE (2015)
TCPDUMP: TCPDUMP/LIBPCAP public repository (2020). https://www.tcpdump.org/
Thomas, D.R., Clayton, R., Beresford, A.R.: 1000 days of UDP amplification DDoS attacks. In: APWG Symposium on Electronic Crime Research (eCrime), pp. 79–84. IEEE (2017)
Acknowledgments
We thank the anonymous reviewers and our shepherd Bradley Reaves, for their helpful comments in reviewing this paper. This research was supported by FAPESC and UDESC, and financed in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior – Brasil (CAPES) – Finance Code 001.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Heinrich, T., Obelheiro, R.R., Maziero, C.A. (2021). New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science(), vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_16
Download citation
DOI: https://doi.org/10.1007/978-3-030-72582-2_16
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72581-5
Online ISBN: 978-3-030-72582-2
eBook Packages: Computer ScienceComputer Science (R0)