Skip to main content
SpringerLink
Log in

New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2021)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 12671))

Included in the following conference series:

Abstract

Distributed reflection denial of service (DRDoS) attacks are widespread on the Internet. DRDoS attacks exploit mostly UDP-based protocols to achieve traffic amplification and provide an extra layer of indirection between attackers and their victims, and a single attack can reach hundreds of Gbps. Recent trends in DRDoS include multiprotocol amplification attacks, which exploit several protocols at the same time, and carpet bombing attacks, which target multiple IP addresses in the same subnet instead of a single address, in order to evade detection. Such attacks have been reported in the wild, but have not been discussed in the scientific literature so far. This paper describes the first research on the characterization of both multiprotocol and carpet bombing DRDoS attacks. We developed MP-H, a honeypot that implements nine different protocols commonly used in DRDoS attacks, and used it for data collection. Over a period of 731 days, our honeypot received 1.8 TB of traffic, containing nearly 20.7 billion requests, and was involved in more than 1.4 million DRDoS attacks, including over 13.7 thousand multiprotocol attacks. We describe several features of multiprotocol attacks and compare them to monoprotocol attacks that occurred in the same period, and characterize the carpet bombing attacks seen by our honeypot.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., Gritzalis, S.: DNS amplification attack revisited. Comput. Secur. 39, 475–485 (2013)

    Article  Google Scholar 

  2. Arteaga, J., Mejia, W.: CLDAP reflection DDoS, April 2017. https://bit.ly/3kqyIku

  3. Cimpanu, C.: The CoAP protocol is the next big thing for DDoS attacks. ZDNet, December 2018. https://zd.net/333hymy

  4. Cymru, T.: DNS research at Team Cymru (2020). http://dnsresearch.cymru.com/

  5. Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Internet Measurement Conference, pp. 435–448. ACM (2014)

    Google Scholar 

  6. DDoSMon: Insight into global DDoS threat landscape, April 2019. https://ddosmon.net/insight/

  7. Fachkha, C., Bou-Harb, E., Debbabi, M.: Inferring distributed reflection denial of service attacks from darknet. Comput. Commun. 62, 59–71 (2015)

    Article  Google Scholar 

  8. Jonker, M., King, A., Krupp, J., Rossow, C., Sperotto, A., Dainotti, A.: Millions of targets under attack: a macroscopic characterization of the DoS ecosystem. In: Internet Measurement Conference, pp. 100–113. ACM, New York (2017)

    Google Scholar 

  9. Krämer, L., et al.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_28

    Chapter  Google Scholar 

  10. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security Symposium (2014)

    Google Scholar 

  11. Majkowski, M.: Stupidly simple DDoS protocol (SSDP) generates 100 Gbps DDoS, June 2017. https://bit.ly/35lq2W0

  12. Majkowski, M.: Memcrashed - major amplification attacks from UDP port 11211, February 2018. https://bit.ly/2HvD4Ix

  13. Mansfield-Devine, S.: The growth and evolution of DDoS. Netw. Secur. 2015(10), 13–20 (2015)

    Article  Google Scholar 

  14. MaxMind: GeoLite2 database, October 2020. https://www.maxmind.com/

  15. McAuley, C.: Following the crumbs: deconstructing the CLDAP DDoS reflection attack, November 2016. https://bit.ly/3mgR08h

  16. Mertens, X.: Port scanners: the good and the bad, September 2015. https://bit.ly/3lQmFNF

  17. Nazario, J.: DDoS attack evolution. Netw. Secur. 2008(7), 7–10 (2008)

    Article  Google Scholar 

  18. NETSCOUT: CoAP attacks in the wild, January 2019. aSERT blog. https://bit.ly/2HqNxou

  19. NETSCOUT: Dawn of the terrorbit era. Threat intelligence report 2H 2018 (2019). https://www.netscout.com/

  20. NETSCOUT: Netscout threat intelligence report for the first half of 2020 (2020). https://bit.ly/3mh3Tzb

  21. NETSCOUT, Arbor: Insight into the global threat landscape, October 2017. Netscout Arbor’s 13th Annual Worldwide Infrastructure Security Report

    Google Scholar 

  22. Noroozian, A., Korczyński, M., Gañan, C.H., Makita, D., Yoshioka, K., van Eeten, M.: Who gets the boot? Analyzing victimization by DDoS-as-a-service. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds.) RAID 2016. LNCS, vol. 9854, pp. 368–389. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45719-2_17

    Chapter  Google Scholar 

  23. OpenNTP: OpenNTPProject.org - NTP Scanning Project (2020). http://openntpproject.org/

  24. Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)

    Article  Google Scholar 

  25. van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 449–460. ACM (2014)

    Google Scholar 

  26. Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Network and Distributed System Security Symposium (NDSS) (2014)

    Google Scholar 

  27. Rudman, L., Irwin, B.: Characterization and analysis of NTP amplification-based DDoS attacks. In: Information Security for South Africa (ISSA). IEEE (2015)

    Google Scholar 

  28. TCPDUMP: TCPDUMP/LIBPCAP public repository (2020). https://www.tcpdump.org/

  29. Thomas, D.R., Clayton, R., Beresford, A.R.: 1000 days of UDP amplification DDoS attacks. In: APWG Symposium on Electronic Crime Research (eCrime), pp. 79–84. IEEE (2017)

    Google Scholar 

Download references

Acknowledgments

We thank the anonymous reviewers and our shepherd Bradley Reaves, for their helpful comments in reviewing this paper. This research was supported by FAPESC and UDESC, and financed in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior – Brasil (CAPES) – Finance Code 001.

Author information

Authors and Affiliations

  1. Federal University of Paraná, Curitiba, Brazil

    Tiago Heinrich & Carlos A. Maziero

  2. Graduate Program in Applied Computing, UDESC, Joinville, Brazil

    Rafael R. Obelheiro

Authors
  1. Tiago Heinrich
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rafael R. Obelheiro
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Carlos A. Maziero
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Tiago Heinrich .

Editor information

Editors and Affiliations

  1. Brandenburg University of Technology (BTU), Cottbus, Germany

    Oliver Hohlfeld

  2. Telefonica Research, Barcelona, Spain

    Andra Lutu

  3. Iribe Center, University of Maryland, College Park, MD, USA

    Dave Levin

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Heinrich, T., Obelheiro, R.R., Maziero, C.A. (2021). New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science(), vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-72582-2_16

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-72581-5

  • Online ISBN: 978-3-030-72582-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation