Abstract
Internet DDoS attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most existing understanding is based on indirect traffic measures (e.g., backscatters) or traffic seen locally (e.g., in an ISP or from a botnet). In this work, we present an in-depth study based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9026 victim IPs belonging to 1074 organizations in 186 countries. We conduct some initial analysis, mainly from the perspectives of these attacks' targets and sources. Our analysis reveals several interesting findings about today's Internet DDoS attacks. Some highlights include: (1) while 40% of the targets were attacked only once, 20% of the targets were attacked more than 100 times, (2) most of the attacks are not massive in terms of the number of participating nodes, but they often last long, and (3) most of these attacks are not widely distributed, but rather highly regionalized. These findings add to the existing literature on the understanding of today's Internet DDoS attacks, and offer new insights for designing effective defense schemes at different levels.
Acknowledgement
We would like to thank anonymous reviewers for their comments. This work was supported in part by an ARO grant W911NF-15-1-0262, NSF grant CNS-1524462, and the Global Research Lab. (GRL) Program of the National Research Foundation (NRF) funded by Ministry of Science, ICT (Information and Communication Technologies) and Future Planning (NRF-2016K1A1A2912757).
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Wang, A., Mohaisen, A., Chang, W., Chen, S. (2017). Measuring and Analyzing Trends in Recent Distributed Denial of Service Attacks. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_2
DOI: https://doi.org/10.1007/978-3-319-56549-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56548-4
Online ISBN: 978-3-319-56549-1
eBook Packages: Computer Science (R0)