
On Inferring and Characterizing Large-Scale Probing and DDoS Campaigns

Chapter in: Computer and Network Security Essentials

Abstract

The explosive growth, complexity, adoption, and dynamism of cyberspace over the last decade have radically altered the globe. A plethora of nations have been at the very forefront of this change, fully embracing the opportunities provided by advances in science and technology in order to fortify their economies and to increase the productivity of everyday life. However, this significant dependence on cyberspace has brought new risks that often compromise, exploit, and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, generating cyber threat intelligence related to probing/scanning and Distributed Denial of Service (DDoS) activities is an effective tactic to that end.

In this chapter, we investigate such malicious activities by uniquely analyzing real Internet-scale traffic targeting network telescopes or darknets, which are defined by routable, allocated yet unused Internet Protocol (IP) addresses. Specifically, we infer and characterize their independent events, and we address the problem of large-scale orchestrated campaigns, which usher in a new era of such stealthy and debilitating events. We conclude the chapter by highlighting research gaps that pave the way for future work.



Acknowledgements

The authors would like to acknowledge the computer security lab at Concordia University, Canada where most of the presented work was conducted. The authors are also grateful to the anonymous reviewers for their insightful comments and suggestions.

Corresponding author: Elias Bou-Harb.


Copyright information

© 2018 Springer International Publishing AG

About this chapter

Cite this chapter

Bou-Harb, E., Fachkha, C. (2018). On Inferring and Characterizing Large-Scale Probing and DDoS Campaigns. In: Daimi, K. (eds) Computer and Network Security Essentials. Springer, Cham. https://doi.org/10.1007/978-3-319-58424-9_26

  • DOI: https://doi.org/10.1007/978-3-319-58424-9_26
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-58423-2
  • Online ISBN: 978-3-319-58424-9