Abstract
We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic for a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-services mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
The idea behind this is to imprint a unique fingerprint on each scanner. Letting each scanner find 24 IP addresses maximizes the total number of fingerprints.
- 4.
To avoid unintentionally advertising booter services covered in this study, we replace the name of booter services by the first three letters of their domain name. The last letter is replaced by a number in the case of name collisions.
- 5.
To account for fluctuation in TTLs due to route changes, we apply smoothing to the histograms using a binomial kernel of width 6, which corresponds to a standard deviation of \(\sigma \approx 1.22\).
- 6.
This effectively provides the entire confusion matrix for each experiment.
- 7.
Results for CharGen and SSDP can be found in Sect. A.1.
References
The Spoofer Project. http://spoofer.cmand.org
Backes, M., Holz, T., Rossow, C., Rytilahti, T., Simeonovski, M., Stock, B.: On the feasibility of TTL-based filtering for DRDoS mitigation. In: Proceedings of the 19th International Symposium on Research in Attacks, Intrusions and Defenses (2016)
Bethencourt, J., Franklin, J., Vernon, M.: Mapping internet sensors with probe response attacks. In: Proceedings of the 14th Conference on USENIX Security Symposium (2005)
Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Proceedings of the Internet Measurement Conference 2014. ACM (2014)
Gilad, Y., Goberman, M., Herzberg, A., Sudkovitch, M.: CDN-on-Demand: an affordable DDoS defense via untrusted clouds. In: Proceedings of NDSS 2016 (2016)
Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: LEET (2013)
Karami, M., Park, Y., McCoy, D.: Stress testing the booters: understanding and undermining the business of DDoS services. In: World Wide Web Conference (WWW). ACM (2016)
Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., Rossow, C.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). doi:10.1007/978-3-319-26362-5_28
Kreibich, C., Warfield, A., Crowcroft, J., Hand, S., Pratt, I.: Using packet symmetry to curtail malicious traffic. In: Proceedings of the 4th Workshop on Hot Topics in Networks (Hotnets-VI) (2005)
Krupp, J., Backes, M., Rossow, C.: Identifying the scan and attack infrastructures behind amplification DDoS attacks. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS) (2016)
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? reducing the impact of amplification DDoS attacks. In: Proceedings of the 23rd USENIX Security Symposium (2014)
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Hell of a handshake: abusing TCP for reflective amplification DDoS attacks. In: Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT 2014) (2014)
A. Networks. Worldwide Infrastructure Security Report (2015). https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf
Ferguson, P., Senie, D.: BCP 38 on Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (2000). http://tools.ietf.org/html/bcp.38
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. Comput. Commun. Rev. (2001)
Perrig, A., Song, D., Yaar, A.: StackPi: A New Defense Mechanism against IP Spoofing and DDoS Attacks. Technical report (2003)
Prince, M.: The DDoS That Almost Broke the Internet (2013). https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of NDSS 2014 (2014)
Santanna, J., Durban, R., Sperotto, A., Pras, A.: Inside booters: an analysis on operational databases. In: 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015)
Santanna, J.J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L.Z., Pras, A.: Booters - an analysis of DDoS-As-a-Service attacks. In: 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015)
Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: ACM SIGCOMM Computer Communication Review, vol. 30. ACM (2000)
Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-based IP traceback. In: ACM SIGCOMM Computer Communication Review, vol. 31. ACM (2001)
Song, D.X., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies. IEEE (2001)
Sun, X., Torres, R., Rao, S.: DDoS attacks by subverting membership management in P2P systems. In: Proceedings of the 3rd IEEE Workshop on Secure Network Protocols (NPSec) (2007)
Sun, X., Torres, R., Rao, S.: On the feasibility of exploiting P2P systems to launch DDoS attacks. J. Peer-to-Peer Networking Appl. 3 (2010)
van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks - a comprehensive measurement study. In: Proceedings of the Internet Measurement Conference 2014. ACM (2014)
Wang, A., Mohaisen, A., Chang, W., Chen, S.: Capturing DDoS attack dynamics behind the scenes. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 205–215. Springer, Cham (2015). doi:10.1007/978-3-319-20550-2_11
Wang, X., Reiter, M.K.: Mitigating bandwidth-exhaustion attacks using congestion puzzles. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS) (2004)
Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS botnets. In: Proceedings of the 7th European Workshop on Systems Security (EuroSec) (2014)
Yaar, A., Perrig, A., Song, D.: Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of the IEEE Symposium on Security and Privacy (S&P) (2003)
Acknowledgements
This work was supported in part by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) under grant 16KIS0656, by the European Union’s Horizon 2020 research and innovation program under grant agreement No. 700176, by the US National Science Foundation under grant 1619620, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
1 Electronic supplementary material
Below is the link to the electronic supplementary material.
A Appendix
A Appendix
1.1 A.1 Additional Experimental Results
Table 5 shows our experimental results for victim-driven attribution for CharGen (precision 92.86%, recall 89.24%) and SSDP (precision 92.15%, recall 81.41%).
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Krupp, J., Karami, M., Rossow, C., McCoy, D., Backes, M. (2017). Linking Amplification DDoS Attacks to Booter Services. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science(), vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_19
Download citation
DOI: https://doi.org/10.1007/978-3-319-66332-6_19
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66331-9
Online ISBN: 978-3-319-66332-6
eBook Packages: Computer ScienceComputer Science (R0)