A review of amplification-based distributed denial of service attacks and their mitigation

Abstract

The rise of Distributed Denial of Service (DDoS) attacks have been steady in terms of the frequency and the impact of the attack. Traditionally, the attackers required control of a huge amount of resources to launch an attack. This has changed with the use of reflectors and amplifiers in DDoS attacks. A recent shift consisted of using other protocols than the traditional NTP and DNS protocols which were heavily used for ADDoS. In this paper, we review and organize amplification-based DDoS (ADDoS) attacks and associated countermeasures into a new taxonomy. Furthermore, we present a modus operandi of ADDoS attacks and analyze how it differs from traditional DDoS attacks. We also investigate how accessible ADDoS are for attackers with average resources. We survey readily available open-source scripts on GitHub and also the ADDoS features available in hire-to-DDoS platforms. We believe that accessibility and low-cost of hire-to-DDoS platforms are the major reasons for the increase of amplification-based DDoS attacks. Lastly, we provide a list of future directions that might be interesting for the community to focus on.

Introduction

The ability to perform distributed Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks to halt services on the Internet has been on the rise in recent years (Khalimonenko Alexander et al., 2018). Individuals with little effort and minimal cost can launch gigabytes of data using simple web interfaces provided by DDoS-for-hire services. To make attacks even easier, some of these services provide mobile applications to their customers (Google Play Store, 2018). Huge attacks launched by individuals with minimal technical knowledge and financial resources from user-friendly platforms is a current trend, according to Kaspersky (Makrushin Denis, 2017).

One of the recent and prominent methods of DDoS attacks is the Amplification-based DDoS (ADDoS). The recent 1.3 Tbps “memcached” reflection attack was an ADDoS example (Akamai, 2018). The size of the reflection attacks continues to grow due to the ability to use reflectors and amplifiers, resulting in more severe damage. The Network Security Labs at 360’s famous DDoSMon tool reported a surge of increase in memcached UDP amplifiers and reflector as shown in Fig. 1 (Yang, 2018).

In 2018, US based Security Company Cybereason reported that attackers embedded short ransom note and payment address details into the junk traffic of memcached servers (Krebsonsecurity, 2018). This makes it evident that the motive of amplification-based DDoS attacks range from taking down a competitor to severe crimes like extortion. The ransom note is shown in Fig. 2.

The impact of amplification-based DDoS attacks are even worse when the target resides on the Cloud. Economic Denial of Sustainability (EDoS), aka Fraudulent Resource Consumption (FRC), is a completely new type of DDoS attacks that targets cloud-hosted victims (Naresh Kumar, Sujatha, Kalva, Nagori, Katukojwala, Kumar, 2012, Vivinsandar, 2012). The Cloud’s resources are set to auto-scale up and down to manage cost effectively based on the requirements. DDoS attack’s potential effect would first and foremost lead to increasing usage of more resources in the Cloud (due to auto scaling), which in turn will increase the cost of the owner of the Cloud. Larger attacks can lead to a point of unavailability of services.

Modern botnets are not limited of personal computers, but include also handheld and IoT devices to increase their generated traffic (Akamai, 2021). Akamai released their report showing various headlines that caused serious disruption based on IoT devices. All of them such as Mirai, XOR and Spike were more than 300 Gbps, which indicates the trend in the volume of attack as shown in Fig. 3 (Akamai, 2021). We focus on understanding the major difference between a traditional and amplified DDoS attack in the next section.

Our contributions in this paper are as follows:

• While several surveys reviewed DoS and DDoS attack and defense mechanisms, only few focused on Amplification-based DDoS (ADDoS). We provide an up-to-date survey of amplification-based DDoS attack.

• We categorize notable ADDoS work and provide a new taxonomy for better understanding the subject and its’ complexities.

• Using the existing literature, we derive a 4-step methodology that ADDoS attackers follow in order to perform ADDoS.

• We survey readily available open source scripts that could be used to launch an ADDoS. Furthermore, we investigate some of the DDoS tools available online which have amplification-based attacks as a feature in them. Both the free scripts and the cheap DDoS tools (with amplification attack feature) sheds light into the ease of launching an ADDoS attack. We show that the ease of launching an ADDoS attack is a significant factor in the rise of of amplification-based attacks.

The rest of this paper is organized as follows: Section 2 reviews how traditional DDoS attacks are carried out and discusses how those attacks can be carried on or from the cloud. Section 3 focuses on understanding the fundamentals of ADDoS and how an attack is initiated by an attacker. Section 4 analyzes the work done in the area and provides a taxonomy of ADDoS based on attack and countermeasures. Section 5 reviews the accessibility of ADDoS in terms of availability of resource and the cost of carrying out an attack. Finally, Section 6 concludes the paper with the major research direction that we were able to derive.