DOI: 10.1145/3278681.3278701

Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): a postmortem analysis of the memcached attack on the SANReN

Published: 26 September 2018

Abstract

Distributed Denial of Service (DDoS) attacks cause significant disruption to critical networks within South Africa. Timely detection and mitigation are a key concern for the SANReN Cyber Security Incident Response Team (CSIRT). This paper presents an analysis of the Memcached reflection DDoS attack that occurred in February 2018. The attack was the largest DDoS attack to date. By analysing the attack and the impact it had on the SANReN network, this paper aims to show how network flow data can be used to detect network attacks and to perform post-attack analysis to prevent future network attacks. The attack timeline is divided into three main phases: pre-attack, peak attack period and post-attack residue.


Cited By

  • (2024) Utilisation of a Virtual Honeynet to Proactively Secure the South African National Research and Education Network Against Cyberattacks. South African Computer Science and Information Systems Research Trends. 10.1007/978-3-031-64881-6_24 (404-420). Online publication date: 8 Jul 2024
  • (2022) An Anomaly Detection Method of Time Series Data for Cyber-Physical Integrated Energy System Based on Time-Frequency Feature Prediction. Energies. 10.3390/en15155565, 15:15 (5565). Online publication date: 31 Jul 2022
  • (2021) DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks. Passive and Active Measurement. 10.1007/978-3-030-72582-2_17 (284-301). Online publication date: 30 Mar 2021

Published In

SAICSIT '18: Proceedings of the Annual Conference of the South African Institute of Computer Scientists and Information Technologists
September 2018
362 pages
ISBN: 9781450366472
DOI: 10.1145/3278681
© 2018 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. national infrastructure
  2. network attack analysis
  3. network monitoring

Qualifiers

  • Research-article

Conference

SAICSIT '18

Acceptance Rates

Overall Acceptance Rate: 187 of 439 submissions, 43%
