Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks
Title | Identifying the Scan and Attack Infrastructures Behind Amplification DDoS Attacks |
Publication Type | Conference Paper |
Year of Publication | 2016 |
Authors | Krupp, Johannes, Backes, Michael, Rossow, Christian |
Conference Name | Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security |
Date Published | October 2016 |
Publisher | ACM |
Conference Location | New York, NY, USA |
ISBN Number | 978-1-4503-4139-4 |
Keywords | amplification denial-of-service, attribution, honey pots, honeypots, Human Behavior, network scanner, pubcrawl, Resiliency, Scalability, selective response |
Abstract | Amplification DDoS attacks have gained popularity and become a serious threat to Internet participants. However, little is known about where these attacks originate, and revealing the attack sources is a non-trivial problem due to the spoofed nature of the traffic. In this paper, we present novel techniques to uncover the infrastructures behind amplification DDoS attacks. We follow a two-step approach to tackle this challenge: First, we develop a methodology to impose a fingerprint on scanners that perform the reconnaissance for amplification attacks that allows us to link subsequent attacks back to the scanner. Our methodology attributes over 58% of attacks to a scanner with a confidence of over 99.9%. Second, we use Time-to-Live-based trilateration techniques to map scanners to the actual infrastructures launching the attacks. Using this technique, we identify 34 networks as being the source for amplification attacks at 98% certainty. |
URL | https://dl.acm.org/doi/10.1145/2976749.2978293 |
DOI | 10.1145/2976749.2978293 |
Citation Key | krupp_identifying_2016 |