Abstract
For many years, Distributed Denial-of-Service (DDoS) attacks have been known to be a threat to Internet services. Recently, a configuration flaw in NTP daemons led to attacks with traffic rates of several hundred Gbit/s. In those attacks a third party, the amplifier, is used to significantly increase the volume of traffic reflected to the victim. Recent research has revealed further UDP-based protocols that are vulnerable to amplification attacks. Detecting such attacks from the point of view of an abused amplifier network has only rarely been investigated.
In this work we identify novel properties that characterize amplification attacks and allow the illegitimate use of arbitrary services to be identified, independent of the protocol being abused.
Their suitability for amplification attack detection is evaluated in large high-speed research networks. We show that our approach is fully capable of detecting attacks that have already been seen in the wild, as well as attacks we conducted ourselves by exploiting newly discovered vulnerabilities.
© 2015 IFIP International Federation for Information Processing
Böttger, T., Braun, L., Gasser, O., von Eye, F., Reiser, H., Carle, G. (2015). DoS Amplification Attacks – Protocol-Agnostic Detection of Service Abuse in Amplifier Networks. In: Steiner, M., Barlet-Ros, P., Bonaventure, O. (eds.) Traffic Monitoring and Analysis. TMA 2015. Lecture Notes in Computer Science, vol. 9053. Springer, Cham. https://doi.org/10.1007/978-3-319-17172-2_14
DOI: https://doi.org/10.1007/978-3-319-17172-2_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17171-5
Online ISBN: 978-3-319-17172-2
eBook Packages: Computer Science, Computer Science (R0)