
Measuring and Analyzing Trends in Recent Distributed Denial of Service Attacks

  • Conference paper
Information Security Applications (WISA 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10144)

Abstract

Internet DDoS attacks are prevalent but hard to defend against, partially due to the volatility of the attacking methods and patterns used by attackers. Understanding the latest DDoS attacks can provide new insights for effective defense. But most existing understanding is based on indirect traffic measures (e.g., backscatter) or traffic seen locally (e.g., in an ISP or from a botnet). In this study, we present an in-depth study based on 50,704 different Internet DDoS attacks directly observed in a seven-month period. These attacks were launched by 674 botnets from 23 different botnet families with a total of 9026 victim IPs belonging to 1074 organizations in 186 countries. In this study, we conduct some initial analysis mainly from the perspectives of these attacks’ targets and sources. Our analysis reveals several interesting findings about today’s Internet DDoS attacks. Some highlights include: (1) while 40% of the targets were attacked only once, 20% of the targets were attacked more than 100 times, (2) most of the attacks are not massive in terms of the number of participating nodes but they often last long, and (3) most of these attacks are not widely distributed, but rather highly regionalized. These findings add to the existing literature on the understanding of today’s Internet DDoS attacks, and offer new insights for designing effective defense schemes at different levels.

Acknowledgement

We would like to thank anonymous reviewers for their comments. This work was supported in part by an ARO grant W911NF-15-1-0262, NSF grant CNS-1524462, and the Global Research Lab. (GRL) Program of the National Research Foundation (NRF) funded by Ministry of Science, ICT (Information and Communication Technologies) and Future Planning (NRF-2016K1A1A2912757).

Author information

Corresponding author

Correspondence to An Wang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Wang, A., Mohaisen, A., Chang, W., Chen, S. (2017). Measuring and Analyzing Trends in Recent Distributed Denial of Service Attacks. In: Choi, D., Guilley, S. (eds) Information Security Applications. WISA 2016. Lecture Notes in Computer Science, vol 10144. Springer, Cham. https://doi.org/10.1007/978-3-319-56549-1_2

  • DOI: https://doi.org/10.1007/978-3-319-56549-1_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-56548-4

  • Online ISBN: 978-3-319-56549-1

  • eBook Packages: Computer Science, Computer Science (R0)
