DoS Amplification Attacks – Protocol-Agnostic Detection of Service Abuse in Amplifier Networks

  • Timm Böttger
  • Lothar Braun
  • Oliver Gasser
  • Felix von Eye
  • Helmut Reiser
  • Georg Carle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9053)

Abstract

For many years, Distributed Denial-of-Service (DDoS) attacks have been known to be a threat to Internet services. Recently, a configuration flaw in NTP daemons led to attacks with traffic rates of several hundred Gbit/s. In such attacks a third party, the amplifier, is used to significantly increase the volume of traffic reflected to the victim. Recent research revealed more UDP-based protocols that are vulnerable to amplification attacks. Detecting such attacks from the point of view of the abused amplifier network has only rarely been investigated.

In this work we identify novel properties that characterize amplification attacks and allow the illegitimate use of arbitrary services to be identified.

Their suitability for amplification attack detection is evaluated in large high-speed research networks. We prove that our approach is fully capable of detecting attacks that were already seen in the wild, as well as attacks we conducted ourselves by exploiting newly discovered vulnerabilities.
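The abstract frames detection from the amplifier network's own vantage point, where the abused service sees small requests arrive and large responses leave. The following added example (not the paper's method or code) illustrates that viewpoint with a protocol-agnostic check over constructed flow records: it pairs inbound requests with outbound responses per external peer and service port without inspecting payloads, and flags peers that receive far more bytes than they sent. The flow-record layout, the 10.0.0.0/8 local prefix, the addresses and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records as a border router of an amplifier network might export them:
# (src_ip, src_port, dst_ip, dst_port, packets, bytes). 10.0.0.0/8 is the local network here.
LOCAL_PREFIX = "10."
FLOWS = [
    # ordinary NTP client: 48-byte requests, 48-byte answers
    ("198.51.100.7", 40000, "10.1.1.1", 123, 3, 144),
    ("10.1.1.1", 123, "198.51.100.7", 40000, 3, 144),
    # ordinary DNS client: modest amplification, tiny volume
    ("198.51.100.8", 53011, "10.1.1.2", 53, 2, 120),
    ("10.1.1.2", 53, "198.51.100.8", 53011, 2, 300),
    # requests carrying a spoofed (victim) source: many small requests, huge reflected volume
    ("203.0.113.9", 123, "10.1.1.1", 123, 1000, 8000),
    ("10.1.1.1", 123, "203.0.113.9", 123, 1000, 4_400_000),
]

def pair_flows(flows, local_prefix=LOCAL_PREFIX):
    """Aggregate inbound requests and outbound responses per (external peer, local service port).
    No payload is inspected, so the same logic applies to any UDP service."""
    stats = defaultdict(lambda: {"req_pkts": 0, "req_bytes": 0, "resp_pkts": 0, "resp_bytes": 0})
    for src, sport, dst, dport, pkts, nbytes in flows:
        if dst.startswith(local_prefix) and not src.startswith(local_prefix):
            s = stats[(src, dport)]            # request arriving at the local service
            s["req_pkts"] += pkts
            s["req_bytes"] += nbytes
        elif src.startswith(local_prefix) and not dst.startswith(local_prefix):
            s = stats[(dst, sport)]            # response leaving the local service
            s["resp_pkts"] += pkts
            s["resp_bytes"] += nbytes
    return stats

def amplification_factor(s):
    """Bytes sent back per byte received; a peer that only receives traffic has no finite factor."""
    return s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")

def suspicious_peers(flows, min_factor=10.0, min_resp_bytes=1_000_000):
    """Flag peers whose reflected volume is both large in absolute terms and far larger
    than what they sent. Both thresholds are illustrative assumptions, not values from the paper."""
    hits = []
    for (peer, port), s in pair_flows(flows).items():
        factor = amplification_factor(s)
        if factor >= min_factor and s["resp_bytes"] >= min_resp_bytes:
            hits.append((peer, port, round(factor, 1), s["resp_bytes"]))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for peer, port, factor, vol in suspicious_peers(FLOWS):
        print(f"peer {peer}, service port {port}: factor {factor}x, {vol} bytes reflected")
```

Only the peer with the spoofed source is reported; the NTP client (factor 1.0) and the DNS client (factor 2.5, a few hundred bytes) stay below both thresholds.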

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Timm Böttger (1, corresponding author)
  • Lothar Braun (1)
  • Oliver Gasser (1)
  • Felix von Eye (2)
  • Helmut Reiser (2)
  • Georg Carle (1)

  1. Technische Universität München, Munich, Germany
  2. Leibniz Supercomputing Centre, Munich, Germany