AmpPot: Monitoring and Defending Against Amplification DDoS Attacks

  • Lukas Krämer
  • Johannes Krupp
  • Daisuke Makita
  • Tomomi Nishizoe
  • Takashi Koide
  • Katsunari Yoshioka
  • Christian RossowEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9404)


The recent amplification DDoS attacks have swamped victims with huge loads of undesired traffic, sometimes even exceeding hundreds of Gbps attack bandwidth. We analyze these amplification attacks in more detail. First, we inspect the reconnaissance step, i.e., how both researchers and attackers scan for amplifiers that are open for abuse. Second, we design AmpPot, a novel honeypot that tracks amplification attacks. We deploy 21 honeypots to reveal previously-undocumented insights about the attacks. We find that the vast majority of attacks are short-lived and most victims are attacked only once. Furthermore, 96 % of the attacks stem from single sources, which is also confirmed by our detailed analysis of four popular Linux-based DDoS botnets.


Destination Port Game Server Attack Traffic Attack Packet Attack Source 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34, 39–53 (2004)CrossRefGoogle Scholar
  2. 2.
    Specht, S.M., Lee, R.B.: Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: Proceedings of the International Conference on Parallel and Distributed Computing (and Communications) Systems (ISCA PDCS), San Francisco, CA (2004)Google Scholar
  3. 3.
    Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)CrossRefGoogle Scholar
  4. 4.
    Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of the 2014 Network and Distributed System Security (NDSS) Symposium (2014)Google Scholar
  5. 5.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: Proceedings of the 22nd USENIX Security Symposium, Washington, D.C., USA (2013)Google Scholar
  6. 6.
  7. 7.
    Graham, R.D.: MASSCAN: mass IP port scanner (2014).
  8. 8.
    Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: Proceedings of the 23rd USENIX Security Symposium (2014)Google Scholar
  9. 9.
    Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS botnets. In: Proceedings of the 7th European Workshop on Systems Security (EuroSec) (2014)Google Scholar
  10. 10.
    Santanna, J., Durban, R., Sperotto, A., Pras, A.: Inside booters: an analysis on operational databases. In: 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015)Google Scholar
  11. 11.
    Urakawa, J., Sawaya, Y., Yamada, A., Kubota, A., Makita, D., Yoshioka, K., Matsumoto, T.: An early scale estimation of DRDoS attack monitoring honeypot traffic. In: Proceedings of the 32nd Symposium on Cryptography and Information Security (2015)Google Scholar
  12. 12.
    Büscher, A., Holz, T.: Tracking DDoS attacks: insights into the business of disrupting the web. In: Proceedings of the 5th USENIX LEET, San Jose, CA, USA (2012)Google Scholar
  13. 13.
    Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 435–448. ACM (2014)Google Scholar
  14. 14.
    van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks - a comprehensive measurement study. In: Proceedings of the Internet Measurement Conference 2014, Vancouver, BC, Canada. ACM Press (2014)Google Scholar
  15. 15.
    Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: Presented as part of the 6th USENIX Workshop on Large-Scale Exploits and Emergent Threats (2013)Google Scholar
  16. 16.
    Provos, N., Holz, T.: Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Pearson Education, New Delhi (2007)Google Scholar
  17. 17.
    Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F.C.: The nepenthes platform: an efficient approach to collect malware. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 165–184. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  18. 18.
    Kreibich, C., Crowcroft, J.: Honeycomb: creating intrusion detection signatures using honeypots. ACM SIGCOMM Comput. Commun. Rev. 34, 51–56 (2004)CrossRefGoogle Scholar
  19. 19.
    Nazario, J.: PhoneyC: A virtual client honeypot. In: Proceedings of USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET) (2009)Google Scholar
  20. 20.
    Durumeric, Z., Bailey, M., Halderman, J.A.: An internet-wide view of internet-wide scanning. In: USENIX Security Symposium (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Lukas Krämer
    • 1
  • Johannes Krupp
    • 1
  • Daisuke Makita
    • 2
    • 3
  • Tomomi Nishizoe
    • 2
  • Takashi Koide
    • 2
  • Katsunari Yoshioka
    • 2
  • Christian Rossow
    • 1
    Email author
  1. 1.CISPASaarland UniversitySaarbrückenGermany
  2. 2.Yokohama National UniversityYokohamaJapan
  3. 3.National Institute of Information and Communications TechnologyKoganeiJapan

Personalised recommendations