
Linking Amplification DDoS Attacks to Booter Services

Part of the Lecture Notes in Computer Science book series (LNSC, volume 10453)

Abstract

We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic of a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground-truth attack-to-service mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.
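The abstract describes the attribution step only at a high level: an observed attack is compared with ground-truth attacks whose launching service is known, and the k nearest ones vote. The following is an added example, not code from the paper or its authors, of that k-NN attribution over reflector sets. The distance function (Jaccard distance between reflector sets), k = 3, the distance threshold that leaves poorly matching attacks unattributed, the placeholder service labels and the reflector sets (addresses from the 198.51.100.0/24 documentation range) are all assumptions made for this illustration; the paper's own feature set and metric are not reproduced here.

```python
from collections import Counter


def refl(*hosts):
    """Constructed reflector set: host numbers in the 198.51.100.0/24
    documentation range (TEST-NET-2), so no real amplifier is named."""
    return frozenset(f"198.51.100.{h}" for h in hosts)


# Constructed stand-in for the paper's ground truth: each entry is the reflector
# set seen during one self-attack, labelled with the service that was ordered.
# "SVC-A"/"SVC-B" are placeholder labels, not real booter names.
TRAINING = [
    (refl(1, 2, 3, 4, 5), "SVC-A"),
    (refl(1, 2, 3, 4, 6), "SVC-A"),
    (refl(2, 3, 4, 5, 7), "SVC-A"),
    (refl(20, 21, 22, 23, 24), "SVC-B"),
    (refl(20, 21, 22, 25, 26), "SVC-B"),
    (refl(21, 22, 23, 24, 27), "SVC-B"),
]


def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|: 0.0 for identical reflector sets, 1.0 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def knn_attribute(reflectors, training=TRAINING, k=3, max_distance=0.5):
    """Attribute one observed attack by majority vote of its k nearest
    ground-truth attacks. Returns None (unattributed) when the nearest neighbour
    is further away than max_distance or no label wins a strict majority; the
    threshold is what trades recall for precision."""
    ranked = sorted(training, key=lambda entry: jaccard_distance(reflectors, entry[0]))
    nearest = ranked[:k]
    if not nearest or jaccard_distance(reflectors, nearest[0][0]) > max_distance:
        return None
    label, votes = Counter(lbl for _, lbl in nearest).most_common(1)[0]
    return label if votes * 2 > len(nearest) else None


def precision_recall(predictions, truth):
    """Precision over the attacks that received a label; recall over all attacks.
    A None prediction counts as a missed attribution (lowers recall only)."""
    labelled = [(p, t) for p, t in zip(predictions, truth) if p is not None]
    correct = sum(1 for p, t in labelled if p == t)
    precision = correct / len(labelled) if labelled else 0.0
    recall = correct / len(truth) if truth else 0.0
    return precision, recall


if __name__ == "__main__":
    # Constructed honeypot observations: a close match, a weak match, a stranger.
    observed = [refl(1, 2, 3, 4, 8), refl(20, 21, 22, 9, 10), refl(40, 41, 42, 43, 44)]
    for attack in observed:
        print(sorted(attack)[:2], "->", knn_attribute(attack))
```

With the default threshold the second attack stays unattributed although its three nearest neighbours all belong to SVC-B; raising `max_distance` to 0.6 attributes it. That is the precision/recall trade-off the abstract reports: a strict threshold keeps wrong labels rare at the cost of leaving a large share of attacks unattributed.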


Notes

  1. Our ethical framework for these measurements is based on previous studies that have used this methodology [7, 20].

  2. To put this into perspective: previous studies of these booters have shown that they have thousands of paid subscribers and generate revenues of over $10,000 per month [7, 19].

  3. The idea behind this is to imprint a unique fingerprint on each scanner. Letting each scanner find 24 IP addresses maximizes the total number of fingerprints.

  4. To avoid unintentionally advertising booter services covered in this study, we replace the name of each booter service by the first three letters of its domain name. The last letter is replaced by a number in the case of name collisions.

  5. To account for fluctuation in TTLs due to route changes, we apply smoothing to the histograms using a binomial kernel of width 6, which corresponds to a standard deviation of \(\sigma \approx 1.22\).

  6. This effectively provides the entire confusion matrix for each experiment.

  7. Results for CharGen and SSDP can be found in Sect. A.1.
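Note 5 states that TTL histograms are smoothed with a binomial kernel of width 6 before comparison, giving \(\sigma \approx 1.22\). The following added example (not code from the paper) works that through: it builds the kernel, checks that its standard deviation is \(\sqrt{6}/2 \approx 1.2247\), and shows why the smoothing matters by comparing two histograms of the same reflector before and after a one-hop route change. The reading of "width 6" as n = 6 (seven taps), the zero-padded convolution, the total-variation distance and the constructed TTL samples are assumptions of this illustration, not the paper's exact procedure.

```python
from math import comb, sqrt


def binomial_kernel(width=6):
    """Normalised binomial kernel: width+1 taps with weights C(width, i) / 2**width.
    Assumption: the footnote's 'width 6' means n = 6 (seven taps); this is the
    reading that reproduces the quoted sigma of about 1.22."""
    return [comb(width, i) / 2 ** width for i in range(width + 1)]


def kernel_std(weights):
    """Standard deviation of a symmetric kernel, measured in bins from its centre tap."""
    centre = (len(weights) - 1) / 2
    return sqrt(sum(w * (i - centre) ** 2 for i, w in enumerate(weights)))


def ttl_histogram(ttls, bins=256):
    """Count how many packets arrived with each IP TTL value (0..255)."""
    hist = [0] * bins
    for ttl in ttls:
        hist[ttl] += 1
    return hist


def smooth_histogram(hist, kernel):
    """Convolve the histogram with the kernel, dropping mass that would fall
    outside the TTL range. A packet whose TTL moved one or two hops after a
    route change now also contributes to the neighbouring bins."""
    half = len(kernel) // 2
    out = [0.0] * len(hist)
    for ttl, count in enumerate(hist):
        if count:
            for j, w in enumerate(kernel):
                idx = ttl + j - half
                if 0 <= idx < len(hist):
                    out[idx] += count * w
    return out


def histogram_distance(h1, h2):
    """Total-variation distance between two histograms normalised to unit mass:
    0.0 for identical shapes, 1.0 for no overlap at all."""
    m1, m2 = sum(h1), sum(h2)
    if m1 == 0 or m2 == 0:
        return 1.0
    return 0.5 * sum(abs(a / m1 - b / m2) for a, b in zip(h1, h2))


if __name__ == "__main__":
    kernel = binomial_kernel(6)
    before = ttl_histogram([52] * 100)  # constructed: one reflector, first capture
    after = ttl_histogram([53] * 100)   # constructed: same reflector, one hop longer
    print("sigma =", round(kernel_std(kernel), 4))
    print("raw distance =", histogram_distance(before, after))
    print("smoothed distance =",
          histogram_distance(smooth_histogram(before, kernel),
                             smooth_histogram(after, kernel)))
```

Without smoothing the two captures have no overlapping bin and score the maximum distance of 1.0; after smoothing with the width-6 kernel the distance drops to 0.3125, so a one-hop shift no longer makes the same reflector look like a different one.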

References

  1. The Spoofer Project. http://spoofer.cmand.org

  2. Backes, M., Holz, T., Rossow, C., Rytilahti, T., Simeonovski, M., Stock, B.: On the feasibility of TTL-based filtering for DRDoS mitigation. In: Proceedings of the 19th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) (2016)

  3. Bethencourt, J., Franklin, J., Vernon, M.: Mapping internet sensors with probe response attacks. In: Proceedings of the 14th USENIX Security Symposium (2005)

  4. Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: Taming the 800 pound gorilla: the rise and decline of NTP DDoS attacks. In: Proceedings of the Internet Measurement Conference 2014. ACM (2014)

  5. Gilad, Y., Goberman, M., Herzberg, A., Sudkovitch, M.: CDN-on-Demand: an affordable DDoS defense via untrusted clouds. In: Proceedings of NDSS 2016 (2016)

  6. Karami, M., McCoy, D.: Understanding the emerging threat of DDoS-as-a-service. In: LEET (2013)

  7. Karami, M., Park, Y., McCoy, D.: Stress testing the booters: understanding and undermining the business of DDoS services. In: World Wide Web Conference (WWW). ACM (2016)

  8. Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., Rossow, C.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). doi:10.1007/978-3-319-26362-5_28

  9. Kreibich, C., Warfield, A., Crowcroft, J., Hand, S., Pratt, I.: Using packet symmetry to curtail malicious traffic. In: Proceedings of the 4th Workshop on Hot Topics in Networks (HotNets-IV) (2005)

  10. Krupp, J., Backes, M., Rossow, C.: Identifying the scan and attack infrastructures behind amplification DDoS attacks. In: Proceedings of the 23rd ACM Conference on Computer and Communications Security (CCS) (2016)

  11. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? Reducing the impact of amplification DDoS attacks. In: Proceedings of the 23rd USENIX Security Symposium (2014)

  12. Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Hell of a handshake: abusing TCP for reflective amplification DDoS attacks. In: Proceedings of the 8th USENIX Workshop on Offensive Technologies (WOOT 2014) (2014)

  13. Arbor Networks: Worldwide Infrastructure Security Report (2015). https://www.arbornetworks.com/images/documents/WISR2016_EN_Web.pdf

  14. Ferguson, P., Senie, D.: BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (2000). http://tools.ietf.org/html/bcp.38

  15. Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. Comput. Commun. Rev. (2001)

  16. Perrig, A., Song, D., Yaar, A.: StackPi: a new defense mechanism against IP spoofing and DDoS attacks. Technical report (2003)

  17. Prince, M.: The DDoS that almost broke the Internet (2013). https://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet/

  18. Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of NDSS 2014 (2014)

  19. Santanna, J., Durban, R., Sperotto, A., Pras, A.: Inside booters: an analysis on operational databases. In: 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015)

  20. Santanna, J.J., van Rijswijk-Deij, R., Hofstede, R., Sperotto, A., Wierbosch, M., Granville, L.Z., Pras, A.: Booters: an analysis of DDoS-as-a-service attacks. In: 14th IFIP/IEEE International Symposium on Integrated Network Management (IM) (2015)

  21. Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: ACM SIGCOMM Computer Communication Review, vol. 30. ACM (2000)

  22. Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-based IP traceback. In: ACM SIGCOMM Computer Communication Review, vol. 31. ACM (2001)

  23. Song, D.X., Perrig, A.: Advanced and authenticated marking schemes for IP traceback. In: Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM). IEEE (2001)

  24. Sun, X., Torres, R., Rao, S.: DDoS attacks by subverting membership management in P2P systems. In: Proceedings of the 3rd IEEE Workshop on Secure Network Protocols (NPSec) (2007)

  25. Sun, X., Torres, R., Rao, S.: On the feasibility of exploiting P2P systems to launch DDoS attacks. J. Peer-to-Peer Networking Appl. 3 (2010)

  26. van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the Internet Measurement Conference 2014. ACM (2014)

  27. Wang, A., Mohaisen, A., Chang, W., Chen, S.: Capturing DDoS attack dynamics behind the scenes. In: Almgren, M., Gulisano, V., Maggi, F. (eds.) DIMVA 2015. LNCS, vol. 9148, pp. 205–215. Springer, Cham (2015). doi:10.1007/978-3-319-20550-2_11

  28. Wang, X., Reiter, M.K.: Mitigating bandwidth-exhaustion attacks using congestion puzzles. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS) (2004)

  29. Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS botnets. In: Proceedings of the 7th European Workshop on Systems Security (EuroSec) (2014)

  30. Yaar, A., Perrig, A., Song, D.: Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of the IEEE Symposium on Security and Privacy (S&P) (2003)

Acknowledgements

This work was supported in part by the German Federal Ministry of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA) under grant 16KIS0656, by the European Union’s Horizon 2020 research and innovation program under grant agreement No. 700176, by the US National Science Foundation under grant 1619620, and by a gift from Google. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.

Corresponding author

Correspondence to Johannes Krupp.

Electronic supplementary material

Supplementary material 1 (txt 2 KB)

A Appendix

A.1 Additional Experimental Results

Table 5. Victim-driven experimental results for CharGen and SSDP

Protocol   Precision   Recall
CharGen    92.86%      89.24%
SSDP       92.15%      81.41%

Table 5 shows our experimental results for victim-driven attribution for CharGen (precision 92.86%, recall 89.24%) and SSDP (precision 92.15%, recall 81.41%).

Copyright information

© 2017 Springer International Publishing AG

Cite this paper

Krupp, J., Karami, M., Rossow, C., McCoy, D., Backes, M. (2017). Linking Amplification DDoS Attacks to Booter Services. In: Dacier, M., Bailey, M., Polychronakis, M., Antonakakis, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2017. Lecture Notes in Computer Science, vol 10453. Springer, Cham. https://doi.org/10.1007/978-3-319-66332-6_19

  • DOI: https://doi.org/10.1007/978-3-319-66332-6_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66331-9

  • Online ISBN: 978-3-319-66332-6