Abstract
DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date we have ultimately failed to eradicate DDoS altogether. Moreover, the landscape of DDoS attack mechanisms keeps evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks on a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they make up the largest fraction of DDoS amplification attacks within our observation, and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquiti Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone capacity and that filtering approaches in prior work omit 97% of the attack traffic.
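The abstract describes identifying amplification attacks from traffic flows and measuring how much attack traffic a filter leaves untouched. The following is an added example, not code from the paper or its authors: it triages flow records by well-known amplifier source ports (the protocols named in the abstract; the port numbers are public service ports), aggregates reflector->victim traffic per victim, and reports what fraction of detected attack bytes a filter limited to a subset of protocols would cover. All flow records, addresses, thresholds and the `make_flow`/`detect_attacks`/`filter_coverage` helpers are constructed here for illustration.

```python
"""Flow-based triage of UDP reflection/amplification attacks.

Added example (not code from the paper). Flow records are constructed
inline; the port-to-protocol mapping uses well-known UDP service ports.
"""
from collections import defaultdict

# Well-known UDP ports of services abused as reflectors. The protocol
# list mirrors the abstract; the port numbers are public service ports.
AMPLIFIER_PORTS = {
    123: "NTP",
    389: "CLDAP",
    1194: "OpenVPN",
    3283: "ARMS",
    10001: "Ubiquiti Discovery",
}


def make_flow(src_ip, src_port, dst_ip, dst_port, nbytes, packets, proto="udp"):
    """Build one flow record (a dict) in the shape the detector expects."""
    return {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip,
            "dst_port": dst_port, "proto": proto, "bytes": nbytes, "packets": packets}


# Constructed sample flows (documentation-range addresses, not real hosts).
SAMPLE_FLOWS = (
    # Victim A: five NTP reflectors sending large response packets.
    [make_flow(f"192.0.2.{i}", 123, "203.0.113.10", 40000 + i, 300_000, 250)
     for i in range(1, 6)]
    # Victim A: only two CLDAP reflectors (below the reflector threshold).
    + [make_flow(f"192.0.2.{i}", 389, "203.0.113.10", 50000, 400_000, 300)
       for i in range(10, 12)]
    # Victim B: three Ubiquiti Discovery reflectors.
    + [make_flow(f"198.51.100.{i}", 10001, "203.0.113.20", 60000, 500_000, 400)
       for i in range(1, 4)]
    # Benign: one NTP server answering a client with 48-byte packets.
    + [make_flow("192.0.2.50", 123, "198.51.100.200", 55555, 480, 10)]
    # Benign: DNS answer, port not in the amplifier table.
    + [make_flow("192.0.2.53", 53, "198.51.100.201", 44444, 2_000, 10)]
)


def classify_flow(flow, min_avg_packet=400):
    """Name the amplifier protocol if the flow looks like reflector->victim
    response traffic: UDP, a well-known amplifier source port, and an average
    packet size typical of amplified responses. Otherwise return None."""
    if flow["proto"] != "udp" or flow["packets"] == 0:
        return None
    if flow["bytes"] / flow["packets"] < min_avg_packet:
        return None  # small packets: ordinary request/response, not amplification
    return AMPLIFIER_PORTS.get(flow["src_port"])


def detect_attacks(flows, min_reflectors=3, min_bytes=1_000_000):
    """Aggregate suspected amplification traffic per victim and protocol.

    Returns {victim_ip: {protocol: {"reflectors": n, "bytes": b}}}, keeping
    only (victim, protocol) pairs that exceed both thresholds."""
    agg = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    for flow in flows:
        proto = classify_flow(flow)
        if proto is None:
            continue
        entry = agg[flow["dst_ip"]][proto]
        entry["reflectors"].add(flow["src_ip"])
        entry["bytes"] += flow["bytes"]

    detections = {}
    for victim, per_proto in agg.items():
        hits = {
            proto: {"reflectors": len(e["reflectors"]), "bytes": e["bytes"]}
            for proto, e in per_proto.items()
            if len(e["reflectors"]) >= min_reflectors and e["bytes"] >= min_bytes
        }
        if hits:
            detections[victim] = hits
    return detections


def filter_coverage(detections, filtered_protocols):
    """Fraction of detected attack bytes that a filter limited to the given
    protocols would drop; the remainder is what such a filter leaves untouched."""
    total = covered = 0
    for per_proto in detections.values():
        for proto, e in per_proto.items():
            total += e["bytes"]
            if proto in filtered_protocols:
                covered += e["bytes"]
    return covered / total if total else 0.0


if __name__ == "__main__":
    found = detect_attacks(SAMPLE_FLOWS)
    for victim, per_proto in found.items():
        for proto, e in per_proto.items():
            print(f"{victim}: {proto} from {e['reflectors']} reflectors, {e['bytes']} bytes")
    print(f"NTP-only filter covers {filter_coverage(found, {'NTP'}):.0%} of detected attack bytes")
```

On the constructed flows the detector flags two victims (NTP and Ubiquiti Discovery) and discards the small-packet NTP exchange and the two-reflector CLDAP traffic; an NTP-only filter covers half of the detected attack bytes, which is the kind of coverage gap the abstract refers to. The average-packet-size check is what keeps ordinary client/server exchanges on the same ports out of the aggregation.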
Acknowledgments
We thank the anonymous reviewers and our shepherd, Amogh Dhamdhere (Amazon Web Services), for their constructive comments. We further thank Mark Schloesser and CrowdStrike for their comments and for providing honeypot data. This work was supported by the German Federal Ministry of Education and Research (BMBF) project AIDOS (16KIS0975K, 16KIS0976).
© 2021 Springer Nature Switzerland AG
Cite this paper
Kopp, D., Dietzel, C., Hohlfeld, O. (2021). DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks. In: Hohlfeld, O., Lutu, A., Levin, D. (eds) Passive and Active Measurement. PAM 2021. Lecture Notes in Computer Science(), vol 12671. Springer, Cham. https://doi.org/10.1007/978-3-030-72582-2_17
DOI: https://doi.org/10.1007/978-3-030-72582-2_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-72581-5
Online ISBN: 978-3-030-72582-2
eBook Packages: Computer Science, Computer Science (R0)