Brazil vs. the World: A Comparative Analysis of Reflection DDoS Attacks

  • Tiago Heinrich UDESC
  • Rafael Obelheiro UDESC

Abstract


Distributed reflection denial-of-service (DRDoS) attacks are widespread on the Internet. These attacks offer several advantages to attackers and are very effective at crippling individual hosts or even entire subnets. To detect, mitigate, and prevent DRDoS attacks, it is important to understand how they work and what their traffic characteristics are. This paper presents a comparative analysis of DRDoS attacks against victims in Brazil and in the rest of the world. We analyze 190 days of traffic collected using a honeypot, with over 204 k DRDoS attacks. We describe and contrast several characteristics of DRDoS traffic, including an in-depth analysis of carpet bombing attacks. We conclude that attacks against Brazilian victims are less intense and sophisticated than attacks against other victims, which may indicate that the local scene may worsen if attackers improve their tactics and tools.

Published: 2019-09-02

HEINRICH, Tiago; OBELHEIRO, Rafael. Brasil vs Mundo: Uma Análise Comparativa de Ataques DDoS por Reflexão. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 239-252. DOI: https://doi.org/10.5753/sbseg.2019.13975.