A Correlation Study of DRDoS Attacks with External Factors Using Honeypots Data

Abstract


In recent years, distributed reflection denial-of-service (DRDoS) attacks have made headlines because of the volume of traffic that attackers manage to generate through reflectors. These attacks use different strategies and can abuse many protocols for traffic amplification. To study the influence of external factors on DRDoS attacks, this work uses data collected by honeypots to identify periods of intense DRDoS attacks and tries to associate external factors with these periods. We investigated 13 countries that concentrate the most attacks in each continent and were able to associate external factors, such as political events and COVID-19, with many periods.

Keywords: Amplification Attacks, Network Characterization, Distributed Denial of Service Attacks

Published: 2022-09-12

HEINRICH, Tiago; WILL, Newton C.; OBELHEIRO, Rafael R.; MAZIERO, Carlos A. A Correlation Study of DRDoS Attacks with External Factors Using Honeypots Data. In: BRAZILIAN SYMPOSIUM ON INFORMATION AND COMPUTATIONAL SYSTEMS SECURITY (SBSEG), 22., 2022, Santa Maria. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022. p. 358-371. DOI: https://doi.org/10.5753/sbseg.2022.225328.
