Um Estudo de Correlação de Ataques DRDoS com Fatores Externos Visando Dados de Honeypots
Resumo
Nos últimos anos ataques DRDoS viraram notícia, considerando o volume de tráfego que atacantes conseguem gerar através de refletores. Os ataques exploram diferentes estratégias, com a possibilidade de utilizar muitos protocolos para a amplificação do tráfego. Visando estudar a influência de fatores externos em ataques DRDoS, este trabalho utiliza dados coletados por honeypots para identificar períodos de intensos ataques DRDoS e tenta associar fatores externos a esses períodos. Ao todo foram investigados 13 países que concentram mais ataques em cada continente, e para diversos períodos foi possível associar fatores externos, como eventos políticos e COVID-19.
Palavras-chave:
Ataques de Amplificação, Caracterização de Redes, Ataques Distribuídos de Negação de Serviço
Referências
7News (2021). Snap two-week shutdown of construction industry confirmed after violent Melbourne protest. https://bit.ly/3xAhKYx.
Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., and Gritzalis, S. (2013). DNS amplification attack revisited. Computers & Security, 39:475–485.
AustraliaNaviation (2019). Exercise talisman sabre formally launched on USS Reagan. https://bit.ly/3n0bHYo.
Beswick, E. (2021). Germany extends and tightens lockdown restrictions to January 31. https://bit.ly/3bfjYFv.
Brown, N. and McMah, L. (2020). NSW What northern beaches outbreak means for Christmas borders. https://bit.ly/3Ol9hjn.
Daragahi, B. (2020). Riot police crack down on spontaneous demonstrations against President Sisi in cities across Egypt. https://bit.ly/3xFgoM6.
Ercan, E. M. and Selçuk, A. A. (2021). A study on exploitable DRDoS amplifiers in Europe. International Journal of Information Security Science, 10(2):26–41.
Fachkha, C., Bou-Harb, E., and Debbabi, M. (2015). Inferring distributed reflection denial of service attacks from darknet. Computer Communications, 62:59–71.
GovHK (2021). New telecoms law to take effect. https://bit.ly/3n1fwNa.
Griffin, D. (2021). Assault on democracy paths to insurrection. https://cnn.it/3NfcNug.
Heinrich, T., Longo, F., and Obelheiro, R. R. (2017). Experiências com um honeypot DNS: Caracterização e evoluão do tráfego malicioso. In Anais do XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 292–305, Brasília, DF, Brasil. SBC.
Heinrich, T. and Obelheiro, R. R. (2019). Brasil vs Mundo: Uma análise comparativa de ataques DDoS por reflexão. In Anais do XIX Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 239–252, São Paulo, SP, Brasil. SBC.
Heinrich, T., Obelheiro, R. R., and Maziero, C. A. (2021). New kids on the DRDoS block: Characterizing multiprotocol and carpet bombing attacks. In Proceedings of the 22nd International Conference on Passive and Active Network Measurement, pages 269–283, Cottbus, Alemanha. Springer.
HeraldLIVE (2021). It is official, Port Elizabeth has a new name - Gqeberha. https://bit.ly/3N2Xjt5.
Kopp, D., Dietzel, C., and Hohlfeld, O. (2021). DDoS never dies? An IXP perspective on DDoS amplification attacks. In Proceedings of the 22nd International Conference on Passive and Active Network Measurement, pages 284–301, Cottbus, Alemanha. Springer.
Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., and Rossow, C. (2015). AmpPot: Monitoring and defending against amplification DDoS attacks. In Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, pages 615–636, Kyoto, Japão. Springer.
Kührer, M., Hupperich, T., Rossow, C., and Holz, T. (2014). Exit from hell? Reducing the impact of amplification DDoS attacks. In Proceedings of the USENIX Security Symposium, San Diego, CA, EUA. USENIX.
Liotti, J. (2019). Vidal decidio que no adelantara las elecciones en Buenos Aires. https://bit.ly/2GaFPMK.
Localcouncils (2019a). About your 2019 local elections. https://bit.ly/3zLoQMA.
Localcouncils (2019b). About your 2019 local elections. https://bit.ly/39yfw3U.
Mills, J. (2019). New prime minister will be announced on july 23. https://bit.ly/3HLz8hJ.
Murphy, K. and Butler, J. (2022). Anthony Albanese commits to anti-corruption watchdog by end of 2022, if Labor wins election. https://bit.ly/3O3HrrB.
NETSCOUT (2020). Netscout threat intelligence report for the first half of 2020. https://bit.ly/3mh3Tzb.
NETSCOUT and Arbor (2017). Insight into the global threat landscape. Netscout Arbor’s 13th Annual Worldwide Infrastructure Security Report.
Noroozian, A., Korczynski, M., Gañan, C., Makita, D., Yoshioka, K., and van Eeten, M. (2016). Who gets the boot? Analyzing victimization by DDoS-as-a-Service. In Proceedings of the 19th International Symposium on Research in Attacks, Intrusions, and Defenses, pages 368–389, Paris, França. Springer.
Paxson, V. (2001). An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Computer Communication Review, 31(3):38–47.
Press, A. (2019). Hong Kong’s delayed legislative elections set for December. https://bit.ly/3b5gaX7.
Press, A. (2020). Anti-corona extremists try to storm German parliament. https://bit.ly/3N2B0DY.
Rey, D. (2021). Argentine health minister resigns amid vaccine scandal. https://bit.ly/3xxshDU.
Rossow, C. (2014). Amplification hell: Revisiting network protocols for DDoS abuse. In Proceedings of the Network and Distributed System Security Symposium, pages 1–15, San Diego, CA, EUA. Internet Society.
Rudman, L. and Irwin, B. (2015). Characterization and analysis of NTP amplification-based DDoS attacks. In Proceedings of the Information Security for South Africa, Joanesburgo, África do Sul. IEEE.
Saunokonoko, M. (2020). Shock and awe: Victoria declares state of disaster, six-week Melbourne curfew and stage four restrictions. https://bit.ly/3zIvhA5.
Seyfort, S. and Zagon, C. (2021). More than 200 arrests made on third day of Melbourne protests. https://bit.ly/3tLUbLc.
Stuff (2020). Jacinda Ardern delays election to October 17 amid coronavirus outbreak. https://bit.ly/3xDglAv.
Thomas, D. R., Clayton, R., and Beresford, A. R. (2017). 1000 days of UDP amplification DDoS attacks. In Proceedings of the APWG Symposium on Electronic Crime Research, pages 79–84, Scottsdale, AZ, EUA. IEEE.
Thomas, L. and Carraud, S. (2019). French violence flares as yellow vest protests enter fourth month. https://reut.rs/3y0p6pO.
Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., and Gritzalis, S. (2013). DNS amplification attack revisited. Computers & Security, 39:475–485.
AustraliaNaviation (2019). Exercise talisman sabre formally launched on USS Reagan. https://bit.ly/3n0bHYo.
Beswick, E. (2021). Germany extends and tightens lockdown restrictions to January 31. https://bit.ly/3bfjYFv.
Brown, N. and McMah, L. (2020). NSW What northern beaches outbreak means for Christmas borders. https://bit.ly/3Ol9hjn.
Daragahi, B. (2020). Riot police crack down on spontaneous demonstrations against President Sisi in cities across Egypt. https://bit.ly/3xFgoM6.
Ercan, E. M. and Selçuk, A. A. (2021). A study on exploitable DRDoS amplifiers in Europe. International Journal of Information Security Science, 10(2):26–41.
Fachkha, C., Bou-Harb, E., and Debbabi, M. (2015). Inferring distributed reflection denial of service attacks from darknet. Computer Communications, 62:59–71.
GovHK (2021). New telecoms law to take effect. https://bit.ly/3n1fwNa.
Griffin, D. (2021). Assault on democracy paths to insurrection. https://cnn.it/3NfcNug.
Heinrich, T., Longo, F., and Obelheiro, R. R. (2017). Experiências com um honeypot DNS: Caracterização e evoluão do tráfego malicioso. In Anais do XVII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, pages 292–305, Brasília, DF, Brasil. SBC.
Heinrich, T. and Obelheiro, R. R. (2019). Brasil vs Mundo: Uma análise comparativa de ataques DDoS por reflexão. In Anais do XIX Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais, pages 239–252, São Paulo, SP, Brasil. SBC.
Heinrich, T., Obelheiro, R. R., and Maziero, C. A. (2021). New kids on the DRDoS block: Characterizing multiprotocol and carpet bombing attacks. In Proceedings of the 22nd International Conference on Passive and Active Network Measurement, pages 269–283, Cottbus, Alemanha. Springer.
HeraldLIVE (2021). It is official, Port Elizabeth has a new name - Gqeberha. https://bit.ly/3N2Xjt5.
Kopp, D., Dietzel, C., and Hohlfeld, O. (2021). DDoS never dies? An IXP perspective on DDoS amplification attacks. In Proceedings of the 22nd International Conference on Passive and Active Network Measurement, pages 284–301, Cottbus, Alemanha. Springer.
Krämer, L., Krupp, J., Makita, D., Nishizoe, T., Koide, T., Yoshioka, K., and Rossow, C. (2015). AmpPot: Monitoring and defending against amplification DDoS attacks. In Proceedings of the 18th International Symposium on Research in Attacks, Intrusions, and Defenses, pages 615–636, Kyoto, Japão. Springer.
Kührer, M., Hupperich, T., Rossow, C., and Holz, T. (2014). Exit from hell? Reducing the impact of amplification DDoS attacks. In Proceedings of the USENIX Security Symposium, San Diego, CA, EUA. USENIX.
Liotti, J. (2019). Vidal decidio que no adelantara las elecciones en Buenos Aires. https://bit.ly/2GaFPMK.
Localcouncils (2019a). About your 2019 local elections. https://bit.ly/3zLoQMA.
Localcouncils (2019b). About your 2019 local elections. https://bit.ly/39yfw3U.
Mills, J. (2019). New prime minister will be announced on july 23. https://bit.ly/3HLz8hJ.
Murphy, K. and Butler, J. (2022). Anthony Albanese commits to anti-corruption watchdog by end of 2022, if Labor wins election. https://bit.ly/3O3HrrB.
NETSCOUT (2020). Netscout threat intelligence report for the first half of 2020. https://bit.ly/3mh3Tzb.
NETSCOUT and Arbor (2017). Insight into the global threat landscape. Netscout Arbor’s 13th Annual Worldwide Infrastructure Security Report.
Noroozian, A., Korczynski, M., Gañan, C., Makita, D., Yoshioka, K., and van Eeten, M. (2016). Who gets the boot? Analyzing victimization by DDoS-as-a-Service. In Proceedings of the 19th International Symposium on Research in Attacks, Intrusions, and Defenses, pages 368–389, Paris, França. Springer.
Paxson, V. (2001). An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Computer Communication Review, 31(3):38–47.
Press, A. (2019). Hong Kong’s delayed legislative elections set for December. https://bit.ly/3b5gaX7.
Press, A. (2020). Anti-corona extremists try to storm German parliament. https://bit.ly/3N2B0DY.
Rey, D. (2021). Argentine health minister resigns amid vaccine scandal. https://bit.ly/3xxshDU.
Rossow, C. (2014). Amplification hell: Revisiting network protocols for DDoS abuse. In Proceedings of the Network and Distributed System Security Symposium, pages 1–15, San Diego, CA, EUA. Internet Society.
Rudman, L. and Irwin, B. (2015). Characterization and analysis of NTP amplification-based DDoS attacks. In Proceedings of the Information Security for South Africa, Joanesburgo, África do Sul. IEEE.
Saunokonoko, M. (2020). Shock and awe: Victoria declares state of disaster, six-week Melbourne curfew and stage four restrictions. https://bit.ly/3zIvhA5.
Seyfort, S. and Zagon, C. (2021). More than 200 arrests made on third day of Melbourne protests. https://bit.ly/3tLUbLc.
Stuff (2020). Jacinda Ardern delays election to October 17 amid coronavirus outbreak. https://bit.ly/3xDglAv.
Thomas, D. R., Clayton, R., and Beresford, A. R. (2017). 1000 days of UDP amplification DDoS attacks. In Proceedings of the APWG Symposium on Electronic Crime Research, pages 79–84, Scottsdale, AZ, EUA. IEEE.
Thomas, L. and Carraud, S. (2019). French violence flares as yellow vest protests enter fourth month. https://reut.rs/3y0p6pO.
Publicado
12/09/2022
Como Citar
HEINRICH, Tiago; WILL, Newton C.; OBELHEIRO, Rafael R.; MAZIERO, Carlos A..
Um Estudo de Correlação de Ataques DRDoS com Fatores Externos Visando Dados de Honeypots. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 22. , 2022, Santa Maria.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2022
.
p. 358-371.
DOI: https://doi.org/10.5753/sbseg.2022.225328.
