1000 days of UDP amplification DDoS attacks
Authors
Thomas, DR
Clayton, R
Beresford, AR
Publication Date
2017-04-27
Journal Title
eCrime Researchers Summit, eCrime
Conference Name
2017 APWG Symposium on Electronic Crime Research (eCrime)
ISSN
2159-1237
ISBN
9781538627013
Publisher
IEEE
Language
English
Type
Conference Object
This Version
AM
Citation
Thomas, D., Clayton, R., & Beresford, A. (2017). 1000 days of UDP amplification DDoS attacks. eCrime Researchers Summit, eCrime. https://doi.org/10.1109/ECRIME.2017.7945057
Abstract
Distributed Denial of Service (DDoS) attacks employing reflected UDP amplification are regularly used to disrupt networks and systems. The amplification allows one rented server to generate significant volumes of data, while the reflection hides the identity of the attacker. Consequently this is an attractive, low risk, strategy for criminals bent on vandalism and extortion. To measure the uptake of this strategy we analyse the results of running a network of honeypot UDP reflectors (median size 65 nodes) from July 2014 onwards. We explore the life cycle of attacks that use our reflectors, from the scanning phase used to detect our honeypot machines, through to their use in attacks. We see a median of 1450 malicious scanners per day across all UDP protocols, and have recorded details of 5.18 million subsequent attacks involving in excess of 3.31 trillion packets. Using a capture-recapture statistical technique, we estimate that our reflectors can see between 85.1% and 96.6% of UDP reflection attacks over our measurement period.
Keywords
UDP-reflection, DDoS, honeypot, cybercrime, booter, stresser, amplification attack, attack counting, Internet scanning, DRDoS
Sponsorship
We are extremely grateful to the organisations and individuals who have hosted Hopscotch nodes, and in particular the ShadowServer Foundation and Digital Ocean Inc. Daniel R. Thomas is supported by a grant from ThreatSTOP Inc. Richard Clayton is supported by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHS S&T/CSD) Broad Agency Announcement 11.02, the Government of Australia and SPAWAR Systems Center Pacific [contract number N66001-13-C-0131]; and the EPSRC [grant number EP/M020320/1]. Alastair R. Beresford is partly supported by the EPSRC [grant number EP/M020320/1]. The opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect those of any of the funders.
Funder references
Engineering and Physical Sciences Research Council (EP/M020320/1)
Identifiers
External DOI: https://doi.org/10.1109/ECRIME.2017.7945057
This record's URL: https://www.repository.cam.ac.uk/handle/1810/263925
Rights
Licence:
http://www.rioxx.net/licenses/all-rights-reserved