
| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Thomas, Daniel R. | en |
| dc.contributor.author | Clayton, Richard Neil | en |
| dc.contributor.author | Beresford, Alastair Richard | en |
| dc.date.accessioned | 2017-05-02T08:26:06Z | |
| dc.date.available | 2017-05-02T08:26:06Z | |
| dc.date.issued | 2017-04-27 | en |
| dc.identifier.uri | https://www.repository.cam.ac.uk/handle/1810/263925 | |
| dc.description.abstract | Distributed Denial of Service (DDoS) attacks employing reflected UDP amplification are regularly used to disrupt networks and systems. The amplification allows one rented server to generate significant volumes of data, while the reflection hides the identity of the attacker. Consequently this is an attractive, low risk, strategy for criminals bent on vandalism and extortion. To measure the uptake of this strategy we analyse the results of running a network of honeypot UDP reflectors (median size 65 nodes) from July 2014 onwards. We explore the life cycle of attacks that use our reflectors, from the scanning phase used to detect our honeypot machines, through to their use in attacks. We see a median of 1450 malicious scanners per day across all UDP protocols, and have recorded details of 5.18 million subsequent attacks involving in excess of 3.31 trillion packets. Using a capture-recapture statistical technique, we estimate that our reflectors can see between 85.1% and 96.6% of UDP reflection attacks over our measurement period. | |
| dc.description.sponsorship | We are extremely grateful to the organisations and individuals who have hosted Hopscotch nodes, and in particular the ShadowServer Foundation and Digital Ocean Inc. Daniel R. Thomas is supported by a grant from ThreatSTOP Inc. Richard Clayton is supported by the Department of Homeland Security (DHS) Science and Technology Directorate, Cyber Security Division (DHSS&T/CSD) Broad Agency Announcement 11.02, the Government of Australia and SPAWAR Systems Center Pacific [contract number N66001-13-C-0131]; and the EPSRC [grant number EP/M020320/1]. Alastair R. Beresford is partly supported by the EPSRC [grant number EP/M020320/1]. The opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect those of any of the funders. | |
| dc.language | English | en |
| dc.language.iso | en | en |
| dc.publisher | IEEE | |
| dc.subject | UDP-reflection | en |
| dc.subject | DDoS | en |
| dc.subject | honeypot | en |
| dc.subject | cybercrime | en |
| dc.subject | booter | en |
| dc.subject | stresser | en |
| dc.subject | amplification attack | en |
| dc.subject | attack counting | en |
| dc.subject | Internet scanning | en |
| dc.subject | DRDoS | en |
| dc.title | 1000 days of UDP amplification DDoS attacks | en |
| dc.type | Conference Object | |
| prism.publicationDate | 2017 | en |
| dc.identifier.doi | 10.17863/CAM.9117 | |
| dcterms.dateAccepted | 2017-03-02 | en |
| rioxxterms.version | AM | en |
| rioxxterms.licenseref.uri | http://www.rioxx.net/licenses/all-rights-reserved | en |
| rioxxterms.licenseref.startdate | 2017-04-27 | en |
| dc.contributor.orcid | Thomas, Daniel R. [0000-0001-8936-0683] | |
| dc.contributor.orcid | Clayton, Richard Neil [0000-0002-1673-918X] | |
| dc.contributor.orcid | Beresford, Alastair Richard [0000-0003-0818-6535] | |
| rioxxterms.type | Conference Paper/Proceeding/Abstract | en |
| pubs.funder-project-id | EPSRC (EP/M020320/1) | |

