Linking Amplification DDoS Attacks to Booter Services

Johannes Krupp, Mohammad Karami, Christian Rossow, Damon McCoy, Michael Backes

    Research output: Chapter in Book/Report/Conference proceedingConference contribution


    We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic for a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-services mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.

    Original languageEnglish (US)
    Title of host publicationResearch in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Proceedings
    EditorsMichalis Polychronakis, Manos Antonakakis, Marc Dacier, Michael Bailey
    PublisherSpringer Verlag
    Number of pages23
    ISBN (Print)9783319663319
    StatePublished - 2017
    Event20th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2017 - Atlanta, United States
    Duration: Sep 18 2017Sep 20 2017

    Publication series

    NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume10453 LNCS
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349


    Other20th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2017
    Country/TerritoryUnited States

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • General Computer Science


    Dive into the research topics of 'Linking Amplification DDoS Attacks to Booter Services'. Together they form a unique fingerprint.

    Cite this