TY - GEN
T1 - Linking Amplification DDoS Attacks to Booter Services
AU - Krupp, Johannes
AU - Karami, Mohammad
AU - Rossow, Christian
AU - McCoy, Damon
AU - Backes, Michael
N1 - Publisher Copyright:
© 2017, Springer International Publishing AG.
PY - 2017
Y1 - 2017
AB - We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic for a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-services mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.
UR - http://www.scopus.com/inward/record.url?scp=85032870002&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85032870002&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-66332-6_19
DO - 10.1007/978-3-319-66332-6_19
M3 - Conference contribution
AN - SCOPUS:85032870002
SN - 9783319663319
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 427
EP - 449
BT - Research in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Proceedings
A2 - Polychronakis, Michalis
A2 - Antonakakis, Manos
A2 - Dacier, Marc
A2 - Bailey, Michael
PB - Springer Verlag
T2 - 20th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2017
Y2 - 18 September 2017 through 20 September 2017
ER -