Linking Amplification DDoS Attacks to Booter Services

Johannes Krupp, Mohammad Karami, Christian Rossow, Damon McCoy, Michael Backes

    Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

    Abstract

    We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic of a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-service mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99% while still achieving recall of over 69% in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53% (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34% (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.
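    To make the attribution step concrete, the following is an added example, not the authors' code, of a k-NN classifier over the reflector set of an attack: attacks launched against one's own host from subscribed booters supply labelled training points, an attack seen at honeypot amplifiers is compared to them by Jaccard distance over reflector sets, and an attack whose nearest neighbours disagree or lie too far from any known service stays unattributed, which is the mechanism that keeps precision high at the cost of recall. The distance function, k, the rejection threshold, the service names and all addresses (RFC 5737 documentation ranges) are constructed assumptions, not values or features taken from the paper.

```python
"""k-NN attribution of amplification DDoS attacks to booter services.

Added illustration of the approach the abstract outlines (a k-NN classifier over
the set of reflectors an attack uses). It is NOT the authors' code: the Jaccard
distance, k=3, the rejection threshold, the service names and every address below
(all from RFC 5737 documentation ranges) are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Attack:
    protocol: str                   # amplification protocol, e.g. "dns" or "ntp"
    reflectors: FrozenSet[str]      # amplifier addresses seen participating in the attack
    service: Optional[str] = None   # booter label for ground-truth (self-inflicted) attacks


def jaccard_distance(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """1 - |a & b| / |a | b|: 0.0 for identical reflector sets, 1.0 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def knn_attribute(observed, training, k=3, max_distance=0.5):
    """Attribute one attack. Returns (service, nearest_distance); service is None
    when the k nearest ground-truth attacks do not agree by strict majority, or the
    nearest one is farther than max_distance (unknown service or too little overlap)."""
    candidates = [t for t in training if t.protocol == observed.protocol and t.service]
    if not candidates:
        return None, 1.0
    ranked = sorted(candidates, key=lambda t: jaccard_distance(observed.reflectors, t.reflectors))
    neighbours = ranked[:k]
    nearest = jaccard_distance(observed.reflectors, neighbours[0].reflectors)
    service, votes = Counter(t.service for t in neighbours).most_common(1)[0]
    if votes * 2 <= k or nearest > max_distance:
        return None, nearest
    return service, nearest


def attribute_all(observations, training, **kw):
    """Run the classifier over honeypot observations; returns a per-protocol summary
    {protocol: {"total": n, "attributed": m, "per_service": Counter}}."""
    summary = {}
    for obs in observations:
        entry = summary.setdefault(obs.protocol, {"total": 0, "attributed": 0, "per_service": Counter()})
        entry["total"] += 1
        service, _ = knn_attribute(obs, training, **kw)
        if service is not None:
            entry["attributed"] += 1
            entry["per_service"][service] += 1
    return summary


def _ips(prefix, hosts):
    return frozenset(f"{prefix}.{h}" for h in hosts)


# Constructed ground truth: three self-launched attacks per (service, protocol).
GROUND_TRUTH = [
    Attack("dns", _ips("192.0.2", range(1, 9)), "booter-a"),
    Attack("dns", _ips("192.0.2", range(2, 10)), "booter-a"),
    Attack("dns", _ips("192.0.2", [1, 3, 5, 7, 9, 10]), "booter-a"),
    Attack("dns", _ips("198.51.100", range(1, 9)), "booter-b"),
    Attack("dns", _ips("198.51.100", range(3, 11)), "booter-b"),
    Attack("dns", _ips("198.51.100", [1, 3, 5, 7, 9]), "booter-b"),
    Attack("ntp", _ips("203.0.113", range(1, 9)), "booter-c"),
    Attack("ntp", _ips("203.0.113", range(2, 10)), "booter-c"),
    Attack("ntp", _ips("203.0.113", range(3, 11)), "booter-c"),
]

# Constructed honeypot observations (service unknown, to be inferred).
OBSERVED = [
    Attack("dns", _ips("192.0.2", [1, 2, 3, 4, 5, 6, 7, 10])),                  # overlaps booter-a
    Attack("dns", _ips("198.51.100", [1, 3, 5, 7, 9, 10])),                     # overlaps booter-b
    Attack("dns", _ips("203.0.113", range(1, 9))),                              # never seen for DNS
    Attack("ntp", _ips("203.0.113", [2, 3, 4, 5, 6, 7, 8, 9, 40])),             # overlaps booter-c
    Attack("ntp", _ips("203.0.113", [1, 2, 30, 31, 32, 33, 34, 35, 36, 37])),   # too little overlap
]

if __name__ == "__main__":
    for obs in OBSERVED:
        print(obs.protocol, knn_attribute(obs, GROUND_TRUTH))
    print(attribute_all(OBSERVED, GROUND_TRUTH))
```

    The third and fifth observations are what the unattributed 74% and 87% in the abstract look like in practice: a reflector set no known service has ever used, or one that overlaps a known service too little to clear the threshold. A victim could feed the source addresses from its own traces into the same function, since the reflectors appear there as sources, but the paper's victim-side feature set differs and is not reproduced here.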

    Original language: English (US)
    Title of host publication: Research in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Proceedings
    Publisher: Springer Verlag
    Pages: 427-449
    Number of pages: 23
    Volume: 10453 LNCS
    ISBN (Print): 9783319663319
    DOI: https://doi.org/10.1007/978-3-319-66332-6_19
    State: Published - 2017
    Event: 20th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2017 - Atlanta, United States
    Duration: Sep 18 2017 - Sep 20 2017

    Publication series

    Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
    Volume: 10453 LNCS
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Fingerprint

    DDoS
    Amplification
    Linking
    Classifiers
    Attack
    Honeypot
    Attribute
    Nearest Neighbor
    Reflector
    Classification Algorithm
    Classifier
    Trace
    Real-time

    ASJC Scopus subject areas

    • Theoretical Computer Science
    • Computer Science(all)

    Cite this

    Krupp, J., Karami, M., Rossow, C., McCoy, D., & Backes, M. (2017). Linking Amplification DDoS Attacks to Booter Services. In Research in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Proceedings (Vol. 10453 LNCS, pp. 427-449). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10453 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-66332-6_19

    @inproceedings{2254c0771b7b4872b78ac2dd893bde1c,
    title = "Linking Amplification DDoS Attacks to Booter Services",
    abstract = "We present techniques for attributing amplification DDoS attacks to the booter services that launched the attack. Our k-Nearest Neighbor (k-NN) classification algorithm is based on features that are characteristic of a DDoS service, such as the set of reflectors used by that service. This allows us to attribute DDoS attacks based on observations from honeypot amplifiers, augmented with training data from ground truth attack-to-service mappings we generated by subscribing to DDoS services and attacking ourselves in a controlled environment. Our evaluation shows that we can attribute DNS and NTP attacks observed by the honeypots with a precision of over 99{\%} while still achieving recall of over 69{\%} in the most challenging real-time attribution scenario. Furthermore, we develop a similarly precise technique that allows a victim to attribute an attack based on a slightly different set of features that can be extracted from a victim’s network traces. Executing our k-NN classifier over all attacks observed by the honeypots shows that 25.53{\%} (49,297) of the DNS attacks can be attributed to 7 booter services and 13.34{\%} (38,520) of the NTP attacks can be attributed to 15 booter services. This demonstrates the potential benefits of DDoS attribution to identify harmful DDoS services and victims of these services.",
    author = "Johannes Krupp and Mohammad Karami and Christian Rossow and Damon McCoy and Michael Backes",
    year = "2017",
    doi = "10.1007/978-3-319-66332-6_19",
    language = "English (US)",
    isbn = "9783319663319",
    volume = "10453 LNCS",
    series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
    publisher = "Springer Verlag",
    pages = "427--449",
    booktitle = "Research in Attacks, Intrusions, and Defenses - 20th International Symposium, RAID 2017, Proceedings",
    address = "Germany",

    }

    Scopus record: SCOPUS:85032870002 (http://www.scopus.com/inward/record.url?scp=85032870002&partnerID=8YFLogxK)