A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

Jonker, Mattijs; Pras, Aiko; Dainotti, Alberto; Sperotto, Anna

doi:10.1145/3278532.3278571

Cited by 22 publications

(11 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Only in 19 cases we record a delay greater than 30 min, with the highest delay being 5 h for an 8-h long attack. These findings are similar to prior work [30], that describes a delay of <10 min for 84.2% within their data set. The low attack volume in relation to the port capacity of blackholing events, in combination with the short delay, suggest an automation of the blackholing mitigation.…”

Section: Infrastructure Perspectivesupporting

confidence: 91%

“…To mitigate these attacks in practice, various reactive DDoS detection and defense techniques filter unwanted traffic of ongoing attacks, e.g., scrubbing services [2, 23,29,43,63], blackholing [20,21,29,30], or ACLs and Flowspec [16,48]. In this arms race, spontaneously appearing new amplification vectors are quickly growing to cause substantial harm to even well positioned networks and applications [42,65].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

Kopp¹,

Dietzel²,

Hohlfeld

2021

Passive and Active Measurement

View full text Add to dashboard Cite

DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date we ultimately failed to eradicate DDoS altogether. Yet, the landscape of DDoS attack mechanisms is even evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks at a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they pose the largest fraction on DDoS amplification attacks within our observation and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquity Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone-capacity and that filtering approaches in prior work omit 97% of the attack traffic.

show abstract

Section: Infrastructure Perspectivesupporting

confidence: 91%

Section: Introductionmentioning

confidence: 99%

DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

Kopp¹,

Dietzel²,

Hohlfeld

2021

Passive and Active Measurement

View full text Add to dashboard Cite

show abstract

“…Darknet data have been utilized to study DDoS attacks [9,10,15,42], DoS attacks and BGP blackholing [25], IPv6 routing instabilities [11], and long-term cyber attacks [4]. Application-level responses to IBR observed in Darknet have also been used to characterize Internet-wide scanning activities [33].…”

Section: Related Workmentioning

confidence: 99%

Zooming Into the Darknet: Characterizing Internet Background Radiation and its Structural Changes

Kallitsis,

Honavar,

Prajapati

et al. 2021

Preprint

View full text Add to dashboard Cite

Network telescopes or "Darknets" provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, scanning performed for network reconnaissance, and others. Analyses of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large Darknets, however, observe millions of nefarious events on a daily basis which makes the transformation of the captured information into meaningful insights challenging. We present a novel framework for characterizing Darknet behavior and its temporal evolution aiming to address this challenge. The proposed framework:(i) Extracts a high dimensional representation of Darknet events composed of features distilled from Darknet data and other external sources; (ii) Learns, in an unsupervised fashion, an information-preserving low-dimensional representation of these events (using deep representation learning) that is amenable to clustering; (iv) Performs clustering of the scanner data in the resulting representation space and provides interpretable insights using optimal decision trees; and (v) Utilizes the clustering outcomes as "signatures" that can be used to detect structural changes in the Darknet activities. We evaluate the proposed system on a large operational Network Telescope and demonstrate its ability to detect real-world, high-impact cybersecurity incidents.

show abstract

“…Jonker et al 55 performed empirical observation of DDoS events and corresponding BGP blackholing events. They utilized two data sets of DDoS attack (from an Internet telescope and amplification honeypots) and one data set of BGP blackholing events (from public BGP route collectors), from March 1, 2015, through March 5, 2018.…”

Section: Related Workmentioning

confidence: 99%

Detecting and analyzing border gateway protocol blackholing activity

Farasat

Khan

2020

Int J Network Mgmt

View full text Add to dashboard Cite

Summary DDoS attack is a traditional malicious attempt to make an authorized system or service inaccessible. Currently, BGP blackholing is an operational countermeasure that builds upon the capabilities of BGP to protect from DDoS attacks. BGP enables blackholing by leveraging the BGP community attribute. This paper presents the analysis of BGP blackholing activity and propose a machine learning‐based mechanism to detect BGP blackholing activity. In BGP blackholing analysis, we find that many networks, including Internet service providers (ISPs) and Internet exchange points (IXPs), offer BGP blackholing service to their customers. We collect networks' blackhole communities and make BGP blackhole communities dictionary. Within 3‐month period (from August to October, 2018), we find a significant number of BGP blackhole announcements (97,532) and distinct blackhole prefixes (8,120). Most of the blackhole prefixes are IPv4 (99.1%). Among IPv4 blackhole prefixes, mostly are /32 (79.9%). The daily patterns of BGP blackholing highlight that there is a variable number of blackhole announcements and distinct blackhole prefixes every day. Furthermore, we apply machine learning techniques to design a BGP blackholing detection mechanism based on support vector machine (SVM), decision tree, and long short‐term memory (LSTM) classifiers. The results are compared based on accuracy and F‐score. Experimental results show that LSTM achieves the best classification accuracy of 95.9% and F‐score of 97.2%. This work provides insights for network operators and researchers interested in BGP blackholing service and DDoS mitigation in the Internet.

show abstract

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild

Cited by 22 publications

References 23 publications

DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

Zooming Into the Darknet: Characterizing Internet Background Radiation and its Structural Changes

Detecting and analyzing border gateway protocol blackholing activity

Contact Info

Product

Resources

About