Beyond Counting

Richter, Philipp; Smaragdakis, Georgios; Plonka, David; Berger, Arno

doi:10.1145/2987443.2987473

Cited by 34 publications

(6 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Together, our data sets of attack events account for 20.90 M attacks, targeting 6.34 M unique IP addresses, over a two-year period (Table 1). We observe a total of 2.19 M unique /24 network blocks that host at least one target, which is about a third of the ∼6.5 M /24 blocks recently estimated to be active on the Internet [8,9]. For repeated attacks against the same IP address, we see fewer events per target IP in the honeypots data than in the telescope data, which we attribute to more followup in randomly spoofed attacks.…”

Section: Analysis Of Attack Eventsmentioning

confidence: 67%

“…We use two raw data sources that provide signals of DoS attack events and complement each other: (1) the UCSD Network Telescope [6], which captures evidence of DoS attacks that involve randomly and uniformly spoofed IP addresses; and (2) the AmpPot DDoS honeypots [7], which witness reflection and amplification DoS attacks -an attack type that involves specifically spoofed IP addresses. Our data sets reveal more than 20 M DoS attacks targeting about 2.2 M /24 IPv4 network blocks, which is more than one-third of those estimated to be active on the Internet [8,9]. Furthermore, we discover 137 k cases where both randomly spoofed attacks and reflection and amplification attacks were simultaneously launched against the same target.…”

Section: Introductionmentioning

confidence: 89%

“…We show in Figure 8 per protocol the top five potentially targeted services, along with their share of the distribution within that respective protocol. 9 Table 8a shows the results for TCP. HTTP ranks first with 2.83 M attack events, which account for 48.68% of 5.81 M single target port attacks on TCP.…”

Section: Attacksmentioning

confidence: 99%

See 2 more Smart Citations

Millions of targets under attack

Jonker

King

Krupp

et al. 2017

Proceedings of the 2017 Internet Measurement Conference

View full text Add to dashboard Cite

Denial-of-Service attacks have rapidly increased in terms of frequency and intensity, steadily becoming one of the biggest threats to Internet stability and reliability. However, a rigorous comprehensive characterization of this phenomenon, and of countermeasures to mitigate the associated risks, faces many infrastructure and analytic challenges. We make progress toward this goal, by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs). Our analysis leverages data from four independent global Internet measurement infrastructures over the last two years: backscatter traffic to a large network telescope; logs from amplification honeypots; a DNS measurement platform covering 60% of the current namespace; and a DNS-based data set focusing on DPS adoption. Our results reveal the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years. We also discovered that often targets are simultaneously hit by different types of attacks. In our data, Web servers were the most prominent attack target; an average of 3% of the Web sites in .com, .net, and .org were involved with attacks, daily. Finally, we shed light on factors influencing migration to a DPS. CCS CONCEPTS• Networks → Denial-of-service attacks; Network management; • Security and privacy → Security services; Web protocol security;

show abstract

Section: Analysis Of Attack Eventsmentioning

confidence: 67%

Section: Introductionmentioning

confidence: 89%

See 1 more Smart Citation

Millions of targets under attack

Jonker

King

Krupp

et al. 2017

Proceedings of the 2017 Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…Together, our data sets of attack events account for 20.90 M attacks, targeting 6.34 M unique IP addresses, over a two-year period (Table 3.1). We observe a total of 2.19 M unique /24 network blocks that host at least one target, which is about a third of the ∼6.5 M /24 blocks recently estimated to be active on the Internet [95,117]. For repeated attacks against the same IP address, we see fewer events per target IP in the AmpPot data than in the UCSD-NT data, which we attribute to more follow-up in randomly spoofed attacks.…”

Section: A Third Of the Internet Attackedmentioning

confidence: 66%

DDoS Mitigation: A Measurement-Based Approach

Jonker

Sperotto

Pras

2020

NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

ix various operational aspects in the wild. Our results reveal how blackholing is applied in practice by operators. We show that for nearly 4% of attacks that are mitigated using blackholing, it takes more than 24 hours following the end of the attack for operators to retract the countermeasure. During this time, blackholed hosts are cutoff from the Internet (at least partially). The apparent lack of automation in recovery raises concern that hosts as well as services running on them may be cutoff from users unnecessarily. In addition, we unveil that less intense attacks are also blackholed: in 13% of cases the inferred attack traffic volume is at most 3 M bps. As blackholing effectively brings about a 'self-inflicted' DoS, these findings raise the question of how much (or little) effort is required for attackers to get operators to trigger such an extreme countermeasure.Focusing on the third contribution, this thesis investigates, for both mitigation solutions under consideration, hazards that can hamstring DoS defenses. Cloud-based protection services may be bypassed by sophisticated attackers as a result of mistakes in deployment. Mistakes may not be clearly understood by all users, which can lead to a false sense of security. We quantify this drawback on the Internet, focusing on the world's most popular Web sites, and on leading commercial protection services. Our results underpin the extent of the problem: the protection of 41% of Web sites under consideration can be bypassed. As for blackholing, this thesis takes preliminary steps towards investigating the extent to which hosts are cutoff unnecessarily. We quantify this in terms of common Internet services that run on blackholed hosts. This thesis will show from its outset that a basic challenge that we are faced with concerns data. Acquiring and developing diverse (raw) data sources to methodologically study the DoS problem constitutes a challenge. While this thesis comes a long way by systematically fusing data sources, future research, the research community and, more generally speaking, society, stand to benefit from improvements in data sharing. For this reason, this thesis also calls for structural improvements in data sharing. xii rence 1.5-jaar). Tezamen representeren deze zones circa de helft van alle globale domeinnamen. We onderzoeken ook tot in hoeverre slachtoffers van DoS aanvallen diensten ingebruiknemen na een aanval (we noemen dit migratie). Onze resultaten tonen aan dat de intensiteit van een aanval een belangrijke factor is voor migratie, terwijl herhaling en de duur van aanvallen dat niet zijn. Qua BGP blackholing onderzoekt dit proefschrift verscheidene operationele aspecten 'in het wild'. Onze resultaten tonen aan hoe blackholing in de praktijk wordt ingezet door operatoren. Voor bijna 4% van DoS aanvallen die met blackholing werden gemitigeerd duurde het langer dan 24 uur nadat de aanval gestopt was eer operatoren het ingezette middel terugtrokken. Gedurende deze tijd zijn de beschermde machines niet bereikbaar voor (delen van) het I...

show abstract

“…Fast IPv4 scanning has become a standard measurement technique for understanding edge host behavior on the Internet. Popularized by tools like ZMap [22] and Masscan [24], Internet scanning has enabled hundreds of papers on service deployment [4,18,20,31,53,57], outages [9,16,22,32,33,47,55], host liveness [7,12,27,46,56], security weaknesses [14,45,60], operator behavior [3,19,21,23,41], botnets [5,39], and censorship [34,49,50], as well as helped uncover new vulnerabilities [6,8,13,29]. Yet, despite the technique's recent popularity, there has been relatively little analysis of its accuracy and completeness.…”

Section: Introductionmentioning

confidence: 99%

On the Origin of Scanning

Wan

Izhikevich

Adrian³

et al. 2020

Proceedings of the ACM Internet Measurement Conference

View full text Add to dashboard Cite

Fast IPv4 scanning has enabled researchers to answer a wealth of security and networking questions. Yet, despite widespread use, there has been little validation of the methodology's accuracy, including whether a single scan provides sufficient coverage. In this paper, we analyze how scan origin affects the results of Internet-wide scans by completing three HTTP, HTTPS, and SSH scans from seven geographically and topologically diverse networks. We find that individual origins miss an average 1.6-8.4% of HTTP, 1.5-4.6% of HTTPS, and 8.3-18.2% of SSH hosts. We analyze why origins see different hosts, and show how permanent and temporary blocking, packet loss, geographic biases, and transient outages affect scan results. We discuss the implications for scanning and provide recommendations for future studies.

show abstract

Beyond Counting

Cited by 34 publications

References 33 publications

Millions of targets under attack

Millions of targets under attack

DDoS Mitigation: A Measurement-Based Approach

On the Origin of Scanning

Contact Info

Product

Resources

About