Fingerprinting Internet DNS Amplification DDoS Activities

Fachkha, Claude; Bou‐Harb, Elias; Debbabi, Mourad

doi:10.1109/ntms.2014.6814019

Cited by 39 publications

(18 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An attack that is similar to Smurf and Fraggle attacks is the DNS amplification attack [5][6][7]. Through various techniques, the attacker turns a small DNS query into a much larger payload directed at the target network.…”

Section: Attacks From An External Networkmentioning

confidence: 99%

PrECast: An Efficient Crypto-Free Solution for Broadcast-Based Attacks in IPv4 Networks

2018

View full text Add to dashboard Cite

Broadcasting is one of the essential features in the Internet Protocol Ver 4 (IPv4). Attackers often exploit this feature of the IP protocol to launch several attacks against a network or an individual host. Attackers may either be a part of a Local Area Network (LAN) or outside a LAN to launch these attacks. There are numerous papers available in the literature to solve problems resulting from IP broadcasting. However, all these solutions target a specific problem that results from IP broadcasting. Furthermore, these solutions use either a computationally-intensive cryptographic scheme, the a priori relation between the host and the network or a modified protocol stack at every host. In this paper, we provide a seamless and transparent solution to eliminate IP broadcasting and thus eliminate all problems related to IP broadcasting. Our proposed solution is crypto-free and does not need any modification to the protocol stack.

show abstract

Section: Attacks From An External Networkmentioning

confidence: 99%

PrECast: An Efficient Crypto-Free Solution for Broadcast-Based Attacks in IPv4 Networks

2018

View full text Add to dashboard Cite

show abstract

“…Since then, the focus of network telescope studies has shifted several times, closely following the volatile nature of new threat actors. For instance, some of the important contributions that demonstrate the evolution of telescope research include the discovery of the relationship between backscatter traffic and DDoS attacks in 2001 [60], worm propagation analysis between 2003 and 2005 [61,62], the use of time series and data mining techniques on telescope traffic in 2008 [63], the monitoring of large-scale cyber events through telescope in 2012 [64], and more recently, the study of amplification attacks using telescope sensors in 2013 and 2014 [65,66]. In contrast, this work proposes and evaluates a formal probabilistic preprocessing model for network telescope traffic in an effort to fingerprint and filter out misconfiguration traffic.…”

Section: Network Telescope: Measurements and Analysismentioning

confidence: 99%

Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Fachkha¹,

Bou‐Harb²,

Keliris³

et al. 2017

Proceedings 2017 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Although the security of Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community, undoubtedly, there still exists a substantial lack of a comprehensive and a holistic understanding of attackers' malicious strategies, aims and intentions. To this end, this paper uniquely exploits passive monitoring and analysis of a newly deployed network telescope IP address space in a first attempt ever to build broad notions of real CPS maliciousness. Specifically, we approach this problem by inferring, investigating, characterizing and reporting large-scale probing activities that specifically target more than 20 diverse, heavily employed CPS protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering noise that is embedded in network telescope traffic. Subsequently, we generate amalgamated statistics, inferences and insights characterizing such inferred scanning activities in terms of their probe types, the distribution of their sources and their packets' headers, among numerous others, in addition to examining and visualizing the co-occurrence patterns of such events. Further, we propose and empirically evaluate an innovative hybrid approach rooted in time-series analysis and context triggered piecewise hashing to infer, characterize and cluster orchestrated and well-coordinated probing activities targeting CPS protocols, which are generated from Internet-scale unsolicited sources. Our analysis and evaluations, which draw upon extensive network telescope data observed over a recent one month period, demonstrate a staggering 33 thousand probes towards ample of CPS protocols, the lack of interest in UDP-based CPS services, and the prevalence of probes towards the ICCP and Modbus protocols. Additionally, we infer a considerable 74% of CPS probes that were persistent throughout the entire analyzed period targeting prominent protocols such as DNP3 and BACnet. Further, we uncover close to 9 thousand large-scale, stealthy, previously undocumented orchestrated probing events targeting a number of such CPS protocols. We validate the various outcomes through cross-validations against publicly available threat repositories. We concur that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

“…In another DDoS cases, the attacker flood the Internet with requests spoofed by the address of the victim. Hence, all open services (e.g., DNS resolver) found online will reply to the victim with amplified replies [36]. For all aforementioned cases, while generating these malicious activities, some of this traffic might reach the darknet sensor and hence become available for IT investigators.…”

Section: Darknet Datamentioning

confidence: 99%

Security Monitoring of the Cyber Space

Fachkha

2015

Advances in Digital Crime, Forensics, and Cyber Terrorism

Self Cite

View full text Add to dashboard Cite

Adversaries are abusing Internet security and privacy services to execute cyber attacks. To cope with these threats, network operators utilize various security tools and techniques to monitor the cyber space. An efficient way to infer Internet threat activities is to collect information from trap-based monitoring sensors. As such, this chapter primarily defines the cyberspace trap-based monitoring systems and their taxonomies. Moreover, it presents the state-of-the-art in terms of research contributions and techniques, tools and technologies. Furthermore, it identifies gaps in terms of science and technology. Additionally, it presents some case studies and practical approaches corresponding to large-scale cyber monitoring systems such as Nicter. We further present some related security policies and legal issues for network monitoring. This chapter provides an overview on Internet monitoring and offers a guideline for readers to help them understand the concepts of observing, detecting and analyzing cyber attacks through computer network traps

show abstract

Fingerprinting Internet DNS Amplification DDoS Activities

Cited by 39 publications

References 16 publications

PrECast: An Efficient Crypto-Free Solution for Broadcast-Based Attacks in IPv4 Networks

PrECast: An Efficient Crypto-Free Solution for Broadcast-Based Attacks in IPv4 Networks

Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Security Monitoring of the Cyber Space

Contact Info

Product

Resources

About