Inferring distributed reflection denial of service attacks from darknet

Fachkha, Claude; Bou‐Harb, Elias; Debbabi, Mourad

doi:10.1016/j.comcom.2015.01.016

Cited by 44 publications

(26 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The software and network entry points are hard to enumerate and are subject to change. Entry points for hardware attacks are fewer and moderately well determined but attack targets can be diverse, targeting for example, information leakage [71], tampering [72], denial of service (DoS) [73], or cloning [59]. For each threat type, threat analysis needs to identify and describe activities which may allow the relevant vulnerability to be exploited (Table 1).…”

Section: Monitoring Systems Security In Industrial Environmentsmentioning

confidence: 99%

“…All communications apply AES 256 encryption. The test aimed to simulate a denial of service (DoS) [73] via the network. The attacker gained network access through any of the earlier mentioned methods and is ready to generate connection requests to the communication module using its source address rather than the attack target.…”

Section: Pilot Implementation and Testingmentioning

confidence: 99%

See 1 more Smart Citation

A Design Approach to IoT Endpoint Security for Production Machinery Monitoring

Tedeschi

Emmanouilidis

Mehnen

et al. 2019

Sensors

View full text Add to dashboard Cite

The Internet of Things (IoT) has significant potential in upgrading legacy production machinery with monitoring capabilities to unlock new capabilities and bring economic benefits. However, the introduction of IoT at the shop floor layer exposes it to additional security risks with potentially significant adverse operational impact. This article addresses such fundamental new risks at their root by introducing a novel endpoint security-by-design approach. The approach is implemented on a widely applicable production-machinery-monitoring application by introducing real-time adaptation features for IoT device security through subsystem isolation and a dedicated lightweight authentication protocol. This paper establishes a novel viewpoint for the understanding of IoT endpoint security risks and relevant mitigation strategies and opens a new space of risk-averse designs that enable IoT benefits, while shielding operational integrity in industrial environments.

show abstract

Section: Monitoring Systems Security In Industrial Environmentsmentioning

confidence: 99%

Section: Pilot Implementation and Testingmentioning

confidence: 99%

A Design Approach to IoT Endpoint Security for Production Machinery Monitoring

Tedeschi

Emmanouilidis

Mehnen

et al. 2019

Sensors

View full text Add to dashboard Cite

show abstract

“…There have been several papers focusing on the characterisation of darknet data [4], [10]. Rather than analyzing full darknet data, examining selected traffic is helpful to address a particular threat, as for example DNS queries to identify Dr-DOS (Distributed Reflection Denial of Service) [11]. Fachkha et al [4], have provided a study of darknet data and the attack activities that could be investigated throughout its data.…”

Section: Background and Related Workmentioning

confidence: 99%

Topological analysis and visualisation of network monitoring data: Darknet case study

Marc

Lahmadi

Jérôme

2016

2016 IEEE International Workshop on Information Forensics and Security (WIFS)

View full text Add to dashboard Cite

Network monitoring is a primordial source of data in cyber-security since it may reveal abnormal behaviors of users or applications. Indeed, security analysts and tools like IDS (Intrusion Detection system) or SIEM (security information and event management) rely on them as a single source of information or combined with others. In this paper, we propose a visualisation method derived from the Mapper algorithm that has been developed in the field of Topological Data Analysis (TDA). The developed method and its associated tool are able to analyze a large number of IP packets in order to make malicious activities patterns easily observable by security analysts. We applied our method to darknet data, i.e. from an entire and supposed not used subnetwork in Internet and we have found that those observable patterns have been missed by Suricata, a widely used State-ofthe-Art IDS.

show abstract

“…However, there is a lack of research on multiprotocol DRDoS attacks, where a victim is attacked using multiple amplification protocols simultaneously, which is an emerging trend in the DDoS scene [21]. Most existing research considers either individual protocols [1,5,7,25,27], or multiple protocols in isolation from each other [9,10,22,26,29]. Another trend in DRDoS are carpet bombing attacks, which target multiple IP addresses in the same subnet (instead of a single IP address) in order to evade detection while still being able to cause disruption by flooding access links.…”

Section: Introductionmentioning

confidence: 99%

New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks

Heinrich

Obelheiro

Maziero

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Distributed reflection denial of service (DRDoS) attacks are widespread on the Internet. DRDoS attacks exploit mostly UDP-based protocols to achieve traffic amplification and provide an extra layer of indirection between attackers and their victims, and a single attack can reach hundreds of Gbps. Recent trends in DRDoS include multiprotocol amplification attacks, which exploit several protocols at the same time, and carpet bombing attacks, which target multiple IP addresses in the same subnet instead of a single address, in order to evade detection. Such attacks have been reported in the wild, but have not been discussed in the scientific literature so far. This paper describes the first research on the characterization of both multiprotocol and carpet bombing DRDoS attacks. We developed MP-H, a honeypot that implements nine different protocols commonly used in DRDoS attacks, and used it for data collection. Over a period of 731 days, our honeypot received 1.8 TB of traffic, containing nearly 20.7 billion requests, and was involved in more than 1.4 million DRDoS attacks, including over 13.7 thousand multiprotocol attacks. We describe several features of multiprotocol attacks and compare them to monoprotocol attacks that occurred in the same period, and characterize the carpet bombing attacks seen by our honeypot.

show abstract

Inferring distributed reflection denial of service attacks from darknet

Cited by 44 publications

References 18 publications

A Design Approach to IoT Endpoint Security for Production Machinery Monitoring

A Design Approach to IoT Endpoint Security for Production Machinery Monitoring

Topological analysis and visualisation of network monitoring data: Darknet case study

New Kids on the DRDoS Block: Characterizing Multiprotocol and Carpet Bombing Attacks

Contact Info

Product

Resources

About