On the Feasibility of TTL-Based Filtering for DRDoS Mitigation

Backes, Michael; Holz, Thorsten; Rossow, Christian; Rytilahti, Teemu; Simeonovski, Milivoj; Stock, Ben

doi:10.1007/978-3-319-45719-2_14

Cited by 12 publications

(7 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, clustering methods such as KNN allowed researchers to fingerprint a few major attacking entities and attribute attacks to them [21,28]. Another commonly used feature is the IP Time-To-Live (TTL) field, which was used to narrow down attack origins [7,27].…”

Section: Background and Related Workmentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

View full text Add to dashboard Cite

In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making. CCS CONCEPTS• Security and privacy → Denial-of-service attacks; • Networks → Naming and addressing; Public Internet.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…iTTL: Rounding the TTL value up to the next power of 2 results in the iTTL value [13,46,55]. Using iTTL, we find only 6 prefixes with inconsistent behavior, all caused by 22 IP addresses responding with differing iTTL values to our 2 consecutive probes.…”

Section: Fingerprinting Aliased Prefixesmentioning

confidence: 89%

“…Below, we investigate replies from 20,692 /64 prefixes classified as aliased, for which all of our 16 APD probes to TCP/80 succeeded on May 11, 2018. We first analyze TTL values of response packets. Previous work found that TTL values cannot be expected to be constant per prefix or even IP address [13,67]. TTL inconsistencies can stem from routing changes, TTL-manipulating middleboxes, or other on-path effects.…”

Section: Fingerprinting Aliased Prefixesmentioning

confidence: 99%

Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists

Gasser¹,

Scheitle²,

Foremski³

et al. 2018

Preprint

View full text Add to dashboard Cite

Network measurements are an important tool in understanding the Internet. Due to the expanse of the IPv6 address space, exhaustive scans as in IPv4 are not possible for IPv6. In recent years, several studies have proposed the use of target lists of IPv6 addresses, called IPv6 hitlists.In this paper, we show that addresses in IPv6 hitlists are heavily clustered. We present novel techniques that allow IPv6 hitlists to be pushed from quantity to quality. We perform a longitudinal active measurement study over 6 months, targeting more than 50 M addresses. We develop a rigorous method to detect aliased prefixes, which identifies 1.5 % of our prefixes as aliased, pertaining to about half of our target addresses. Using entropy clustering, we group the entire hitlist into just 6 distinct addressing schemes. Furthermore, we perform client measurements by leveraging crowdsourcing.To encourage reproducibility in network measurement research and to serve as a starting point for future IPv6 studies, we publish source code, analysis tools, and data.

show abstract

“…The ASes can declare illegal paths for pseudo they do not have, pull part of the traffic to these prefixes or all. Backes et al [37] proposed a solution based on the idea that the assailant cannot guess or juggle the number of leaps between the amplifier and victim. Hop-count filtering (HCF) technique is used to analyze the time-to-live (TTL) of entering packets.…”

Section: Drdos Attacks Based On Tcp Protocolmentioning

confidence: 99%

Distributed reflection denial of service attack: A critical review

Nuiaa

Manickam

Alsaeedi

2021

IJECE

View full text Add to dashboard Cite

As the world becomes increasingly connected and the number of users grows exponentially and “things” go online, the prospect of cyberspace becoming a significant target for cybercriminals is a reality. Any host or device that is exposed on the internet is a prime target for cyberattacks. A denial-of-service (DoS) attack is accountable for the majority of these cyberattacks. Although various solutions have been proposed by researchers to mitigate this issue, cybercriminals always adapt their attack approach to circumvent countermeasures. One of the modified DoS attacks is known as distributed reflection denial-of-service attack (DRDoS). This type of attack is considered to be a more severe variant of the DoS attack and can be conducted in transmission control protocol (TCP) and user datagram protocol (UDP). However, this attack is not effective in the TCP protocol due to the three-way handshake approach that prevents this type of attack from passing through the network layer to the upper layers in the network stack. On the other hand, UDP is a connectionless protocol, so most of these DRDoS attacks pass through UDP. This study aims to examine and identify the differences between TCP-based and UDP-based DRDoS attacks.

show abstract

On the Feasibility of TTL-Based Filtering for DRDoS Mitigation

Cited by 12 publications

References 11 publications

The far side of DNS amplification

The far side of DNS amplification

Clusters in the Expanse: Understanding and Unbiasing IPv6 Hitlists

Distributed reflection denial of service attack: A critical review

Contact Info

Product

Resources

About