Visible to the public Fingerprinting Internet DNS Amplification DDoS Activities

TitleFingerprinting Internet DNS Amplification DDoS Activities
Publication TypeConference Paper
Year of Publication2014
AuthorsFachkha, C., Bou-Harb, E., Debbabi, M.
Conference NameNew Technologies, Mobility and Security (NTMS), 2014 6th International Conference on
Date PublishedMarch
Keywordsanti-spam organizations, attack duration, backscattered analysis, Computer crime, computer network security, cyber security intelligence, darknet space, detection period, distributed denial of service, fingerprinting Internet DNS amplification DDoS activities, geolocation, Grippers, Internet, Internet-scale DNS amplification DDoS attacks, IP networks, Monitoring, network-layer, packet size, Sensors, storage capacity 720 Gbit

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo- location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.

Citation Key6814019