Scan, Test, Execute

Title

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

 Author

Griffioen, H.J. (Hasso Plattner Institute)
Oosthoek, K. (TU Delft Cyber Security)
van der Knaap, Paul (Student TU Delft)
Dörr, C. (Hasso Plattner Institute)

Date

2021

 Abstract

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.


 Subject

cyber threat intelligence
DDoS
internet measurements

 To reference this document use:

http://resolver.tudelft.nl/uuid:b9bf8076-85f4-4011-a731-f4aba18a80a0

 DOI

https://doi.org/10.1145/3460120.3484747

 Publisher

Association for Computing Machinery (ACM), New York

 ISBN

978-1-4503-8454-4

 Source

CCS 2021: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

 Event

27th ACM Annual Conference on Computer and Communication Security, CCS 2021, 2021-11-15 → 2021-11-19, Virtual, Online, Korea, Republic of

 Part of collection

Institutional Repository

 Document type

conference paper

 Rights

© 2021 H.J. Griffioen, K. Oosthoek, Paul van der Knaap, C. Dörr
Files
PDF 3460120.3484747.pdf 2.37 MB
Close viewer