MD-Honeypot: On Adversarial Choices in DRDoS attacks
Abstract
The Internet has grown from a few interconnections between trusted parties into a very large network serving many different use cases. As the Internet grew, threats emerged as well. Among the many threats on the Internet, Distributed Denial of Service (DDoS) attacks are one that keeps rising in the threat landscape. The asymmetry between adversaries and defenders is enormous: whereas a DDoS attack can be started for less than $5, DDoS prevention takes up the majority of operational cost in data centers, and damages run into the billions. It is therefore of vital importance that more effective methods of DDoS prevention are found and implemented, both to improve defensive effectiveness and to reduce costs. DDoS attacks come in various types, but the largest share are of the subtype Distributed Reflected Denial of Service (DRDoS) attacks. Adversaries that execute DRDoS attacks abuse vulnerable servers to generate very large attacks while remaining anonymous. Previous work by Rossow showed which vulnerable services are typically used for these DRDoS attacks, and how exploitable each of these vulnerable services is for such attacks. However, we do not know why an adversary uses one vulnerable service but not another. This work fills that research gap by studying, in a large-scale experiment, how adversaries react to differently configured vulnerable services. It shows that the amplification factor of a honeypot is a primary factor in determining whether an adversary will use a vulnerable server in an attack. It also shows that attackers do not distinguish between regular vulnerable servers and their obvious honeypot counterparts. Furthermore, the response time of a system has no influence, and some honeypots with packet loss attract fewer adversaries. Additionally, different attacks can be observed when honeypots are deployed with different service providers and in different geographical locations.
Finally, the MD-honeypot framework that was developed for this research may be further developed into fully-fledged DRDoS mitigation software.