Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Harm Griffioen; Kris Oosthoek; Paul  van der Knaap; Christian Doerr

doi:10.1145/3460120.3484747

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Harm Griffioen, Kris Oosthoek, Paul van der Knaap, Christian Doerr

Cyber Security

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

10 Citations (Scopus)

112 Downloads (Pure)

Abstract

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.

Original language	English
Title of host publication	CCS 2021
Subtitle of host publication	Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	940-954
Number of pages	15
ISBN (Print)	978-1-4503-8454-4
DOIs	https://doi.org/10.1145/3460120.3484747
Publication status	Published - 2021
Event	27th ACM Annual Conference on Computer and Communication Security, CCS 2021 - Virtual, Online, Korea, Republic of Duration: 15 Nov 2021 → 19 Nov 2021

Conference

Conference	27th ACM Annual Conference on Computer and Communication Security, CCS 2021
Country/Territory	Korea, Republic of
City	Virtual, Online
Period	15/11/21 → 19/11/21

Keywords

cyber threat intelligence
DDoS
internet measurements

Access to Document

10.1145/3460120.3484747

3460120.3484747Final published version, 2.95 MBLicence: CC BY

Cite this

@inproceedings{b9bf807685f44011a731f4aba18a80a0,

title = "Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks",

abstract = "Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.",

keywords = "cyber threat intelligence, DDoS, internet measurements",

author = "Harm Griffioen and Kris Oosthoek and {van der Knaap}, Paul and Christian Doerr",

year = "2021",

doi = "10.1145/3460120.3484747",

language = "English",

isbn = "978-1-4503-8454-4",

pages = "940--954",

booktitle = "CCS 2021",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

note = "27th ACM Annual Conference on Computer and Communication Security, CCS 2021 ; Conference date: 15-11-2021 Through 19-11-2021",

}

Griffioen, H , Oosthoek, K, van der Knaap, P & Doerr, C 2021, Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks. in CCS 2021 : Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. Association for Computing Machinery (ACM), New York, pp. 940-954, 27th ACM Annual Conference on Computer and Communication Security, CCS 2021, Virtual, Online, Korea, Republic of, 15/11/21. https://doi.org/10.1145/3460120.3484747

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks. / Griffioen, Harm ; Oosthoek, Kris; van der Knaap, Paul et al.
CCS 2021 : Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: Association for Computing Machinery (ACM), 2021. p. 940-954.

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Scan, Test, Execute

T2 - 27th ACM Annual Conference on Computer and Communication Security, CCS 2021

AU - Griffioen, Harm

AU - Oosthoek, Kris

AU - van der Knaap, Paul

AU - Doerr, Christian

PY - 2021

Y1 - 2021

N2 - Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.

AB - Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities. This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a 'memory' of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work.

KW - cyber threat intelligence

KW - DDoS

KW - internet measurements

UR - http://www.scopus.com/inward/record.url?scp=85119368376&partnerID=8YFLogxK

U2 - 10.1145/3460120.3484747

DO - 10.1145/3460120.3484747

M3 - Conference contribution

AN - SCOPUS:85119368376

SN - 978-1-4503-8454-4

SP - 940

EP - 954

BT - CCS 2021

PB - Association for Computing Machinery (ACM)

CY - New York

Y2 - 15 November 2021 through 19 November 2021

ER -

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this