1000 days of UDP amplification DDoS attacks

Daniel R. Thomas, Richard Clayton, Alastair R. Beresford

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution book

10 Citations (Scopus)

Abstract

Distributed Denial of Service (DDoS) attacks employing reflected UDP amplification are regularly used to disrupt networks and systems. The amplification allows one rented server to generate significant volumes of data, while the reflection hides the identity of the attacker. Consequently, this is an attractive, low-risk strategy for criminals bent on vandalism and extortion. To measure the uptake of this strategy we analyse the results of running a network of honeypot UDP reflectors (median size 64 nodes) from July 2014 onwards. We explore the life cycle of attacks that use our reflectors, from the scanning phase used to detect our honeypot machines, through to their use in attacks. We see a median of 1380 malicious scanners per day across all UDP protocols, and have recorded details of 4.7 million subsequent attacks involving in excess of 2.9 trillion packets. Using a capture-recapture statistical technique, we estimate that our reflectors can see between 83.0% and 96.4% of UDP reflection attacks over our measurement period.
Original language: English
Title of host publication: APWG Symposium on Electronic Crime Research (eCrime)
Place of Publication: Piscataway, NJ
Publisher: IEEE
Number of pages: 16
ISBN (Electronic): 9781538627013
Publication status: Published - 12 Jun 2017

Keywords

  • computer crime
  • sensors
  • servers
  • protocols
  • IP networks
  • data collection
  • internet


  • Cite this

    Thomas, D. R., Clayton, R., & Beresford, A. R. (2017). 1000 days of UDP amplification DDoS attacks. In APWG Symposium on Electronic Crime Research (eCrime). Piscataway, NJ: IEEE. https://doi.org/10.1109/ECRIME.2017.7945057