Taming the 800 pound gorilla: The rise and decline of NTP DDoS attacks

Jakub Czyz, Michael Kallitsis, Manaf Gharaibeh, Christos Papadopoulos, Michael Bailey, Manish Karir

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Distributed Denial of Service (DDoS) attacks based on Network Time Protocol (NTP) amplification, which became prominent in December 2013, have received significant global attention. We chronicle how this attack rapidly rose from obscurity to become the dominant large DDoS vector. Via the lens of five distinct datasets, we characterize the advent and evolution of these attacks. Through a dataset that measures a large fraction of global Internet traffic, we show a three order of magnitude rise in NTP. Using a large darknet, we observe a similar rise in global scanning activity, both malicious and research. We then dissect an active probing dataset, which reveals that the pool of amplifiers totaled 2.2M unique IPs and includes a small number of "mega amplifiers," servers that replied to a single tiny probe packet with gigabytes of data. This dataset also allows us, for the first time, to analyze global DDoS attack victims (including ports attacked) and incidents, where we show 437K unique IPs targeted with at least 3 trillion packets, totaling more than a petabyte. Finally, ISP datasets shed light on the local impact of these attacks. In aggregate, we show the magnitude of this major Internet threat, the community's response, and the effect of that response.

Original language: English (US)
Title of host publication: IMC 2014 - Proceedings of the 2014 ACM
Publisher: Association for Computing Machinery
Pages: 435-448
Number of pages: 14
ISBN (Electronic): 9781450332132
State: Published - Nov 5 2014
Event: 2014 ACM Internet Measurement Conference, IMC 2014 - Vancouver, Canada
Duration: Nov 5 2014 to Nov 7 2014

Publication series

Name: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Other

Other: 2014 ACM Internet Measurement Conference, IMC 2014
Country/Territory: Canada
City: Vancouver
Period: 11/5/14 to 11/7/14

Keywords

  • DDoS
  • Darknet
  • NTP

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
