TY - GEN
T1 - Taming the 800 pound gorilla
T2 - 2014 ACM Internet Measurement Conference, IMC 2014
AU - Czyz, Jakub
AU - Kallitsis, Michael
AU - Gharaibeh, Manaf
AU - Papadopoulos, Christos
AU - Bailey, Michael
AU - Karir, Manish
N1 - Publisher Copyright:
Copyright © 2014 by the Association for Computing Machinery, Inc. (ACM).
PY - 2014/11/5
Y1 - 2014/11/5
N2 - Distributed Denial of Service (DDoS) attacks based on Network Time Protocol (NTP) amplification, which became prominent in December 2013, have received significant global attention. We chronicle how this attack rapidly rose from obscurity to become the dominant large DDoS vector. Via the lens of five distinct datasets, we characterize the advent and evolution of these attacks. Through a dataset that measures a large fraction of global Internet traffic, we show a three order of magnitude rise in NTP. Using a large darknet, we observe a similar rise in global scanning activity, both malicious and research. We then dissect an active probing dataset, which reveals that the pool of amplifiers totaled 2.2M unique IPs and includes a small number of "mega amplifiers," servers that replied to a single tiny probe packet with gigabytes of data. This dataset also allows us, for the first time, to analyze global DDoS attack victims (including ports attacked) and incidents, where we show 437K unique IPs targeted with at least 3 trillion packets, totaling more than a petabyte. Finally, ISP datasets shed light on the local impact of these attacks. In aggregate, we show the magnitude of this major Internet threat, the community's response, and the effect of that response.
AB - Distributed Denial of Service (DDoS) attacks based on Network Time Protocol (NTP) amplification, which became prominent in December 2013, have received significant global attention. We chronicle how this attack rapidly rose from obscurity to become the dominant large DDoS vector. Via the lens of five distinct datasets, we characterize the advent and evolution of these attacks. Through a dataset that measures a large fraction of global Internet traffic, we show a three order of magnitude rise in NTP. Using a large darknet, we observe a similar rise in global scanning activity, both malicious and research. We then dissect an active probing dataset, which reveals that the pool of amplifiers totaled 2.2M unique IPs and includes a small number of "mega amplifiers," servers that replied to a single tiny probe packet with gigabytes of data. This dataset also allows us, for the first time, to analyze global DDoS attack victims (including ports attacked) and incidents, where we show 437K unique IPs targeted with at least 3 trillion packets, totaling more than a petabyte. Finally, ISP datasets shed light on the local impact of these attacks. In aggregate, we show the magnitude of this major Internet threat, the community's response, and the effect of that response.
KW - DDoS
KW - Darknet
KW - NTP
UR - http://www.scopus.com/inward/record.url?scp=84910131344&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84910131344&partnerID=8YFLogxK
U2 - 10.1145/2663716.2663717
DO - 10.1145/2663716.2663717
M3 - Conference contribution
AN - SCOPUS:84910131344
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 435
EP - 448
BT - IMC 2014 - Proceedings of the 2014 ACM
PB - Association for Computing Machinery
Y2 - 5 November 2014 through 7 November 2014
ER -