Send email Copy Email Address
Annabelle Theobald

Lured into the trap via a detour

CISPA researcher Johannes Krupp is awarded a Distinguished Paper Award for his new approach to tracking specific DDoS attacks.

Error messages popped up on the computers of U.S. users for more than two hours as they tried to access online services such as Twitter, Spotify, eBay, and Netflix on a day in October 2016. A massive distributed denial of service (DDoS) attack on a service provider used by the companies had temporarily paralyzed the services entirely in the United States. Such attacks, in which networks are deliberately overloaded with unnecessary data, occur regularly. However, they usually affect smaller online stores or gamers and therefore do not make such big news. Experienced attackers can mask the source of the attack and thus remain undetected in many cases. Johannes Krupp, a researcher in the group of CISPA faculty Prof. Dr. Christian Rossow, has presented BGPeek-a-Boo, a new approach for tracking DDoS attacks. He received a Distinguished Paper Award for his work at the 6th IEEE European Symposium on Security and Privacy.

Denial-of-service attacks have been a concern for IT security researchers for more than 20 years. In essence, such attacks involve flooding a network with so much data that it is ultimately forced to shut down completely due to overload. In DDoS attacks, the additional "D" stands for distributed; several different systems are used in a coordinated attack instead of individual ones. In one variant of the attack, attackers send masses of requests to Internet services to produce the required flood of data, and they specify the victim's IP address as the sender. As soon as responses come back, the victim's network is overloaded and collapses within a very short time. In this way, online stores and websites can be put out of action for a certain period of time, and thus, for example, competitors or opponents can be damaged.  However, such attacks can ultimately affect every Internet user because the collateral damage is extensive, as Johannes Krupp explains. "In most cases, all neighboring users and people in the wider vicinity who are connected to the same Internet line are also affected."

Actually, Internet services - before they respond - should check where the requests are originating. In the attacks described above, however, the attackers are taking advantage of the fact that there are still communication protocols that allow requests to be foisted on them unchecked, says Krupp. "Some of these are no longer relevant protocols from the stone age of the Internet. But unfortunately, they also include, for example, the important and much-used Domain Name Service protocol, which can't easily be shut down or replaced."

To prepare an attack, attackers must first find Internet services that respond to queries - without checking their origin - and are thus suitable as so-called reflectors for an attack. With so-called honeypots, which are simulated computer systems, IT security researchers pretend to be such a reflector and, instead of helping them, collect information about the attackers. "Using a honeypot, for example, we can find out who is being attacked, how long the attack lasts, and when it stops. We can often also tell whether two attacks are coming from the same attacker or two different attackers - but we still don't know anything about their identity," says Krupp.

So far - because his new approach, called BGPeek-a-Boo, could force the attackers out of hiding in the future. Krupp is using it to take advantage of how routing works on the Internet when searching for attackers. "The Internet is often referred to as a 'network of networks' because it contains around 70,000 so-called autonomous systems. These are networks under the control of a common administrator. These include, for example, Internet providers such as Telekom or Vodafone," explains the 29-year-old. If these autonomous systems want to send data packets to another network, they must know which route is possible and the fastest. "Neighboring networks can communicate with each other and exchange information about what the fastest route to the destination network is," says Krupp. They also have to inform each other if a network on the route is down. If that doesn't happen or doesn't happen fast enough, routing loops can occur in which the packet ultimately ends up back at its origin.

To prevent such loops, routers check before forwarding the data packets whether they themselves are on the alternate route. If this is the case, the route is discarded. This mechanism is called loop detection and is cleverly exploited by BGPeek-a-Boo. With the help of the honeypot, false route information is given out, and it is claimed that systems are on the route that, in fact, are not. This manipulation gradually cuts off all routes. When no more data packets arrive at the honeypot, it is possible to narrow down who is generating the false data traffic and which systems are forwarding it unchecked.

In simulations, this new approach was able to track down the attackers 60 percent of the time. "Before, the hit rate was 0," Krupp says. He is confident that DDoS attacks will continue to be an issue for years to come. "However, we hope to contribute with our research to attackers being prosecuted more in the future and are already in talks with some law enforcement agencies about this." The Trier native is pleased that his idea for BGPeek-a-Boo was also so well received by the expert jury of the IEEE European Symposium on Security and Privacy and was singled out for special mention among the research papers submitted. "A Distinguished Paper Award is something exceptional, after all."

translated by: Oliver Schedler