Denial-of-Service (DoS) attacks continuously threaten the availability of online services, many of which belong to critical infrastructures or to the Internet's core. Novel adversarial techniques to amplify attacks have increased their sophistication, and the impact of attacks has rapidly grown to an unprecedented scale as the bandwidth available to adversaries has increased. This development calls for new ways to rigorously monitor attacks and for methods to trace them back to their origin.
To this end, we develop methodologies to understand the global scale of so-called amplification attacks, in which adversaries combine IP address spoofing with reflection: they send small requests to publicly reachable servers with the victim's address as the forged source, and the servers reply to the victim with responses that are many times larger. We revisited UDP-based network protocols from a security perspective and revealed that at least 14 popular protocols (such as DNS, NTP, or SSDP) can be abused as amplifiers to launch massive DoS attacks. Seeing the harm of these attacks, we designed a novel honeypot dubbed AmpPot that mimics vulnerable protocols, the first time the honeypot concept was used in the context of DoS. AmpPot attracts attackers, who then abuse the deployed honeypots as amplifiers, which in turn allows us to monitor attack techniques and targets.
To stop these attacks, we are furthermore interested in identifying the origin of DoS incidents. A fundamental challenge is that amplification DoS attacks are effectively anonymous: the victim only sees traffic from the reflectors, and the attacker hides the true source by spoofing IP addresses. We thus work on novel mechanisms to trace back the origin of amplification DoS attacks. We conceptually link the reconnaissance (i.e., scanning) and the attack phases by tracking which scan for amplifiers resulted in which attacks. Furthermore, we map attacks to the responsible booter services by observing and linking traffic patterns. These results are fed back to law enforcement agencies to help them identify the true drivers behind nefarious DoS attacks.