United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale

Daniel Wagner, Daniel Kopp, M. Wichtlhuber, C. Dietzel, O. Hohlfeld, Georgios Smaragdakis, A. Feldmann
Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS '21). Published 2021-11-12. DOI: 10.1145/3460120.3485385 (https://doi.org/10.1145/3460120.3485385). Citations: 10.

Abstract

Amplification Distributed Denial of Service (DDoS) attacks' traffic and harm are at an all-time high. To defend against such attacks, distributed attack mitigation platforms, such as traffic scrubbing centers that operate in peering locations, e.g., Internet Exchange Points (IXPs), have been deployed in the Internet over the years. These attack mitigation platforms apply sophisticated techniques to detect attacks and drop attack traffic locally, and thus act as attack sensors. However, it has not yet been systematically evaluated and reported to what extent coordinating the views of these different platforms can lead to more effective mitigation of amplification DDoS attacks. In this paper, we ask the question: "Is it possible to mitigate more amplification attacks and drop more attack traffic when distributed attack mitigation platforms collaborate?" To answer this question, we collaborate with eleven IXPs that operate in three different regions. These IXPs have more than 2,120 network members that exchange traffic at a rate of more than 11 Terabits per second. We collect network data over six months and analyze more than 120k amplification DDoS attacks. To our surprise, more than 80% of the amplification DDoS attacks are not detected locally, although the majority of the attacks are visible to at least three IXPs. A closer investigation points to the shortcomings, such as the multi-protocol profile of modern amplification attacks, the duration of the attacks, and the difficulty of setting appropriate local attack traffic thresholds that will trigger mitigation. To overcome these limitations, we design and evaluate a collaborative architecture that allows participating mitigation platforms to exchange information about ongoing amplification attacks. Our evaluation shows that it is possible to collaboratively detect and mitigate the majority of attacks with a limited exchange of information and to drop as much as 90% more attack traffic locally.