Characterization and analysis of NTP amplification based DDoS attacks

L. Rudman, B. Irwin
Published in: 2015 Information Security for South Africa (ISSA), 2015-11-23
DOI: 10.1109/ISSA.2015.7335069 (https://doi.org/10.1109/ISSA.2015.7335069)
Citations: 23

Abstract

Network Time Protocol (NTP) based DDoS attacks saw a lot of popularity throughout 2014. This paper presents the characterization and analysis of two large datasets containing packets from NTP-based DDoS attacks captured in South Africa. Using a series of Python-based tools, the dataset is analysed according to specific parts of the packet headers. These include the source IP address and Time-to-Live (TTL) values. The analysis found the top source addresses and looked at the TTL values observed for each address. These TTL values can be used to calculate the probable operating system or DDoS attack tool used by an attacker. We found that each TTL value seen for an address can indicate the number of hosts attacking the address or indicate minor routing changes. The TTL values, as a whole, are then analysed to find the total number used throughout each attack. The most frequent TTL values are then found and show that the majority of them indicate the attackers are using an initial TTL of 255. This value can indicate the use of a certain DDoS tool that creates packets with that exact initial TTL. The TTL values are then put into groups that can show the number of IP addresses a group of hosts are targeting.
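The per-address TTL analysis summarised in the abstract can be sketched as follows. This is an added example, not the authors' tooling: the list of common initial TTL defaults, the function names and the sample records are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Common initial TTL defaults (assumption; the paper's own list is not on this page).
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample records: (source address, observed TTL).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE = [
    ("192.0.2.10", 243), ("192.0.2.10", 243), ("192.0.2.10", 241),
    ("192.0.2.10", 243), ("198.51.100.7", 243), ("198.51.100.7", 241),
    ("203.0.113.5", 54), ("203.0.113.5", 54), ("203.0.113.5", 243),
]


def initial_ttl(observed):
    """Probable initial TTL: the smallest common default >= the observed value."""
    for default in INITIAL_TTLS:
        if observed <= default:
            return default
    raise ValueError(f"TTL out of range: {observed}")


def hop_estimate(observed):
    """Estimated hops between sender and capture point."""
    return initial_ttl(observed) - observed


def ttls_per_source(records):
    """Map each source address to a Counter of the TTL values seen for it."""
    per_src = defaultdict(Counter)
    for src, ttl in records:
        per_src[src][ttl] += 1
    return per_src


def initial_ttl_histogram(records):
    """Packet count per inferred initial TTL across the whole capture."""
    return Counter(initial_ttl(ttl) for _, ttl in records)


def group_by_ttl_set(records):
    """Group addresses that share the same set of observed TTL values."""
    groups = defaultdict(list)
    for src, counts in ttls_per_source(records).items():
        groups[frozenset(counts)].append(src)
    return {ttls: sorted(addrs) for ttls, addrs in groups.items()}


if __name__ == "__main__":
    for src, counts in sorted(ttls_per_source(SAMPLE).items()):
        print(src, {t: (n, initial_ttl(t), hop_estimate(t)) for t, n in counts.items()})
    print(initial_ttl_histogram(SAMPLE).most_common())
    print(group_by_ttl_set(SAMPLE))
```

Several distinct TTLs for one address are consistent with either several sending hosts or small routing changes, so the grouping is a starting point for investigation rather than a host count.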