Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs

• Published in: Detection of Intrusions and Malware, and Vulnerability Assessment Vol. 12756; pp. 42 - 67
• Main Authors: Subramani, Karthika, Perdisci, Roberto, Konte, Maria
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2021; Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: DDoS attack; DRDoS attack; IXP; Traffic analysis
• ISBN: 3030808246; 9783030808242
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-030-80825-9_3

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3 Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3 Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated. In this paper, we measure in-the-wild DRDoS attacks as observed from a large Internet exchange point (IXP) and provide a number of security-relevant insights. To enable our measurements, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim’s network bandwidth.