Demystifying DDoS as a Service

Ali Zand, Gaspar Modelo-Howard, Alok Tongaonkar, Sung-Ju Lee, Christopher Kruegel, and Giovanni Vigna

Traffic Measurements for Cyber Security

Ali Zand, Christopher Kruegel, and Giovanni Vigna are with the University of California, Santa Barbara; Gaspar Modelo-Howard is with Symantec; Alok Tongaonkar is with RedLock; Sung-Ju Lee is with KAIST.

Digital Object Identifier: 10.1109/MCOM.2017.1600980

Abstract

In recent years, we have observed a resurgence of DDoS attacks. These attacks often exploit vulnerable servers (e.g., DNS and NTP) to produce large amounts of traffic with little effort. However, we have also observed the appearance of application-level DDoS attacks, which leverage corner cases in the logic of an application in order to severely reduce the availability of the provided service. In both cases, these attacks are used to extort a ransom, to hurt a target organization, or to gain some tactical advantage. As it has happened for many of the components in the underground economy, DDoS has been commoditized, and DDoS as a service (DaaS) providers allow paying customers to buy and direct attacks against specific targets. In this article, we present a measurement study of 17 different DaaS providers, in which we analyzed the different techniques used to launch DDoS attacks, as well as the infrastructure leveraged in order to carry out the attacks. Results show a growing market of short-lived providers, where DDoS attacks are available at low cost (tens of dollars) and capable of easily disrupting connections of over 1.4 Gb/s. In our study, particular attention was given to characterize application-level (HTTP) DDoS attacks, which are more difficult to study given the low volume of traffic they generate and the need to study the logic of the application providing the target service.

Introduction

Distributed denial of service (DDoS) attacks have been a problem on the Internet for more than 15 years. However, the recent increase in the number of DDoS attacks and in the amount of traffic that they generate has attracted the attention of the media, the industry, and the research community alike. This new wave of attacks exploits asymmetries in vulnerable services to generate large amounts of traffic or use large amounts of resources with relatively little effort from the attacker. For example, misconfigured Network Time Protocol (NTP) services can be leveraged to generate gigabytes of data with a simple spoofed request. This generated traffic exhausts the bandwidth available at the target. We call this type of (more traditional) attack an extensive DDoS.

However, there is another type of DDoS attack in which the lack of availability of a resource is due to the fact that a single interaction with the target requires an unusually high amount of resources in order to be processed. For example, on a web site, there might be a search form that, when provided with certain values, might require an extremely large database query that slows the whole web site to a crawl. We call this kind of attack an asymmetric application-level or intensive DDoS.

While extensive DDoS attacks have been studied for quite a while [1] and some remediation has been provided (e.g., coordinated filtering managed by blacklists, rate limiting, patching of vulnerable services), intensive DDoS attacks have not received the same level of attention. The latter are more difficult to characterize because they often depend on the logic of the application providing the target service. In addition, these attacks do not rely on large volumes of data and therefore can go undetected by volumetric detection mechanisms. Finally, since the attacker communicates with the service following the service protocol, the attacker's requests are similar to a legitimate request and hence more difficult to filter out.

As both extensive and intensive DDoS attacks become an integral part of the efforts of cyber-criminals to obtain financial gains (e.g., by blackmailing organizations under attack or by obtaining a tactical advantage in time-sensitive settings), the provision of DDoS service has become commoditized. We now see the rise of DDoS as a service (DaaS) offerings, in which DDoS providers attack a target in exchange for money.

Background

In this section we introduce the different types of DDoS attacks available, as well as the basic infrastructure of the DaaS providers, which are the subject of our study.

Types of DDoS Attacks

A DDoS attack can be extensive or intensive. An extensive attack relies on high volumes of traffic that by itself is harmless. A malicious actor needs a considerable amount of resources to successfully execute an extensive attack, as it is costly to generate enough traffic volume to impact a large target. Examples of these attacks include SYN flood, UDP flood, reflected Domain Name Service (DNS), and reflected NTP. In most extensive attacks, miscreants may use a technique called amplification. Leveraging amplification, the attacker continuously abuses a set of hosts that responds to a request with a considerably larger response that is delivered to the destination of the attacker's choosing. Previous studies have shown that this amplification factor differs according to the used protocol and can be as high as 4670. These types of attacks have achieved throughputs as high as 500 Gb/s and affected enterprises with large infrastructures such as Sony PlayStation Network, Cloudflare, and several U.S. banks.

Intensive attacks, on the other hand, target specific weaknesses in a target application. Any request (or request access pattern) that takes a considerably larger amount of resources on the server than the client can be leveraged to perform this attack. These vulnerabilities can be due to problems like memory leaks and long running processes that never free their resources. Most cases of intensive attacks target HTTP servers, given their popularity on the Internet. Examples include submitting data to web forms found on the victim server, at very slow rates (one byte at a time), and opening multiple connections that are kept alive by sending partial packets. These examples have been implemented by the R-U-Dead-Yet (RUDY) and Slowloris tools [2], respectively. Also worth noting is that intensive attacks only send legit packets, not malformed ones, making the resulting traffic appear legitimate, complicating their detection by security systems.
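The slow-rate behaviour described above (partial request headers kept alive, form bodies trickled in a byte at a time) is exactly what a server-side detector has to recognize without relying on traffic volume. The following Python script is an added example, not code from the article or its authors: it parses the bytes received so far on each open connection, flags connections whose header never completes or whose declared body arrives below a minimum rate, and raises a per-source alert once one client holds many such connections. The thresholds, the constructed connection records and the client addresses (taken from the RFC 5737 documentation ranges) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for the example; tune them to the application.
HEADER_TIMEOUT = 20.0    # seconds a client may take to finish the request header
BODY_MIN_RATE = 50.0     # bytes/s; a declared body arriving slower than this is suspect
STALLED_PER_SOURCE = 10  # stalled connections from one address that trigger an alert


@dataclass
class Conn:
    src: str          # client address
    opened_at: float  # seconds (same clock as the `now` passed to classify)
    buf: bytes        # everything received from the client so far


def request_progress(buf):
    """Return (headers_done, declared_body_length, body_bytes_received).

    headers_done is true once the blank line that ends an HTTP/1.x header has
    arrived; the body length comes from Content-Length when present.
    """
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return False, 0, 0
    head = buf[:end].decode("latin-1", "replace")
    m = re.search(r"^content-length:[ \t]*(\d+)[ \t]*\r?$", head, re.I | re.M)
    length = int(m.group(1)) if m else 0
    return True, length, len(buf) - (end + 4)


def classify(conn, now):
    """'ok', 'stalled-header' (Slowloris-like) or 'stalled-body' (RUDY-like)."""
    age = now - conn.opened_at
    done, length, received = request_progress(conn.buf)
    if not done:
        # Header still open after the deadline: the connection is being held, not used.
        return "stalled-header" if age > HEADER_TIMEOUT else "ok"
    if length and received < length and age > HEADER_TIMEOUT:
        # Body declared but delivered far below the minimum rate.
        if received / age < BODY_MIN_RATE:
            return "stalled-body"
    return "ok"


def stalled_sources(conns, now):
    """Addresses holding at least STALLED_PER_SOURCE stalled connections."""
    counts = defaultdict(int)
    for c in conns:
        if classify(c, now) != "ok":
            counts[c.src] += 1
    return {src: n for src, n in counts.items() if n >= STALLED_PER_SOURCE}


# Constructed sample state of the server's open connections at time NOW.
NOW = 1000.0
NORMAL = Conn("198.51.100.20", NOW - 1.0,
              b"GET /index.php HTTP/1.1\r\nHost: wiki.example\r\n\r\n")
# Twelve connections from one address, each with a header that never ends.
SLOW_HEADERS = [Conn("198.51.100.7", NOW - 45.0,
                     b"GET / HTTP/1.1\r\nHost: wiki.example\r\nX-a: %d\r\n" % i)
                for i in range(12)]
# A form POST that declared 100000 body bytes and delivered 60 in two minutes.
SLOW_BODY = Conn("203.0.113.9", NOW - 120.0,
                 b"POST /index.php?title=Special:Search HTTP/1.1\r\n"
                 b"Host: wiki.example\r\nContent-Length: 100000\r\n\r\n"
                 b"search=" + b"a" * 53)
SAMPLE = [NORMAL, *SLOW_HEADERS, SLOW_BODY]

if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.src:15} {classify(c, NOW)}")
    print("alert on:", stalled_sources(SAMPLE, NOW))
```

In production the same policy is what Apache's mod_reqtimeout enforces through its RequestReadTimeout directive (a deadline and a minimum rate for header and body), so the script is best read as a model of the check rather than a replacement for it; its value is in exposing the two indicators (no header terminator, declared length never reached) as named verdicts that can be logged and counted per source.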
Basic Scenario for a DDoS as a Service Provider

The continued rise of DDoS attacks as a way to target the online presence of organizations can be attributed to several factors. One possibility is that these attacks are often conducted through botnets, which often encompass thousands of computers. Pools of vulnerable computers are always available, given the constant discovery of software bugs. Another possible factor for the rise of DDoS attacks is the commoditization phenomenon that these types of attacks have seen in the last few years.

A large number of DaaS providers are available on the Internet, providing cheap access to both extensive and intensive DDoS attacks. Using a subscription-based model, the providers' fees range between $2 and $15 for basic packages. They support different payment mechanisms, ranging from traditional online systems like PayPal to the Bitcoin electronic currency and anonymous payment systems like Paysafecard. The basic packages allow launching attacks for 60–90 s and currently produce attack volume peaking at more than 1.4 Gb/s. More expensive packages are also available, which provide longer attack periods and subscription terms. The same sets of extensive and intensive DDoS attacks are available for all subscription packages.

Figure 1 shows a diagram of the infrastructure used by DaaS providers to offer their pay, point, and click service. The diagram includes the payment platform used (phase 1, pay), as well as the components used by the providers to launch a DDoS attack (phase 2, point and click). As shown in the diagram, intensive attacks are launched using dedicated servers, since only a small set of hosts is required and software needs to be installed to interact with the logic of the web application under attack. Botnets and misconfigured hosts are commonly used when launching the volumetric, extensive attacks. A common trait found in DaaS providers is the usage of anti-DDoS service providers to protect their web platforms. As many of them claim to be only used to stress test the resources owned by a customer, the providers include DDoS protection mechanisms in their infrastructure.

Given the shady nature of the business, DaaS providers are not particularly dependable services. In our study, we found them to have a short lifespan (compared to legitimate online services), measured in weeks to months. Of the 17 providers identified and tested, only 7 were functional at the end of our three-month evaluation. Additionally, those providers that were functional delivered an average of only 44 percent of the offered services. We also found several systems provided intermittent service.
Figure 1. Infrastructure used by DaaS providers, including the payment platforms employed (phase 1) and the set of resources to launch the selected DDoS attack (phase 2). Intensive attacks predominantly utilize dedicated hosts with high bandwidth.

[Figure 1 components: DaaS client; payment platforms (phase 1); DaaS provider behind an anti-DDoS provider; dedicated servers, bots and misconfigured servers (phase 2); web form (victim).]

The DDoS as a Service Landscape

Methodology

We identified 28 different DaaS providers for our study, from visiting multiple hacking sources: forums, blogs, mailing lists, and news sites. A user account was then created on each of the 28 providers. After reviewing the corresponding web sites, 17 were determined to be operational. The other 11 failed to provide a working service interface. We later realized that this failure rate is the result of the common short and intermittent lifespan experienced by DaaS providers (usually weeks to months). For example, 12 out of the 17 providers were available since the start of our investigation, while the other 5 became active later in the process.

Using each of the 17 operational providers, we investigated the DaaS ecosystem from both sides of the attack.

As a DaaS Customer: After registering on the web site of each provider, their services were bought for a limited time, selecting the cheapest services available on each web site. The prices varied from $2 to $15. We studied the different functionalities provided on these web sites to help determine how their advertisement, payment systems, and business aspects work. Additionally, our analysis also included a look at their offered attack capabilities.

As a DDoS Victim: We set up a machine to serve as a target of DDoS attacks and ordered each provider to launch the strike against it. The victim machine was an Ubuntu Linux machine with 8 GB of RAM, 1 TB of SSD disk space, a dual-core Intel processor, an optical fiber network connection of 10 Gb/s to the Internet, running an Apache web server with MediaWiki software, and hosting a clone of a university's department web site. The machine was connected to the Internet through a dedicated link that allowed isolation of our tests from the rest of the university campus network and prevented it from being negatively affected. We captured all the traffic aimed at our victim machine, its responses, and its internal state during the attacks.

Each DaaS was tested four times over a period of three months, from May to July 2014. In each of the four runs, we tested all the attack types offered by each of the working DaaS and captured all the resulting traffic. At all times during the testing, we ran only one type of attack from a single DaaS. Also, to prevent late packets from one attack from being mixed with the next, we waited for 100 s between consecutive attacks.
Ethical Considerations

There are multiple risk factors associated with studying cyber-miscreants. To deal with these factors and to develop the ethical framework for our experiments, we followed the ethical guidelines for computer security research defined in the Menlo Report [3] and consulted previous work where researchers actively interacted with systems or networks used by cyber-miscreants [4, 5]. To reduce the risk of financing possible cyber-miscreants during our experiments, we purchased the cheapest services from the DaaS providers. This meant a single DaaS provider received no more than $45, as we repeated the experiments three times on the most expensive ($15) service used.

Another risk factor for studies such as ours is to unwittingly and negatively affect other victims. In this case, the victims can be compromised machines used by the providers to launch the DDoS attacks or other machines and networks on the path of the attack that are affected by the amount of generated traffic. To mitigate the potential risks, our experiments included conditions to restrict the duration and intensity of the attacks, limit the path of the attack traffic, and coordinate the experiments with the system administrators of our campus networks. As mentioned before, we ran each attack for only 60 s to limit the impact of each attack. In addition, the target machine used to receive the attacks was located on an isolated subnet of our campus network and connected to a dedicated 10 Gb/s link so that the traffic generated during the tests would not affect other subnets (and their hosts) on campus. We also ran all high traffic tests during weekend nights to further reduce impacting network bystanders.

We acquired the campus network administrators' permission to run our tests before proceeding, agreed on a schedule, and established a contingency plan in case an undesirable situation happened. We followed up with the network administrators after each round of experiments and confirmed with them that an experiment had not negatively affected other parts of the campus network before proceeding with the next round. Finally, it should be mentioned that our research was out of scope of the institutional review board (IRB) committee given that the experiments with DaaS providers did not include any type of direct or indirect experiments with human beings.

Table 1. Traffic generated by each DaaS (MB). A dash (—) marks a run in which the provider was not active. Where the extraction fused adjacent cells, the fused digits are shown in brackets with the number of cells they contain.

DaaS | Run 1  | Run 2  | Run 3  | Run 4
APO  | 2      | —      | [902289: two cells, fused]
BIG  | [9041561170: four cells, fused]
DAR  | 4256   | —      | —      | —
DES  | 38,194 | 11,889 | 20,922 | 10,727
DIV  | —      | 4      | 8      | —
GRI  | 20,752 | —      | —      | —
HAZ  | —      | 1      | 2      | 1
IDD  | —      | [4264: three cells, fused]
ION  | 5      | 4      | 4      | 14,118
IPS  | 2284   | —      | —      | —
NET  | [177618541556982: four cells, fused]
POW  | [275937273723: three cells, fused] | —
QUA  | 8132   | —      | —      | —
RAG  | 30,505 | [401843: three cells, fused]
RES  | 8499   | —      | —      | —
TIT  | 21,609 | [227435018238: three cells, fused]
WRA  | [7219689111,69995: four cells, fused]
Results for DaaS Providers

The four test runs generated around 255 GB of traffic and more than 94.1 million packets. The top four protocols (DNS, CHARGEN, Simple Network Management Protocol [SNMP], and NTP) produced 91.3 percent of the total traffic generated. DNS was the top traffic contributor with 71.07 GB, while NTP was the top packet generator with 34.9 million packets. Attacks using HTTP only produced 0.71 GB from 4.72 million packets. Table 1 shows the amount of traffic generated by each DaaS during a run. Those providers that were not active in a run are shown with a dash (—). Results showed that 10 to 14 DaaS were active in a single run and that traffic generated varied among the different providers. For example, the RAG¹ and DES DaaS generated 30.5 and 38.2 GB each in run 1, while APO and ION only produced 2 and 5 MB. Out of the 47 tests that produced traffic across the four different runs, 26 (55 percent) produced at least 1 GB.

The functionalities provided by different DaaS providers differ greatly in terms of their claimed and actual attack types provided. Table 2 shows the offered attack capabilities of each DaaS. In this table, each row is a type of attack, and each column represents a DaaS. A check mark (✓) indicates that the feature was offered and indeed worked during the experiments. A cross (✗) means the feature was offered but did not work for any test run. A blank space means that the feature was not offered. A total of 28 different attack methods were identified across the 17 DaaS providers under evaluation. Out of these attack methods, 17 were extensive DDoS attacks, 7 were intensive, and 4 never worked. Of these seven intensive attacks, we found that some of the tools used by the providers to launch these attacks targeted different web server implementations. For example, the Apache Remote Memory Exhaustion (ARME) tool is only effective against Apache servers, as the name implies, while the Slowloris tool targets Apache, HTTPd, and GoAhead web servers. As observed in our experiments, both tools send partial, legitimate packets to keep connections open and do not generate large volumes of traffic compared to extensive attacks. Table 3 presents the number of completed TCP connections to the victim, the number of unique non-spoofed IP addresses, and the maximum observed throughput for the DaaS producing the largest traffic.
DaaS Infrastructure for Intensive Attacks

To characterize the machines and networks used by the DaaS providers to launch their intensive attacks, we first determined the non-spoofed IP addresses that initiated the attacks. An address was labeled non-spoofed if at least one complete TCP connection was established with our victim server during the test, which provided a lower bound of the actual situation. Among all (intensive and extensive) attack traffic observed, only 0.71 percent was associated with non-spoofed addresses, an expected result given the usual incognito nature of extensive attacks and the considerably larger traffic they produce.

Using the technique described above, a total of 26,271 non-spoofed IP addresses were identified in all the attacks launched to our victim server and across the five providers that successfully produced the attacks. As shown in Table 4, the number of IP addresses used by a DaaS varied from 35 (TIT) to 21,809 (WRA). The low number of addresses for TIT was a sign of the DaaS soon to go offline, as the service stopped after our second run. WRA, on the other hand, consisted of a large botnet, primarily composed of compromised or misconfigured WordPress web servers. WRA was also the only provider to successfully produce six different types of intensive attacks (GET and POST floods, ARME, Slowloris, RUDY, and XML-RPC pingback) and worked for all four runs.

IP2Location [6] was consulted to determine the geographical information of the IP addresses, their autonomous system number (ASN), and the type of networks to which they were connected. As IP2Location provides various degrees of geolocation accuracy, we limited our analysis to using country and region (state in the United States) information in order to determine the location of addresses. Additionally, we used their classification of subnets and ASNs to label the IP addresses as part of one of the following three types of networks: broadband/residential, commercial hosting providers, and other.

Results show DaaS with different geographical extensions and mixtures of types of machines. The United States and China were the largest sources of machines for the providers, with the United States providing at least 55 percent of the machines in the cases of WRA, DES, and BIG. China was the largest source for RAG and TIT, providing at least 39 percent of the attacking hosts. RAG presented a larger number of countries hosting machines and associated ASNs than BIG, even though they both had similar numbers of IP addresses. 81 percent of the addresses used by RAG were in 10 different countries, and 74.1 percent were connected to broadband networks. In comparison, BIG had 81 percent of its machines located in one country (United States) and 128 addresses (93.3 percent) are connected to networks identified for hosting. Moreover, 85 of those addresses were attributed to a single data center in Arizona. We experienced more effective (able to leave our server unresponsive) and reliable (available through all runs) attacks by using BIG than when launching attacks through RAG, which not surprisingly suggests that machines in hosting networks might be more valuable for DaaS than those in broadband networks.
After identifying the addresses with at least a complete TCP connection in the intensive attacks, we knew that the attacker's machine either had that IP address, or went through a proxy or VPN using that address. To determine each case, we scanned the IP address actively and also fingerprinted the host passively, as both approaches complement each other. An active scan interacts with the target host by sending a predefined set of packets and determining the type of the host based on its response. As such, this approach allows identifying when a proxy is used. In contrast, a passive fingerprinting method observes the traffic originating from the target host and determines its type by looking for patterns that identify a particular operating system or application. Our findings show that 81.5 percent of the non-spoofed IP addresses belonged to Linux machines and 12.5 percent to Windows hosts; the rest of the machines were not identified. The high occurrence of Linux hosts and non-spoofed IP addresses suggests that DaaS providers depended on machines that use popular OSs, such as dedicated servers and Internet of Things devices, to successfully launch attacks. In terms of proxies used by the providers, we found that they employed proxies in very small numbers, as only 0.76 percent of the non-spoofed addresses were identified as proxies, anonymizing VPN services or TOR exit nodes. IP2Location also provided information on addresses identified as proxies, validating 92 percent of our results.

¹ Throughout this article, each DaaS provider is referred to by a three-letter code in order to keep its real name anonymous and avoid publicizing its service. For example, a DaaS named General Tester could be referred to as GRL.

Table 2. Attack methods offered by each DaaS provider tested. The original table has one column per provider (APO, BIG, DAR, DES, DIV, GRI, HAZ, IDD, ION, IPS, NET, POW, QUA, RAG, RES, TIT, WRA) with a check mark (✓) where a method was offered and worked and a cross (✗) where it was offered but never worked; the per-provider marks could not be recovered from the extraction, so the recoverable totals are listed below as "No. DaaS" (working / offering the method).

Extensive attacks: UDP 7/12; Home Conn. 1/2; XSYN 1/4; SSYN 5/10; SSDP 1/1; ESSYN 3/6; ZSSYN 1/1; NUDP (NetBIOS) 1/1; SUDP (SNMP) 2/3; Website 1/1; XBOX Live 1/1; DNS 2/4; CHARGEN 2/6; NTP 4/5; TCP Amp. 1/1; RUDP 1/2; UDPLAG 8/14.

Intensive attacks: POST 2/7; HEAD 1/7; GET 2/7; ARME 2/7; SLOWLORIS 3/8; RUDY 2/9; XML-RPC 3/9.

Not working: Source Engine 0/1; KS 0/1; Joomla 0/1; OVH 0/1.

No. attacks per DaaS (working / offered): APO 0/6; BIG 2/2; DAR 3/7; DES 10/17; DIV 0/8; GRI 5/12; HAZ 0/2; IDD 0/5; ION 0/9; IPS 2/4; NET 4/11; POW 1/3; QUA 2/5; RAG 10/12; RES 3/12; TIT 5/5; WRA 12/15.

Through the four runs of experiments launching intensive attacks, we found few cases of IP address sharing among providers. Most did not share any addresses, and in the cases where they did, it was in very low numbers (1 to 5 addresses). This suggests the appropriation or exclusive control of the machines by each DaaS. WRA was the only exception to this, sharing 5223 addresses with DES, thanks to exploiting a high-risk vulnerability [7] on WordPress servers that was publicly reported during our runs. The vulnerability did not provide a mechanism for attackers to control who could exploit these servers, thus leaving the opportunity for sharing.

Table 5 shows the number of IP addresses reused by BIG and WRA during our experimental runs, as these were the only providers that generated non-spoofed traffic in all four executions. The diagonals in the table show (in bold italic) the total number of IP addresses used by each DaaS in a single run. From our experiments, both providers had to continuously add new machines to their networks, as many of the IP addresses from an attack execution would not be found in the next. As an example, BIG showed 122 addresses in the first run, but only 66 (54 percent) of those would be present in the second run. The attacker needs to constantly find new machines, which is not always trivial. From the second to the third run, BIG went from 82 to 37 IP addresses, and only two of those were new. In the case of WRA, the 21,573 different addresses found in the fourth run correspond to web servers exhibiting the high-risk vulnerability to WordPress, as discussed above.
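The labeling rule used in this section (an address counts as non-spoofed only if at least one complete TCP connection was established with the victim) and the per-run reuse matrix of Table 5 can both be computed from a packet capture taken at the victim. The following Python script is an added example, not the authors' tooling: it replays constructed packet records from two runs, marks a client address as non-spoofed when a SYN, the server's SYN-ACK and the client's ACK are all seen on one 4-tuple, counts how many addresses from one run reappear in a later run (the layout of Table 5), and reports the share of bytes attributable to non-spoofed sources (the 0.71 percent figure above). The victim address, the client addresses and the packet list are constructed for the example.

```python
from collections import defaultdict

# Assumed victim address for the example (RFC 5737 documentation range).
SERVER = "192.0.2.10"

# Packet record as it would be read from a capture at the victim:
# (run, proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, length_bytes)
# Constructed sample: one real client in run 1, a spoofed SYN flood and a DNS
# reflection payload in run 1, the same real client plus a new one in run 2.
SAMPLE = [
    (1, "tcp", "198.51.100.7", 40001, SERVER, 80, "S", 60),
    (1, "tcp", SERVER, 80, "198.51.100.7", 40001, "SA", 60),
    (1, "tcp", "198.51.100.7", 40001, SERVER, 80, "A", 52),
    (1, "tcp", "198.51.100.7", 40001, SERVER, 80, "PA", 400),
    (1, "tcp", "203.0.113.5", 1234, SERVER, 80, "S", 60),    # spoofed: our SYN-ACK
    (1, "tcp", SERVER, 80, "203.0.113.5", 1234, "SA", 60),   # is never acknowledged
    (1, "tcp", "203.0.113.6", 1234, SERVER, 80, "S", 60),
    (1, "udp", "192.0.2.53", 53, SERVER, 9999, "", 3000),    # reflected DNS answer
    (2, "tcp", "198.51.100.7", 40002, SERVER, 80, "S", 60),
    (2, "tcp", SERVER, 80, "198.51.100.7", 40002, "SA", 60),
    (2, "tcp", "198.51.100.7", 40002, SERVER, 80, "A", 52),
    (2, "tcp", "198.51.100.8", 40003, SERVER, 80, "S", 60),
    (2, "tcp", SERVER, 80, "198.51.100.8", 40003, "SA", 60),
    (2, "tcp", "198.51.100.8", 40003, SERVER, 80, "A", 52),
]


def handshake_sources(packets):
    """Per run, the set of client addresses that completed a three-way handshake.

    State per (run, client ip, client port): 1 = SYN seen, 2 = our SYN-ACK sent,
    3 = client ACK seen. Only state 3 proves the client received our SYN-ACK,
    i.e. that the source address was not spoofed (a lower bound, as in the article).
    """
    state = {}
    done = defaultdict(set)
    for run, proto, src, sport, dst, dport, flags, _ in packets:
        if proto != "tcp":
            continue
        if dst == SERVER and flags == "S":
            state[(run, src, sport)] = 1
        elif src == SERVER and flags == "SA" and state.get((run, dst, dport)) == 1:
            state[(run, dst, dport)] = 2
        elif dst == SERVER and flags == "A" and state.get((run, src, sport)) == 2:
            state[(run, src, sport)] = 3
            done[run].add(src)
    return dict(done)


def reuse_matrix(sources, runs):
    """m[i][j] (j >= i): addresses seen in run i that appear again in run j.

    The diagonal m[i][i] is the number of non-spoofed addresses in run i.
    """
    return {
        i: {j: len(sources.get(i, set()) & sources.get(j, set())) for j in runs if j >= i}
        for i in runs
    }


def nonspoofed_byte_share(packets, sources):
    """Fraction of bytes sent to the victim that came from non-spoofed addresses."""
    total = sum(p[7] for p in packets if p[4] == SERVER)
    attributable = sum(p[7] for p in packets
                       if p[4] == SERVER and p[2] in sources.get(p[0], set()))
    return attributable / total if total else 0.0


def summarize(packets):
    sources = handshake_sources(packets)
    runs = sorted({p[0] for p in packets})
    return {
        "sources": sources,
        "reuse": reuse_matrix(sources, runs),
        "nonspoofed_share": nonspoofed_byte_share(packets, sources),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE)
    for run, addrs in sorted(report["sources"].items()):
        print(f"run {run}: {len(addrs)} non-spoofed address(es): {sorted(addrs)}")
    print("reuse matrix:", report["reuse"])
    print(f"bytes from non-spoofed addresses: {report['nonspoofed_share']:.1%}")
```

On a real capture the ACK that completes the handshake may already carry data (flags "PA"), and the server's own SYN-ACKs must be matched by the client's port, not the server's; both details are why the state is keyed on the client side of the 4-tuple. The matrix is upper-triangular because reuse is only asked in one direction (how many of run i's addresses survive into run j).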
Operational Stability

Given the shady nature of their business, DaaS providers are not particularly dependable services. Our study found them to have a short lifespan (compared to legitimate online services), measured in weeks to months. This was supported by the fact that 11 of the 28 DaaSs identified failed to provide any service, while several of the other DaaSs briefly disappeared during the different executions. Only seven of the 17 DaaS were functional for all four runs, while four were successfully used in three runs and one DaaS was available in two runs. Additionally, 3 of the 11 providers that were not working when we first accessed them started working after three months. 13 out of the 17 tested providers claimed to support intensive DDoS attacks, but when we tested them, only five successfully executed one or more types of application layer DDoS attacks. Out of the 17 DaaS providers tested, only 7 were still working after we finished our study.

Payment Methods

The most popular payment methods used by the DaaS providers were the popular online payment system PayPal and the Bitcoin digital currency. Other methods found included the payment platforms Google Wallet, Paysafecard (which allows anonymous transfers), Payza (transfers using email), and Skrill (focused on low-cost transfers). During the tests, three of the providers had their PayPal accounts deactivated and could not receive money.

DaaS providers offered multiple subscription options for their services at different prices. For 10 providers, a higher price only means a longer period of attack and longer-term subscriptions. In other words, they did not offer additional attack methods or an increase in the intensity of the attacks. We evaluated GRI, one of the four providers that claimed better throughput and additional methods of attacks, to observe the difference between the cheap and more expensive options. This DaaS was chosen as it offered the most powerful attack, and in terms of throughput, pricing was cheaper than other DaaS ($50, compared to up to $300 in the case of RAG), and offered a different class of attack. Results show that the more expensive service gives access to two VIP servers (servers that regular accounts do not have access to) at the same time (and is therefore able to execute two concurrent attacks). The amount of traffic generated and the list of offered attacks by each VIP server were not different from its cheap service.
Table 3. Number of connections and unique IP addresses for top traffic generating DaaS per run. Each run cell gives number of connections / number of unique non-spoofed IP addresses; the last column gives the maximum attack size (Mb/s) / run in which it was observed.

DaaS | Run 1        | Run 2        | Run 3        | Run 4           | Max. attack size (Mb/s) / run
BIG  | 20,408 / 127 | 7076 / 85    | 6625 / 39    | 2314 / 50       | 84.65 / 2
DES  | – / –        | – / –        | 76,483 / 940 | 951 / 169       | 0.18 / 2
RAG  | 4226 / 168   | 1665 / 168   | – / –        | – / –           | 852.49 / 1
RES  | 7523 / 527   |              |              |                 | 1494.05 / 1
WRA  | 55,077 / 459 | 89,728 / 271 | 71,819 / 278 | 51,564 / 21,573 | 579.84 / 2

Related Work

Research on the analysis of existing DDoS attack vectors [8–11] has focused on the resources available on the Internet that can be used to launch DDoS attacks. Particularly, researchers have studied the amplification effect produced from using certain network services on the impact from using botnets to create DDoS attacks. Our work complements previous research by providing an unabridged analysis of the new vector available to attackers: application-level, intensive DaaS.

Rossow [10] studied several UDP-based services available on the Internet that can be misused for amplification during a DDoS attack, showing that they are numerous and easy to find on the Internet, and providing a byte amplification factor of up to 4670. Kührer et al. [9] showed the possibility of using various TCP servers as reflective traffic amplifiers, and measured their possible impact. Czyz et al. [8] studied the temporal properties of reflectors, especially from NTP servers, while van Rijswijk-Deij et al. [11] showed that a byte amplification factor of over 102 is possible by abusing the DNSSEC extensions.

Recent work [12, 13] has also looked at the rising threat of DaaS providers. We consider all previous studies complementary to ours, as they did not analyze the application-level, intensive DDoS attacks that can be launched from these providers, as done in our study. Karami et al. [12] only evaluated the infrastructure used for extensive attacks, while Santanna et al. [13] limited the study to extensive attacks using the DNS or CHARGEN protocols. Noroozian et al. [14] profiled the victims of extensive attacks launched by DaaS providers by using a network of honeypots running open services to launch amplification attacks. The study found that 88 percent of the victims were housed in broadband and hosting ISP networks, while the ICT development and GDP per capita of the host countries also help explain the victimization rate.
Conclusions

With the goal of demystifying the newly prevalent class of DaaS providers, we identified and studied 28 of these online systems. Given the short life of many of the providers found, we analyzed the behavior of 17 over a period of three months. Results show DaaS providers commonly offer both extensive and intensive DDoS attacks, and over different protocols. Customers only have to spend tens of dollars to have access to the attacks, which we were able to use to launch 1-minute attacks that generated 255 GB of traffic and were able to achieve throughput of 1.4 Gb/s, at a cost of tens of dollars. In our study, we showed that many of these publicly accessible providers allow users to launch intensive attacks, hence the need to also study this increasingly popular threat. Results show that these providers pose a real threat to web servers on the Internet as they have access to networks of up to tens of thousands of machines to generate traffic that looks inconspicuous but leaves the servers unresponsive.
Table 4. Geographical distribution of the IP addresses for each of the DaaS providers that generated intensive attacks. The table also includes for each provider: the number of ASNs involved, the type of network to which the addresses were connected, and the number of proxy servers identified.

DaaS | Total no. IP addresses | No. countries | No. ASNs | Broadband | Hosting | Other | No. proxies found | Additional information
BIG  | 165    | 20  | 40   | 6.7%   | 93.3%  | 0.0%  | 0   | U.S. hosts 81.8% of all addresses, while the next four countries account for 8.5%
DES  | 9405   | 88  | 1446 | 11.8%  | 84.8%  | 0.4%  | 11  | U.S. hosts 61% of all addresses, followed by 10 countries with more than 100 addresses each
RAG  | 162    | 36  | 84   | 74.1%  | 6.8%   | 19.7% | 58  | China accounts for 39.5% of all addresses, while Brazil, Indonesia, Russia, and Guatemala together host 27.16%
TIT  | 35     | 10  | 22   | 45.7%  | 48.6%  | 5.7%  | 0   | China and U.S. host 45% and 22.9%, respectively
WRA  | 21,809 | 117 | 3075 | 20.12% | 79.82% | 0.06% | 130 | U.S. accounts for 55.1% of all addresses, while 19 other countries host at least 140 addresses

Table 5. Number of non-spoofed IP addresses reused, per run, for BIG and WRA. Values in the diagonal (shown in bold italic in the original) represent the total number of IP addresses used to launch intensive attacks in each run.

BIG
Run | 1   | 2  | 3  | 4
1   | 122 | 66 | 35 | 22
2   | —   | 82 | 35 | 20
3   | —   | —  | 37 | 17
4   | —   | —  | —  | 49

WRA
Run | 1   | 2   | 3   | 4
1   | 426 | 176 | 176 | 157
2   | —   | 269 | 184 | 163
3   | —   | —   | 277 | 170
4   | —   | —   | —   | 21,573

References

[1] R. Chang, "Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial," IEEE Commun. Mag., vol. 40, no. 10, Oct. 2000, pp. 42–51.
[2] E. Cambiaso et al., "Slow DoS Attacks: Definition and Categorisation," Int'l. J. Trust Management in Comp. and Commun., vol. 1, no. 3-4, Jan. 2013, pp. 300–19.
[3] D. Dittrich and E. Kenneally, "The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research," U.S. Dept. Homeland Sec., Aug. 2012.
[4] C. Kanich et al., "Spamalytics: An Empirical Analysis of Spam Marketing Conversion," Proc. 15th ACM Conf. Comp. Commun. Sec., Oct. 2008, pp. 3–14.
[5] B. Stone-Gross et al., "Your Botnet Is My Botnet: Analysis of a Botnet Takeover," Proc. 16th ACM Conf. Comp. Commun. Sec., Nov. 2009, pp. 635–47.
[6] IP2Location, commercial IP geolocation databases, Jan. 2015; http://www.ip2location.com/databases/, accessed Jan. 5, 2015.
[7] Symantec, "SecurityFocus: WordPress Slider Revolution Responsive Plugin 'img' Parameter Arbitrary File Download Vulnerability," July 2014; http://www.securityfocus.com/bid/68942, accessed Sept. 13, 2014.
[8] J. Czyz et al., "Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks," Proc. ACM SIGCOMM Conf. Internet Measurement, Nov. 2014, pp. 435–48.
[9] M. Kührer et al., "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks," Proc. 8th USENIX Wksp. Offensive Technologies, Aug. 2014.
[10] C. Rossow, "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," Proc. Network Distrib. Sys. Sec. Symp., Feb. 2014.
[11] R. van Rijswijk-Deij, A. Sperotto, and A. Pras, "DNSSEC and Its Potential for DDoS Attacks," Proc. ACM SIGCOMM Conf. Internet Measurement, Nov. 2014, pp. 449–60.
[12] M. Karami, Y. Park, and D. McCoy, "Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services," Proc. 25th Int'l. World Wide Web Conf., Apr. 2016, pp. 1033–43.
[13] J. Santanna et al., "Booters: An Analysis of DDoS-as-a-Service Attacks," Proc. IFIP/IEEE Int'l. Symp. Integrated Network Mgmt., May 2015, pp. 243–51.
[14] A. Noroozian et al., "Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service," Proc. Int'l. Symp. Research in Attacks, Intrusions, and Defenses, Sept. 2016, pp. 368–89.
Biographies

Ali Zand (zand@cs.ucsb.edu) received his Ph.D. in 2015 from the University of California Santa Barbara, working on system security research with a focus on cyber situation awareness. His research interests include automatic service dependency detection, automatic asset protection prioritization, botnet C&C signature generation, cyber situation awareness measurement, DDoS attack studies, and social media spam detection.

Gaspar Modelo-Howard [SM] (gaspar@acm.org) is a senior principal data scientist in the Center for Advanced Machine Learning at Symantec. His research interests are computer and network security, with a focus on web security, intrusion detection and response, and malware detection. He is also an adjunct professor in computer security at Universidad Tecnológica de Panamá. He is a member of ACM and Usenix.

Alok Tongaonkar (alok@redlock.io) is head of Data Science at RedLock. Previously, he was a data scientist director leading the Center for Advanced Data Analytics at Symantec. He has a Ph.D. in computer science from Stony Brook University, New York. His research focuses on application of machine learning and big data technologies for developing innovative security, networking, and mobile app analytic products. He has been granted multiple patents by USPTO. He is a Senior Member of ACM.

Sung-Ju Lee [F] (sjlee@cs.kaist.ac.kr) is an associate professor and an Endowed Chair Professor at the Korea Advanced Institute of Science and Technology (KAIST). He received his Ph.D. in computer science from the University of California, Los Angeles and spent 15 years in the industry in Silicon Valley before joining KAIST. His research interests include computer networks, mobile computing, network security, and HCI. He is a recipient of multiple awards, including the HP CEO Innovation Award and the Test-of-Time Paper Award at ACM WINTECH 2016. He is an ACM Distinguished Scientist.

Christopher Kruegel (chris@cs.ucsb.edu) is a professor in the Computer Science Department at the University of California, Santa Barbara and one of the co-founders of Lastline, Inc., where he serves as the chief scientist. His research interests include most aspects of computer security, with an emphasis on malware analysis, web security, and intrusion detection. He is a recipient of the NSF CAREER Award, the MIT Technology Review TR35 Award for young innovators, and the IBM Faculty Award.

Giovanni Vigna [SM] (vigna@cs.ucsb.edu) is a professor in the Department of Computer Science at the University of California, Santa Barbara and the CTO at Lastline, Inc. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security. He leads the Shellphish hacking group, which has participated in more DEF CON CTF competitions than any other group in history. He is a Senior Member of ACM.