
    DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks

    DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date we have ultimately failed to eradicate DDoS altogether. Moreover, the landscape of DDoS attack mechanisms is still evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks on a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they make up the largest fraction of DDoS amplification attacks within our observation, and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquiti Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone capacity and that filtering approaches in prior work omit 97% of the attack traffic.
    Comment: To appear at PAM 202

    DDoS cyber-incident detection in smart grids

    The smart grid (SG) offers potential benefits for utilities, electric generators, and customers alike. However, the prevalence of cyber-attacks targeting the SG emphasizes its dark side. In particular, distributed denial-of-service (DDoS) attacks can affect the communication of different devices, interrupting the SG's operation. This could have profound implications for the power system, including area blackouts. The problem is that few operational technology tools provide protection against reflective DDoS attacks. Furthermore, such tools often fail to classify the types of attacks that have occurred. Defensive capabilities are necessary to identify the footprints of attacks in a timely manner, as they occur, and to keep these systems delivering their services as expected. To meet this need for defensive capabilities, we developed a situational awareness tool to detect system compromise by monitoring the indicators of compromise (IOCs) of amplification DDoS attacks. We achieved this aim by finding IOCs and exploring attack footprints to understand the nature of such attacks and their cyber behavior. Finally, an evaluation of our approach against a real dataset of DDoS attack instances indicated that our tool can distinguish and detect different types of amplification DDoS attacks.

    Detecting an IoT device participating in a denial-of-service attack at the access point

    Abstract. The Internet of Things (IoT) will grow considerably in the future, and IoT devices with weak security keep appearing on the market. Botnets that carry out denial-of-service attacks have begun to favour such devices, and these botnets consist largely of infected IoT devices. Improving the security of such IoT devices requires a constant supply of new security solutions that can prevent denial-of-service attacks and thereby protect both Internet users and services from the growing threat posed by botnets. In this work, a program running on a wireless access point was implemented whose purpose is to detect an IoT device connected to the access point that is participating in a denial-of-service attack. The program was designed to detect UDP, TCP SYN, DNS and ICMP flood attacks. Detection is performed by monitoring and analysing the network traffic of the IoT devices connected to the access point. Upon detecting an attacking device, the program reports the attack by saving the attack-related information to a local web page. The program was tested by simulating the aforementioned denial-of-service attack types with self-made DoS tools. Based on the tests, it was found that the program can successfully detect all the denial-of-service attack types simulated in the tests, although the program's limited performance negatively affected its capacity to analyse network traffic. In addition, it was noticed that the program may interpret a large amount of normal UDP network traffic as a denial-of-service attack.

    MECInOT: a multi-access edge computing and industrial internet of things emulator for the modelling and study of cybersecurity threats

    In recent years, the Industrial Internet of Things (IIoT) has grown rapidly, a fact that has led to an increase in the number of cyberattacks that target this environment and the technologies that it brings together. Unfortunately, when it comes to using tools for stopping such attacks, it can be noticed that there are inherent weaknesses in this paradigm, such as limitations in computational capacity, memory and network bandwidth. Under these circumstances, the solutions used until now in conventional scenarios cannot be directly adopted by the IIoT, and so it is necessary to develop and design new ones that can effectively tackle this problem. Furthermore, these new solutions must be tested in order to verify their performance and viability, which requires testing architectures that are compatible with newly introduced IIoT topologies. With the aim of addressing these issues, this work proposes MECInOT, which is an architecture based on openLEON and capable of generating test scenarios for the IIoT environment. The performance of this architecture is validated by creating an intelligent threat detector based on tree-based algorithms, such as decision tree, random forest and other machine learning techniques. This allows us to generate an intelligent threat detector and to demonstrate the suitability of our architecture for testing solutions in IIoT environments. In addition, by using MECInOT, we compare the performance of the different machine learning algorithms in an IIoT network. Firstly, we present the benefits of our proposal, and secondly, we describe the emulation of an IIoT environment while ensuring the repeatability of the experiments.

    7th Strathclyde International Perspectives on Cybercrime Summer School

    Schedule and talk abstracts for the summer school

    Cybercrime is (often) boring: maintaining the infrastructure of cybercrime economies

    It is generally accepted that the widespread availability of specialist services has helped drive the growth of cybercrime in the past fifteen to twenty years. Individuals and groups involved in cybercrime no longer need to build their own botnet or send their own spam because they can pay others to do these things. What has seldom been remarked upon is the amount of tedious administrative and maintenance work put in by these specialist suppliers. There is much discussion of the technically sophisticated work of developing new strains of malware or identifying zero-day exploits, but the mundane nature of the day-to-day tasks of operating infrastructure has been almost entirely overlooked. Running bulletproof hosting services, herding botnets, or scanning for reflectors to use in a denial of service attack is unglamorous and tedious work, and is little different in character from the activity of legitimate sysadmins. We provide three case studies of specialist services that underpin illicit economies and map out their characteristics using qualitative sociological research involving interviews with infrastructure providers and scraped data from web forums and chat channels. This enables us to identify some of the distinct cultural and economic factors which attend this infrastructural work and to note, in particular, how its boring nature leads to burnout and the withdrawal of services. This leads us to suggest ways in which this new understanding could open novel avenues for the disruption of cybercrime.
    This work was supported by the Engineering and Physical Sciences Research Council (EPSRC)

    Booting the booters: Evaluating the effects of police interventions in the market for Denial-of-Service attacks

    Illegal booter services offer denial of service (DoS) attacks for a fee of a few tens of dollars a month. Internationally, police have implemented a range of different types of intervention aimed at those using and offering booter services, including arrests and website takedowns. In order to measure the impact of these interventions, we look at the usage reports that booters themselves provide and at measurements of reflected UDP DoS attacks, leveraging a five-year measurement dataset that has been statistically demonstrated to have very high coverage. We analysed time series data (using a negative binomial regression model) to show that several interventions have had a statistically significant impact on the number of attacks. We show that, while there is no consistent effect of highly publicised court cases, takedowns of individual booters precede significant, but short-lived, reductions in recorded attack numbers. However, more wide-ranging disruptions have much longer effects. The closure of HackForums' booter market reduced attacks for 13 weeks globally (and for longer in particular countries), and the FBI's coordinated operation in December 2018, which involved both takedowns and arrests, reduced attacks by a third for at least 10 weeks and resulted in lasting change to the structure of the booter market.
    This work was supported by the Engineering and Physical Sciences Research Council (EPSRC) [grant number EP/M020320/1]

    Saturation analysis of IoT devices acting as reflectors on amplified reflection distributed denial of service attacks

    Dissertation (master's), Universidade de Brasília, Faculdade de Tecnologia, Departamento de Engenharia Elétrica, Mestrado Profissional em Engenharia Elétrica, 2020.
    In the context of distributed denial of service (DDoS) attacks, amplified reflection attacks (AR-DDoS) represent a trend that has been intensifying over recent years, with ever larger traffic volumes. This is due, in part, to the growing use of Internet of Things (IoT) devices in these attacks, mainly because of the broad attack surface that such devices provide. With this motivation, several AR-DDoS attacks were executed with three typical IoT devices (ADSL gateway, IP camera and Raspberry Pi) acting as reflectors, in a controlled environment, exploiting three protocols commonly found in the Internet of Things, SSDP, SNMP and CoAP, the last of which is a recent trend, over IPv4 and IPv6 (when possible), in order to evaluate the saturation of these devices and the maximum amplification rates of the ongoing attacks. The results obtained are consistent with previous studies involving conventional equipment and characterize reflector saturation at low packet injection rates.
    In the context of distributed denial of service (DDoS) attacks, those which use amplified reflection (AR-DDoS) represent a trend that has been intensifying over the past few years, with increasing volumes of traffic. This happens, in part, due to the increasing use of Internet of Things (IoT) devices in those attacks, mainly because of the extensive attack surface that IoT devices provide. With this motivation, several AR-DDoS attacks were carried out with three typical IoT devices (ADSL gateway, IP camera and Raspberry Pi) acting as reflectors, in a controlled environment, abusing three protocols commonly found on IoT devices, SSDP, SNMP and CoAP, the latter one a recent trend, over IPv4 and IPv6 (when possible), in order to assess their saturation behavior and the maximum amplification rates of the ongoing attacks. The results achieved are consistent with previous studies involving conventional equipment and characterize reflector saturation at low probe injection rates.