9 research outputs found

    DDoS 3.0 - How Terrorists Bring Down the Internet

    Dependable operation of the Internet is of crucial importance for our society. In recent years Distributed Denial of Service (DDoS) attacks have quickly become a major problem for the Internet. Most of these attacks are initiated by kids that target schools, ISPs, banks and web-shops; the Dutch NREN (SURFnet), for example, sees around 10 such attacks per day. Performing attacks is extremely simple, since many websites offer “DDoS as a Service”; in fact it is easier to order a DDoS attack than to book a hotel! The websites that offer such DDoS attacks are called “Booters” or “Stressers”, and are able to perform attacks with a strength of many Gbps. Although current attempts to mitigate attacks seem promising, analysis of recent attacks shows that it is quite easy to build next generation attack tools that are able to generate DDoS attacks with a strength a thousand to one million times higher than the ones we see today. If such tools are used by nation-states or, more likely, terrorists, it should be possible to completely stop the Internet. This paper argues that we should prepare for such novel attacks.

    Towards validation of the Internet Census 2012

    The reliability of the “Internet Census 2012” (IC), an anonymously published scan of the entire IPv4 address space, is not a priori clear. As a step towards validation of this dataset, we compare it to logged reference data on a /16 network, and present an approach to systematically handle uncertainties in timestamps in the IC and reference data. We find evidence the scan indeed took place, and a 93% match with the /16 reference data.

    Whom do we trust - Booters and SSL/TLS certificates

    SPRING 2016, the 11th edition of the SPRING series, is a single-track event that was sponsored by the special interest group Security – Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI). The purpose of SPRING is to provide young researchers the opportunity to discuss their work with other students and specialists in the research area of IT security. In particular, SPRING is a venue for the presentation of early-stage research and solicits submission of scientific papers presenting novel research on malware analysis, intrusion detection, and related systems security topics. As per our tradition, SPRING encourages submissions from the following broad areas: analysis of vulnerabilities, intrusion detection, malware, incident management and forensics. This year the SPRING 2016 graduate workshop was held in Darmstadt, Germany, and was hosted at the University of Applied Sciences. SPRING took place from the 2nd to the 3rd of June 2016 and was the eleventh edition of the graduate workshop on IT security. It followed the successful events in Neubiberg in 2015, Bochum in 2014, Munich in 2013, Berlin in 2012, Bochum in 2011, Bonn in 2010, Stuttgart in 2009, Mannheim in 2008, Dortmund in 2007 and Berlin in 2006. SPRING 2016 was organized as a 2-day program to encourage interactions between all participants. The program consists of a main track and opening research keynotes. The presented volume includes all extended abstracts presented at SPRING 2016 as defined within the overall final program.

    "LUDO" - Kids playing Distributed Denial of Service

    Distributed denial of service attacks pose a serious threat to the availability of network infrastructures and services. GÉANT, the pan-European network with terabit capacities, witnesses close to hundreds of DDoS attacks on a daily basis. The reason is that DDoS attacks are getting larger, more sophisticated and more frequent. At the same time, it has never been easier to execute DDoS attacks, e.g., Booter services offer paying customers without any technical knowledge the possibility to perform DDoS attacks as a service. Given the increasing size, frequency and complexity of DDoS attacks, there is a need to perform collaborative mitigation. Therefore, we developed (i) a DDoSDB to share real attack data and allow collaborators to query, compare, and download attacks, (ii) the Security attack experimentation framework to test mitigation and response capabilities and (iii) a collaborative mitigation and response process among trusted partners to disseminate security event information. In addition to these developments, we present and would like to discuss our latest research results with experienced network operators, bridging the gap between academic research and operational business.

    Solution based on business process management for inter-domain virtual circuits

    Establishing Virtual Circuits (VCs) is a widely used solution for ensuring quality of service requirements for applications that are carried over the network (e.g., transmissions that demand high data rates and low latency). Previously, these VCs used to be set up manually via messages exchanged among network administrators, using email or telephone. This message exchange process ended with the configuration of the devices and could take weeks to complete. Currently, network middlewares are used to automate the end-to-end process of establishing VCs. These middlewares use pre-defined rules, called policies, to automate the entire process. Although these current solutions have reduced the time for establishing VCs to the order of minutes, they removed the human from the authorization and management process for network resources. This absence of human interaction becomes a problem in cases where pre-defined policies cannot manage VCs, especially when VCs cross multiple domains (inter-domain). This dissertation provides a solution which enables the re-inclusion of the human in the authorization process using an approach that is also capable of keeping the policy-based management. This approach is called Business Process Management (BPM). Results obtained from experiments on the backbone of the Brazilian National Research and Education Network (RNP) demonstrated that the proposed BPM solution can provide management of VCs through both human interaction and policies. Additionally, the prototype developed for obtaining the results performed better than current solutions in terms of the time needed for establishment and the management flexibility of VCs.

    DDoS-as-a-Service: Investigating Booter Websites

    Why should you care about Distributed Denial of Service (DDoS) attacks? If your Internet home connection were the target of a DDoS attack, then not only your connectivity would be gone, but also your telephone and TV programs. This is because many homes have triple-play service (a package offered by Internet providers that includes TV programs and telephone service together with the Internet connectivity). Looking from a company perspective, in 2015, small and medium companies reported spending more than US$50,000 recovering from a DDoS attack, while large corporations reported an average of US$410,000. This figure increased drastically in 2017: large corporations reported US$2.5M in revenue loss as a consequence of a DDoS attack. Given the rapid increase observed above, we can expect that these costs will continue to rise, just as our society's dependence on networked services increases. Until 2013, DDoS attacks were something that only a (relatively) skilled hacker could perform, and that required specialist knowledge. In 2013, the hacker community began offering DDoS attacks via websites easily findable via popular search engines (Google and Bing). Websites called “booters” and “stressers” offer, for very affordable prices, for example, starting from less than US$5, to perform as many DDoS attacks as requested for a one-month period.
    Between 2014 and 2017 booters were considered by network security companies to be mainly responsible for the increase in DDoS attack power and frequency, making the investigation in this thesis even more critical and timely. The main contributions of this thesis are that we show: (1) how to find booters, (2) how to detect their clients accessing and using them, (3) the characteristics of their attacks, (4) what third-party companies are used by them to maintain their operations, (5) which booters are the most dangerous and (6) which ethical arguments can be used to support mitigation actions against them. Finally, while the core of this thesis is based on scientific publications, a number of solutions proposed in this thesis are actively deployed by network operators worldwide. In addition to this, the methodologies in this thesis are used by the Dutch High Tech Crime Unit for collecting evidence for prosecution cases.

    Booters - an analysis of DDoS-as-a-Service attacks

    In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from websites known as Booters. These sites provide DDoS attacks as a paid service (DDoS-as-a-Service) at costs starting from 1 USD. Since this problem was first identified by SURFnet, Booters have been used repeatedly to perform attacks on schools in SURFnet's constituency. Very little is known, however, about the characteristics of Booters, and particularly how their attacks are structured. This is vital information needed to mitigate these attacks. In this paper we analyse the characteristics of 14 distinct Booters based on more than 250 GB of network data from real attacks. Our findings show that Booters pose a real threat that should not be underestimated, especially since our analysis suggests that they can easily increase their firepower based on their current infrastructure.

    Inside Booters: an analysis on operational databases

    Distributed Denial of Service (DDoS) attacks are an increasing threat on the Internet. One of the reasons is that websites selling attacks for prices starting from $1.00 are becoming popular. These websites, called Booters, facilitate attacks by making the needed attack infrastructure transparent to the user and by lowering the knowledge needed to control it. As a consequence, any user on the Internet is able to launch attacks at any time. Although security experts and operators acknowledge the potential of Booters for DDoS attacks, little is known about Booters' operational aspects in terms of users, attacks and infrastructure. The existing works that investigate this phenomenon are all restricted to the analysis of a single Booter and therefore provide a narrow overview of the phenomenon. In this paper we extend the existing work by providing an extensive analysis of 15 distinct Booters. We analyze their operational databases containing logs of users, attacks, and the infrastructure used to perform attacks. Among our findings we reveal that (i) some Booters have several completely identical database records, (ii) users that accessed Booters via proxies and VPNs performed many more attacks than those that accessed them using a single IP address, and (iii) the infrastructure used to perform attacks is slightly different from what is known through existing work. The contribution of our work is to bring awareness of Booter characteristics, facilitating future work to mitigate this phenomenon.

    Booters - an analysis of DDoS-as-a-Service attacks

    In 2012, the Dutch National Research and Education Network, SURFnet, observed a multitude of Distributed Denial of Service (DDoS) attacks against educational institutions. These attacks were effective enough to cause the online exams of hundreds of students to be cancelled. Surprisingly, these attacks were purchased by students from websites known as Booters. These sites provide DDoS attacks as a paid service (DDoS-as-a-Service) at costs starting from 1 USD. Since this problem was first identified by SURFnet, Booters have been used repeatedly to perform attacks on schools in SURFnet's constituency. Very little is known, however, about the characteristics of Booters, and particularly how their attacks are structured. This is vital information needed to mitigate these attacks. In this paper we analyse the characteristics of 14 distinct Booters based on more than 250 GB of network data from real attacks. Our findings show that Booters pose a real threat that should not be underestimated, especially since our analysis suggests that they can easily increase their firepower based on their current infrastructure.