7 research outputs found

    Process-aware SCADA traffic monitoring: A local approach


    Booter websites characterization: towards a list of threats

    Distributed Denial of Service (DDoS) attacks mean millions in revenue losses to many industries, such as e-commerce and online financial services. The number of reported DDoS attacks has increased by 47% compared to 2013. One of the reasons for this increase is the availability and easy accessibility of websites that provide DDoS attacks as a paid service, called Booters. Although there are hundreds of Booters available, current research focuses on a handful of them, either to analyse attack traffic or hacked databases. Towards a thorough understanding and mitigation of Booters, a comprehensive list of them is needed. In this paper we characterize Booter websites and demonstrate that the main characteristics found can be used to classify Booters with 85% accuracy. The Dutch National Research and Education Network (SURFnet) has been using a list generated by our methodology since 2013, which demonstrates its high relevance to the network management community and to security specialists.

    A parser for deep packet inspection of IEC-104: A practical solution for industrial applications

    We present a practical solution for deep packet inspection of IEC-104 SCADA traffic, which can be used in monitoring approaches to ensure the dependable operation of critical systems. We re-implement an outdated parser and extend it to also parse the content of individual IEC-104 packets and to extract information relevant for monitoring and securing the physical processes being controlled. The deep packet inspection framework Spicy was used for the implementation, which allows for easy extensibility in the future. To illustrate the feasibility of the proposed solution, the throughput obtained when using the parser in combination with the monitoring tool Zeek has been evaluated for traces of different lengths. The traces were captured in an operating electrical distribution field station with a single RTU.

    A Tool for Generating Automata of IEC60870-5-104 Implementations

    Power distribution networks are often controlled using the communication protocol IEC 60870-5-104 (IEC-104). While a specification exists, not every device implementing this protocol actually follows it. We present mealy104, a tool that infers finite-state automata from IEC-104 implementations, and apply it to a real device implementing IEC-104, comparing the inferred automaton to the protocol standard. We use the tool to show that implementations do deviate from the specification.

    Context-aware local Intrusion Detection in SCADA systems: a testbed and two showcases

    This paper illustrates the use of a testbed that we have developed for context-aware local intrusion detection. The testbed is based on the co-simulation framework Mosaik and allows for the validation of local intrusion detection mechanisms at field stations in power distribution networks. For two cases, we show how this testbed assists in studying the effectiveness of two local IDS mechanisms under different kinds of attacks.