Threat Detection and Defenses:

Denial of Service Defenses

Monitoring Attacks and Finding Methods to Trace them Back to their Origins.

Denial of Service Defenses


Denial-of-Service (DoS) attacks continuously threaten the availability of online services, many of which belong to critical infrastructures or to the core of the Internet. Novel adversarial techniques to amplify attacks have increased their sophistication, and the attack impact has rapidly grown to an unprecedented scale due to the increase of bandwidth available to adversaries. This development asks for novel solutions to rigorously monitor attacks and to find methods to trace them back to their origin.


To this end, we develop methodologies to get an understanding of the global scale of so-called amplification attacks, in which adversaries abuse address spoofing paired with reflection to overwhelm victims with a flood of large packets. We revisited UDP-based network protocols from the security perspective and revealed that at least 14 popular protocols (such as DNS, NTP, or SSDP) have severe vulnerabilities that can be abused to launch massive DoS attacks. Seeing the harm of these attacks, we designed a novel honeypot dubbed AmpPot that mimics vulnerable protocols---the first time ever the honeypot concept was used in the context of DoS. AmpPot attracts attackers such that they abuse the deployed honeypots, in turn, allowing us to monitor attack techniques and targets.

To stop these attacks, we are furthermore interested in identifying the origin of DoS incidents. A fundamental challenge is that DoS attacks are anonymous, allowing miscreants to perfectly hide the true attack source by spoofing IP addresses. We thus work on novel mechanisms that allow us to trace back the origin of amplification DoS attacks. We conceptually link the reconnaissance (i.e., scanning) and the attack phases by tracking which scan for amplifiers has resulted in which attacks. Furthermore, we map attacks to booter services that have caused them by observing and linking traffic patterns. These results are fed back to law enforcement agencies to help them identifying the true drivers behind nefarious DoS attacks.