DOI: 10.1007/978-3-031-22295-5_10

A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries

Published: 01 January 2023

Abstract

Distributed Reflective Denial of Service (DRDoS) attacks exploit Internet-facing devices in order to involve them in DoS incidents. These devices unwittingly amplify and redirect the attack traffic towards the victim. As a result, this traffic exhausts the target’s network bandwidth and computation resources. The current work evaluates the amplification and reflection potential of four UDP-based protocols that are constantly reported as facilitators of DoS attacks: Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Constrained Application Protocol (CoAP) and Web Services Dynamic Discovery (WSD). Specifically, we conduct a countrywide network scan across the four main Nordic countries, i.e., Denmark, Finland, Norway and Sweden, and enumerate the devices that respond to any of our probes and can hence be exploited in DoS attacks. For each discovered device, we assess the amplification it can contribute to a DoS incident in terms of Bandwidth Amplification Factor (BAF) and Packet Amplification Factor (PAF). The outcomes show that, of the four examined protocols, SSDP and SNMP are the most beneficial from an attacker’s perspective, as a large group of reflectors is identified in each of the considered countries. Even worse, a significant portion of these devices produced a BAF over 30, a factor that can significantly multiply the attack traffic stemming from the attacker’s side and hence cause a devastating impact on the victim’s infrastructure.


Published In

Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavik, Iceland, November 30–December 2, 2022, Proceedings
Nov 2022
389 pages
ISBN: 978-3-031-22294-8
DOI: 10.1007/978-3-031-22295-5

Publisher

Springer-Verlag, Berlin, Heidelberg

Author Tags

1. DDoS
2. Amplification attacks
3. Reflection attacks
4. SSDP
5. SNMP
6. CoAP
7. WSD
8. Internet measurement