Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1007/978-3-031-22295-5_10guideproceedingsArticle/Chapter ViewAbstractPublication PagesConference Proceedingsacm-pubtype
Article

A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries

Published: 01 January 2023 Publication History

Abstract

Distributed Reflective Denial of Service (DRDoS) attacks exploit Internet facing devices with the purpose to involve them in DoS incidents. In turn, these devices unwittingly amplify and redirect the attack traffic towards the victim. As a result, this traffic causes the extortion of the target’s network bandwidth and computation resources. The current work evaluates the amplification and reflective potentials of four UDP-based protocols, which are constantly reported as facilitators to DoS attacks. These are Simple Service Discovery Protocol (SSDP), Simple Network Management Protocol (SNMP), Constrained Application Protocol (CoAP) and Web Services Dynamic Discovery (WSD). Specifically, we conduct a countrywide network scanning across the four main Nordic countries, i.e., Denmark, Finland, Norway and Sweden, and enumerate the devices that respond to any of our probes and hence they can be exploited in DoS attacks. For each of the discovered devices, we assess its amplification capabilities in terms of Bandwidth Amplification Factor (BAF) and Packet Amplification Factor (PAF) that can contribute to a DoS incident. The outcomes show that from the four examined protocols, SSDP and SNMP are the most beneficial protocols from an attacker’s perspective, as a multitudinous group of reflectors is identified in each of the considered countries. Even worst, a significant portion of these devices produced a BAF over 30, a BAF that can multiply significantly the attack traffic stemming from the attacker’s side and hence causes a devastating impact on the victim’s infrastructure.

References

[1]
NexusGuard. Threat Report FHY 2021 Distributed Denial of Service (DDoS)
[2]
Anagnostopoulos M Amplification DoS Attacks 2019 Heidelberg Springer 1-3
[3]
Heinrich T, Obelheiro RR, and Maziero CA Hohlfeld O, Lutu A, and Levin D New kids on the DRDoS block: characterizing multiprotocol and carpet bombing attacks Passive and Active Measurement 2021 Cham Springer 269-283
[4]
M. Anagnostopoulos, G. Kambourakis, S. Gritzalis, and D. K. Y. Yau. Never say never: authoritative TLD nameserver-powered DNS amplification. In: NOMS 2018 IEEE/IFIP Network Operations and Management Symposium, pp. 1–9 (2018)
[5]
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: Proceedings of the 2014 Network and Distributed System Security Symposium (NDSS) (2014)
[6]
Ferguson, P., Senie, D.: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. Technical report (1998)
[7]
Beverly, R., Bauer, S.: The spoofer project: inferring the extent of internet source address filtering on the internet. In: Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI 2005). USENIX Association (2005)
[8]
Ryba, F.J., Orlinski, M., Waehlisch, M.,Rossow, C., Schmidt, T.C.: Amplification and DRDoS attack defense-a survey and new perspectives. arXiv preprint arXiv:1505.07892 (2015)
[9]
Center for Applied Internet Data Analysis (CAIDA). State of IP Spoofing. http://spoofer.caida.org/summary.php (2022)
[10]
van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks: a comprehensive measurement study. In: Proceedings of the 2014 Conference on Internet Measurement Conference, IMC 2014, New York, NY, USA, pp. 449–460. ACM (2014)
[11]
Goland, Y., Cai, T., Leach, P., Gu, Y., Albright, S.: Simple service discovery protocol/1.0 operating without an arbiter (1999)
[12]
Gondim JJ, de Albuquerque RO, and Orozco ALS Mirror saturation in amplified reflection Distributed Denial of Service: a case of study using SNMP, SSDP, NTP and DNS protocols Future Gener. Comput. Syst. 2020 108 68-81
[13]
Shelby, Z., Hartke, K., Bormann, C.: RFC7252: The Constrained Application Protocol (CoAP) (2014)
[14]
Mattsson, J.P., Selander, G., Amsüss, C.: Amplification Attacks Using the Constrained Application Protocol (CoAP) (2014)
[15]
Respeto, J.: New DDoS vector observed in the wild: WSD attacks hitting 35/Gbps. http://www.akamai.com/blog/security/new-ddos-vector-observed-in-the-wild-wsd-attacks-hitting-35gbps (2019)
[16]
Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: 22nd USENIX Security Symposium (USENIX Security 13), pp. 605–620. USENIX Association (2013)
[17]
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? reducing the impact of amplification DDoS attacks. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 111–125 (2014)
[18]
Anagnostopoulos M, Lagos S, and Kambourakis G Large-scale empirical evaluation of DNS and SSDP amplification attacks J. Inf. Secur. Appl. 2022 66 103168
[19]
Lyu, M., Sherratt, D., Sivanathan, A., Gharakheili, H.H., Radford, A., Sivaraman, V.: Quantifying the reflective DDoS attack capability of household IoT devices. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017, New York, NY, USA, pp. 46–51. Association for Computing Machinery (2017)

Index Terms

  1. A Wide Network Scanning for Discovery of UDP-Based Reflectors in the Nordic Countries
      Index terms have been assigned to the content through auto-classification.

      Recommendations

      Comments

      Please enable JavaScript to view thecomments powered by Disqus.

      Information & Contributors

      Information

      Published In

      cover image Guide Proceedings
      Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30–December 2, 2022, Proceedings
      Nov 2022
      389 pages
      ISBN:978-3-031-22294-8
      DOI:10.1007/978-3-031-22295-5

      Publisher

      Springer-Verlag

      Berlin, Heidelberg

      Publication History

      Published: 01 January 2023

      Author Tags

      1. DDoS
      2. Amplification attacks
      3. Reflection attacks
      4. SSDP
      5. SNMP
      6. CoAP
      7. WSD
      8. Internet measurement

      Qualifiers

      • Article

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • 0
        Total Citations
      • 0
        Total Downloads
      • Downloads (Last 12 months)0
      • Downloads (Last 6 weeks)0
      Reflects downloads up to 28 Nov 2024

      Other Metrics

      Citations

      View Options

      View options

      Login options

      Media

      Figures

      Other

      Tables

      Share

      Share

      Share this Publication link

      Share on social media