DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, we have to date ultimately failed to eradicate DDoS altogether. Moreover, the landscape of DDoS attack mechanisms is still evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks on a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they constitute the largest fraction of DDoS amplification attacks within our observation, and we witness the emergence of DDoS attacks using recently discovered amplification protocols (e.g., OpenVPN, ARMS, Ubiquity Discovery Protocol). By analyzing the impact of DDoS on core Internet infrastructure, we show that DDoS can overload backbone capacity and that filtering approaches in prior work omit 97% of the attack traffic.