Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Abstract

A lot of research has been devoted to understanding the technical properties of amplification DDoS attacks and the emergence of the DDoS-as-a-service economy, especially the so-called booters. Much less is known about the consequences for victimization patterns. We profile victims via data from amplification DDoS honeypots. We develop victimization rates and present explanatory models capturing key determinants of these rates. Our analysis demonstrates that the bulk of the attacks are directed at users in access networks, not at hosting, and even less at enterprise networks. We find that victimization in broadband ISPs is highly proportional to the number of ISP subscribers and that certain countries have significantly higher or lower victim rates which are only partially explained by institutional factors such as ICT development. We also find that victimization rate in hosting networks is proportional to the number of hosted domains and number of routed IP addresses and that content popularity has a minor impact on victimization rates. Finally, we reflect on the implications of these findings for the wider trend of commoditization in cybercrime.

Acknowledgements

This work has been enabled through the support of NWO Pr. Nr. CYBSEC.12.003/628.001.003, SIDN, the Dutch National Cyber Security Center and Beatriu Pinos BP-A-214. We would like to thank Dr. Paul Vixie and Farsight Security for providing our pDNS data. In addition we would like to acknowledge the support of the MEXT (Program for Promoting Reform of National Universities) and PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange) programs.

Author information

Corresponding author

Correspondence to Arman Noroozian.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Noroozian, A., Korczyński, M., Gañan, C.H., Makita, D., Yoshioka, K., van Eeten, M. (2016). Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_17

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer Science (R0)
