Inferring distributed reflection denial of service attacks from darknet

Computer Communications

Volumn 62, Issue , 2015, Pages 59-71

  Fachkha, Claude ^a,b   Bou Harb, Elias ^a,b   Debbabi, Mourad ^a,b  

^a Dept of Electrical and Computer Engineering   (Canada)

^b National Cyber Forensics and Training Alliance Canada   (Canada)

Author keywords

Cyber threats; Darknet; DDoS; DNS; DRDoS

Indexed keywords

INTERNET PROTOCOLS; K-MEANS CLUSTERING; MAXIMUM PRINCIPLE; NETWORK LAYERS; NETWORK SECURITY;

CYBER THREATS; DARKNET; DDOS; DENIAL OF SERVICE; DISTRIBUTED DENIAL OF SERVICE; DRDOS; EXPECTATION - MAXIMIZATIONS; K-MEANS CLUSTERING TECHNIQUES;

DENIAL-OF-SERVICE ATTACK;

EID: 84928823469     PISSN: 01403664     EISSN: 1873703X     Source Type: Journal    
DOI: 10.1016/j.comcom.2015.01.016     Document Type: Article

References (57)

1. Arbor Networks, 2012 Infrastructure Security Report. < http://tinyurl.com/ag6tht4 > (accessed 15.11.13).
2. Forbes, Testing The Limits, LulzSec Takes Down CIA's Website. < http://tinyurl.com/bfhzbta > (accessed 15.11.13).
3. PcWorld, Hacker Arrested for DDoS Attacks on Amazon.com. < http://tinyurl.com/d22myng > (accessed 15.11.13).
4. ITPRO, InfoSection 2011: Energy Firms Pummelled by DDoS Attacks. < http://tinyurl.com/cpqodbx > (accessed 15.11.13).
5. US-CERT, DNS Amplification Attacks - Alert (TA13-088A). < http://tinyurl.com/bp4xud4 > (accessed 15.11.13).
6. Ars Technica, When Spammers go to War: Behind the Spamhaus DDoS. < http://tinyurl.com/d9vkegg > (accessed 15.11.13).
7. M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis Dns amplification attack revisited Comput. Secur. Part B 39 2013 475 485 < http://www.sciencedirect.com/science/article/pii/S0167404813001405 >
8. M. Bailey, E. Cooke, F. Jahanian, J. Nazario, D. Watson, et al., The internet motion sensor: a distributed blackhole monitoring system, in: Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), 2005, pp. 167-179.
9. Yegneswaran, Vinod et al., On the design and use of internet sinks for network abuse monitoring, in: Recent Advances in Intrusion Detection, 2004.
10. E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston Internet background radiation revisited Proceedings of the 10th Annual Conference on Internet Measurement 2010 ACM 62 74
11. C. Rossow, Amplification Hell: Revisiting Network Protocols for DDoS Abuse.
12. D. Moore, C. Shannon, D.J. Brown, G.M. Voelker, and S. Savage Inferring internet denial-of-service activity ACM Trans. Comput. Syst. (TOCS) 24 2 2006 115 139
13. D. Dagon, N. Provos, C.P. Lee, W. Lee, Corrupted dns resolution paths: the rise of a malicious resolution authority, in: NDSS, 2008.
14. S. Staniford, D. Moore, V. Paxson, and N. Weaver The top speed of flash worms Proceedings of the 2004 ACM Workshop on Rapid Malcode, WORM '04 2004 ACM New York, NY, USA 33 42 10.1145/1029618.1029624
15. S. Staniford, J.A. Hoagland, and J.M. McAlerney Practical automated detection of stealthy portscans J. Comput. Secur. 10 1 2002 105 136
16. The University of Waikato, WEKA Select Attributes: Ranker. < http://tinyurl.com/kt6rccu > (accessed 15.11.13).
17. T.K. Moon The expectation-maximization algorithm Signal Process. Mag. IEEE 13 6 1996 47 60
18. J.A. Hartigan, and M.A. Wong Algorithm as 136: a k-means clustering algorithm J. Roy. Stat. Soc. Ser. C (Appl. Stat.) 28 1 1979 100 108
19. D. Hudson Interval estimation from the likelihood function J. Roy. Stat. Soc. Ser. B (Methodol.) 1971 256 262
20. G. Münz, S. Li, G. Carle, Traffic anomaly detection using k-means clustering, in: GI/ITG Workshop MMBnet, 2007.
21. J. Yu, Z. Li, H. Chen, and X. Chen A detection and offense mechanism to defend against application layer ddos attacks Third International Conference on Networking and Services, 2007, ICNS 2007 IEEE 54
22. S. Zhong, T.M. Khoshgoftaar, and N. Seliya Clustering-based network intrusion detection Int. J. Reliab. Qual. Safety Eng. 14 02 2007 169 187
23. A. Nucci, Architecture, Systems and Methods to Detect Efficiently DoS and DDoS Attacks for Large Scale Internet, US Patent 7,584,507, September 1 2009.
24. Han, Jiawei, Kamber, Micheline, Pei, Jian, Data Mining: Concepts and Techniques, 2006.
25. The University of Waikato, Weka: Data Mining Software in Java. < http://www.cs.waikato.ac.nz/ml/weka/ > (accessed 15.11.13).
26. CloudFlare blog, The DDoS That Knocked Spamhaus Offline (And How We Mitigated It). < http://tinyurl.com/d46gpkj > (accessed 14.04.14).
27. J. Oberheide, M. Karir, Z.M. Mao, Characterizing dark dns behavior, in: Fourth GI International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 2007.
28. Spamhaus, An Arrest in Response to March DDoS Attacks on Spamhaus. < http://www.spamhaus.org/news/article/698/ > (accessed 15.11.13).
29. The New York Times, Firm Is Accused of Sending Spam, and Fight Jams Internet. < http://tinyurl.com/bnkmr4c > (accessed 15.11.13).
30. P. Smyth Model selection for probabilistic clustering using cross-validated likelihood Stat. Comput. 10 1 2000 63 72
31. Gephi, Gephi: An Open Source Graph Visualization and Manipulation Software. < https://gephi.org/ > (accessed 14.04.14).
32. DShield, Dshield Port Report. < http://www1.dshield.org > (accessed 15.11.13).
33. Bloomberg News, Dutch Man Arrested in Spain in Probe of Spamhaus Attack. < http://tinyurl.com/puru9l2 > (accessed 14.04.14).
34. The Irish Times, Spam Dispute Results in Biggest Ever Cyber Attack. < http://tinyurl.com/d2xwv9w > (accessed 14.04.14).
35. Luc Rossini, Twitter Tweet: Spamhaus is Currently Under a DDoS Attack Against Our Website which We are Working on Mitigating. Our DNSBLs are Not Affected. < http://tinyurl.com/m7dayxr > (accessed 14.04.14).
36. Open Resolver Project. < http://openresolverproject.org/ > (accessed 15.11.13).
37. Sourcefire, Snort NIDS. < http://www.snort.org/ > (accessed 15.11.13).
38. D. Moore, G. Voelker, S. Savage, Inferring internet denial-of-service activity, in: Proceedings of the 10th Usenix Security Symposium, 2001.
39. S.M. Bellovin, There be dragons, in: Proceedings of the Third Usenix Unix Security Symposium, 1992, pp. 1-16.
40. A. Dainotti, A. King, F. Papale, and A. Pescapè et al. Analysis of a/0 stealth scan from a botnet Proceedings of the 2012 ACM Conference on Internet Measurement Conference 2012 ACM 1 14
41. M. Bailey, E. Cooke, F. Jahanian, D. Watson, and J. Nazario The blaster worm: then and now Secur. Privacy IEEE 3 4 2005 26 31
42. A. Dainotti, C. Squarcella, E. Aben, K.C. Claffy, M. Chiesa, M. Russo, A. Pescape, Analysis of country-wide internet outages caused by censorship, in: Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC, 2011, pp. 1-17.
43. M. Bailey, E. Cooke, F. Jahanian, A. Myrick, S. Sinha, Practical darknet measurement, in: 2006 40th Annual Conference on Information Sciences and Systems, 2006, p. 14961501.
44. M. Bailey, E. Cooke, F. Jahanian, N. Provos, K. Rosaen, D. Watson, Data reduction for the scalable automated analysis of distributed darknet traffic, in: Proceedings of the USENIX/ACM Internet Measurement Conference, 2005.
45. CAIDA, Cooperative Association for Internet Data Analysis. < http://www.caida.org > (accessed 15.11.13).
46. P.A.R. Kumar, and S. Selvakumar Detection of distributed denial of service attacks using an ensemble of adaptive and hybrid neuro-fuzzy systems Comput. Commun. 36 3 2013 303 319
47. S. Bhatia, D. Schmidt, and G. Mohay Ensemble-based ddos detection and mitigation model Proceedings of the Fifth International Conference on Security of Information and Networks, SIN '12 2012 ACM New York, NY, USA 79 86 10.1145/2388576.2388587
48. D.Q. Le, T. Jeong, H.E. Roman, and J.W.-K. Hong Proceedings of the Second Symposium on Information and Communication Technology, SoICT '11 2011 ACM New York, NY, USA 36 41 10.1145/2069216.2069227
49. Z.M. Fadlullah, T. Taleb, A.V. Vasilakos, M. Guizani, and N. Kato Dtrab: combating against attacks on encrypted protocols through traffic-feature analysis IEEE/ACM Trans. Network. (TON) 18 4 2010 1234 1247
50. Z.H. Aghaei Foroushani TDFA: traceback-based defense against DDoS flooding attacks 28th International Conference on Advanced Information Networking and Applications 2014 AINA, IEEE 710 715
51. G. Yao, J. Bi, and Z. Zhou Passive IP traceback: capturing the origin of anonymous traffic through network telescopes ACM SIGCOMM Computer Communication Review vol. 40 2010 ACM 413 414
52. J. Bi, P. Hu, and P. Li Study on classification and characteristics of source address spoofing attacks in the internet Ninth International Conference on Networks (ICN), 2010 2010 IEEE 226 230
53. E. Gansner, B. Krishnamurthy, W. Willinger, F. Bustamante, and M. Snchez Demo abstract: towards extracting semantics by visualizing large traceroute datasets Computing 96 1 2014 81 83 10.1007/s00607-013-0290-8
54. S. Papadopoulos, G. Theodoridis, and D. Tzovaras Bgpfuse: Using visual feature fusion for the detection and attribution of bgp anomalies Proceedings of the Tenth Workshop on Visualization for Cyber Security, VizSec '13 2013 ACM New York, NY, USA 57 64 10.1145/2517957.2517965
55. B. Irwin, and N. Pilkington High Level Internet Scale Traffic Visualization using Hilbert Curve Mapping 2008 Springer
56. V. Paxson An analysis of using reflectors for distributed denial-of-service attacks SIGCOMM Comput. Commun. Rev. 31 3 2001 38 47 10.1145/505659.505664
57. CloudFlare blog, Technical Details Behind a 400 Gbps NTP Amplification DDoS Attack. < http://tinyurl.com/p3exvnc > (accessed 14.04.14).