IXmon: Detecting and Analyzing DRDoS Attacks at Internet Exchange Points

by Karthika Subramani, et al.

Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated. In this paper, we study in-the-wild DRDoS attacks observed from a large Internet exchange point (IXP) and provide a number of security-relevant measurements and insights. To enable this study, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that provides both peering and upstream Internet connectivity services to more than 20 research and education (R&E) networks in the South-East United States. In a period of about 21 months, IXmon detected more than 900 DRDoS attacks towards 31 different victim ASes. An analysis of the real-world DRDoS attacks detected by our system shows that most DRDoS attacks are short lived, lasting only a few minutes, but that large-volume, long-lasting, and highly-distributed attacks against R&E networks are not uncommon. We then use the results of our analysis to discuss possible attack mitigation approaches that can be deployed at the IXP level, before the attack traffic overwhelms the victim's network bandwidth.



