IXmon: Detecting and Analyzing DRDoS Attacks at Internet Exchange Points
Karthika Subramani, Roberto Perdisci, Maria Konte

TL;DR
This paper presents IXmon, a detection system deployed at an Internet exchange point, which identified over 900 DRDoS attacks over 21 months, revealing attack characteristics and discussing mitigation strategies.
Contribution
The paper introduces IXmon, an open-source DRDoS detection system tailored for large IXPs, and provides an in-depth analysis of real-world DRDoS attack data collected over nearly two years.
Findings
Most DRDoS attacks are short-lived, lasting only a few minutes.
Large-volume, long-lasting, and highly-distributed attacks are common against R&E networks.
IXmon successfully detected over 900 DRDoS attacks at a major IXP.
Abstract
Distributed reflective denial of service (DRDoS) attacks are a popular choice among adversaries. In fact, one of the largest DDoS attacks ever recorded, reaching a peak of 1.3Tbps against GitHub, was a memcached-based DRDoS attack. More recently, a record-breaking 2.3Tbps attack against Amazon AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have been known for years, DRDoS attacks are unfortunately still popular and largely unmitigated. In this paper, we study in-the-wild DRDoS attacks observed from a large Internet exchange point (IXP) and provide a number of security-relevant measurements and insights. To enable this study, we first developed IXmon, an open-source DRDoS detection system specifically designed for deployment at large IXP-like network connectivity providers and peering hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub that…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques
