DDoS Never Dies? An IXP Perspective on DDoS Amplification Attacks
Daniel Kopp, Christoph Dietzel, Oliver Hohlfeld

TL;DR
This study analyzes a large volume of traffic at an Internet Exchange Point to identify and characterize DDoS amplification attacks, revealing persistent and emerging attack protocols and highlighting gaps in existing filtering strategies.
Contribution
The paper provides the first large-scale analysis of DDoS amplification attacks at an IXP, identifying both known and new attack protocols and exposing limitations of current filtering methods.
Findings
Up to 2608 DDoS amplification attacks identified in a single day.
Prevalence of known protocols like NTP and CLDAP in attacks.
Emergence of new attack protocols such as OpenVPN and Ubiquiti Discovery Protocol.
Abstract
DDoS attacks remain a major security threat to the continuous operation of Internet edge infrastructures, web services, and cloud platforms. While a large body of research focuses on DDoS detection and protection, to date we ultimately failed to eradicate DDoS altogether. Yet, the landscape of DDoS attack mechanisms is even evolving, demanding an updated perspective on DDoS attacks in the wild. In this paper, we identify up to 2608 DDoS amplification attacks on a single day by analyzing multiple Tbps of traffic flows at a major IXP with a rich ecosystem of different networks. We observe the prevalence of well-known amplification attack protocols (e.g., NTP, CLDAP), which should no longer exist given the established mitigation strategies. Nevertheless, they pose the largest fraction of DDoS amplification attacks within our observation and we witness the emergence of DDoS attacks using…
