01/08/2025 | Press release | Distributed by Public on 01/07/2025 17:40
Distributed Denial-of-Service (DDoS) attacks are an ever-present phenomenon on the Internet. Over the years, several undertakings have combated their feasibility and viability, such as disabling attack vectors (the Network Time Protocol (NTP) 'monlist' command), deploying source address validation (ingress and egress filtering), and action by law enforcement (booter takedowns). In addition, an industry of DDoS protection companies sells attack mitigation services. While all these approaches have had an impact - who knows how dire the situation would be without our efforts - DDoS remains a persistent threat.
A clear understanding and view of the DDoS landscape is the basis for developing countermeasures. Our work comparatively evaluates long-term DDoS trends in academia and industry to better understand the current limitations. It focuses on two classes of DDoS attacks: direct-path (DP) attacks and reflection-amplification (RA) attacks. In a direct-path attack, packets are sent directly to the target of the attack. One group of DP attacks establishes connections to abuse application-layer protocols, while others use randomly spoofed source addresses. In a reflection-amplification attack, requests are spoofed to carry the source address of the attack target and are sent to a reflective third-party service (for example, DNS), which then sends its replies to the victim.
Collecting DDoS datasets
Our longitudinal DDoS trend analysis is based on 10 datasets from across academia and industry. For this study, we collected data from seven observatories listed in Table 1. Each observatory shared 4.5 years of weekly attack counts for our long-term trend analysis. The observatories from academia additionally shared raw DDoS event data, which enabled us to analyze the visibility of targets across observatories. We further collected and analyzed 24 DDoS threat reports from 22 companies for the year 2022. We published the detailed analysis as an artifact online.
Long-term attack trends depend on the viewpoint
Our analysis of the attack trends reveals that even observatories that agree on long-term trends exhibit many differences in their short-term measurements, which indicates different views on the DDoS landscape. Table 1 summarizes the long-term attack trends. For the analysis, we normalized the weekly attack counts to the median of the first 15 weeks. Additionally, we plot the exponentially weighted moving average (EWMA) with a 12-week window and linear regressions starting in 2019 and ending in 2022.
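The normalization, smoothing and trend fit described above, as an added example that is not code from the paper or this post: weekly counts are divided by the median of the first 15 weeks, smoothed with an EWMA of span 12 (the recursive form with the first value as the initial level is an assumption; the paper does not state its EWMA variant), and fitted with an ordinary least-squares line whose total change over the period labels the trend. The 104 weekly counts are constructed to contain slow growth, a seasonal wobble and one short peak of about three times the baseline.

```python
"""Added example (not from the paper or the APNIC post).

Reproduces the time-series treatment of the weekly attack counts on a
constructed series: baseline normalization, 12-week EWMA, and a linear
trend with a sign-based label. No measured data is used here.
"""
import math
import statistics

# Constructed weekly attack counts for 104 weeks (hypothetical, not measured):
# slow linear growth, a sinusoidal wobble, and a two-week peak around week 60.
WEEKLY_COUNTS = [
    round(100 + 0.5 * w + 10 * math.sin(w / 8) + (250 if 60 <= w < 62 else 0))
    for w in range(104)
]


def normalize(counts, baseline_weeks=15):
    """Divide every weekly count by the median of the first `baseline_weeks`."""
    base = statistics.median(counts[:baseline_weeks])
    return [c / base for c in counts]


def ewma(values, span=12):
    """Exponentially weighted moving average with alpha = 2 / (span + 1).

    Assumption: recursive form seeded with the first value (pandas ewm with
    adjust=False behaves the same way).
    """
    alpha = 2 / (span + 1)
    level = values[0]
    smoothed = []
    for v in values:
        level = alpha * v + (1 - alpha) * level
        smoothed.append(level)
    return smoothed


def linear_trend(values):
    """Ordinary least-squares fit y = slope * week + intercept, week = 0, 1, ..."""
    n = len(values)
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def trend_label(slope, weeks, tolerance=0.05):
    """Label the fitted line by its total change in normalized units."""
    change = slope * weeks
    if change > tolerance:
        return "positive"
    if change < -tolerance:
        return "negative"
    return "neutral"


def summarize(counts):
    """Run the full pipeline and return every intermediate result."""
    normalized = normalize(counts)
    slope, intercept = linear_trend(normalized)
    return {
        "normalized": normalized,
        "smoothed": ewma(normalized),
        "slope": slope,
        "intercept": intercept,
        "peak_factor": max(normalized),  # largest multiple of the baseline
        "label": trend_label(slope, len(counts)),
    }


if __name__ == "__main__":
    result = summarize(WEEKLY_COUNTS)
    print(f"peak = {result['peak_factor']:.2f}x baseline, trend = {result['label']}")
```

Because the baseline is the median of an odd number of weeks, the normalized series has a median of exactly 1.0 over those weeks, which is what makes the peak factor directly readable as "times the baseline"; the EWMA flattens the two-week peak considerably, which is why the post reports short peaks from the raw normalized series rather than from the smoothed one.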
Direct-path attack trends
Both network telescopes (Figure 1) observe an increase in attacks during the measurement period. They repeatedly see short peaks that at least triple the attack count, but these peaks do not coincide across the two observatories. ORION Network Telescope (ORION NT) sees its largest peaks in 2022Q1 and Q2, with smaller peaks in 2019Q2 and mid-2021. In contrast, UCSD Network Telescope (UCSD NT) sees its largest peak in 2023, with small peaks each year. While ORION observes a decline in 2023 compared to 2022, UCSD trends remain positive.
The industry time series in Figure 2 do not show large peaks. Netscout Atlas (Figure 2, left) experiences stable growth, except in 2021. Akamai Prolexic (Figure 2, right) fluctuates around its baseline with a slight decrease in attacks overall. Both companies likely have stable customer bases and are less affected by sudden bursts in attacks. Both companies see a rise in attacks in 2020, followed by a decline in 2021. Netscout sees a rise throughout 2022, while Akamai sees peaks in 2022 but no persistent increase. Both companies detected a rise in attacks in 2023.
Reflection-amplification attack trends
The honeypots in our study (Figure 3) show a significant increase in attacks in 2020 after a decline in 2019Q4. Hopscotch records most attacks early in 2020, while AmpPot sees its highest peaks later, coinciding with a decline in attack counts at Hopscotch. Both honeypots detect a continued decline in 2021, aligning with industry efforts to deploy Source Address Validation (SAV) (see discussion in the paper, Section 2.3). While both time series share a peak in mid-2022, it is much more pronounced in the Hopscotch data.
Akamai Prolexic (Figure 4, left) experiences only small variations in attacks until 2020Q3 before they surge above 2x its baseline in 2021Q1. This peak coincides with a peak in the IXP time series (Figure 4, right). However, the IXP already saw a steep rise in attacks starting in 2019Q4, with peaks in 2021Q1 and Q2. Both time series decline until the end of 2022, with more pronounced peaks in the Akamai time series. They both detect an increase in attacks in 2023 but have a neutral to negative trend overall.
Booter takedowns by law enforcement
We marked known booter takedowns by law enforcement with red dashed lines in Figures 3 and 4. Booters offer DDoS-as-a-service usually based on reflection-amplification attacks. The first takedown in late 2022Q4 led to immediate, small valleys in all graphs. In contrast, the 2023Q2 takedown did not affect the AmpPot time series (Figure 3, right). Instead, attack counts even increased. While we do not know how trends would have evolved without interference, the impact on DDoS trends appears limited in our time series.
Why do views on DDoS differ?
We dive into the cause of these differences by comparing DDoS targets across observatories (Section 7 in our paper). The analysis reveals that our four observatories from academia see a substantial share of targets that are not seen by the other three. While the overlap among observatories of the same type - either honeypots or network telescopes - is considerable, each observatory provides a unique view into the DDoS attack landscape. This highlights the limitations of individual datasets and the root cause for different views on the DDoS landscape. Overlap between observatories from academia and industry is similarly limited. Thus, collaboration with industry partners is a valuable - and potentially necessary - source for improved visibility.
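The target comparison described above, as an added example that is not code from the paper or this post: for each observatory it computes the share of its targets that no other observatory saw, the pairwise Jaccard overlap, and how many distinct targets accumulate as observatories are combined. The observatory names are those of the post; the target sets are constructed from documentation address ranges and are not data from any observatory.

```python
"""Added example (not from the paper or the APNIC post).

Quantifies the uniqueness of each observatory's view of DDoS targets.
The target sets below are constructed sample data, not real observations.
"""
from itertools import combinations

# Constructed sample: attacked target addresses per observatory (hypothetical).
TARGETS = {
    "ORION NT": {"192.0.2.1", "192.0.2.2", "192.0.2.3", "203.0.113.7"},
    "UCSD NT": {"192.0.2.2", "192.0.2.3", "198.51.100.9", "203.0.113.8"},
    "Hopscotch": {"198.51.100.1", "198.51.100.2", "203.0.113.7"},
    "AmpPot": {"198.51.100.1", "198.51.100.3", "203.0.113.8", "203.0.113.9"},
}


def unique_share(targets):
    """Fraction of each observatory's targets that no other observatory saw."""
    shares = {}
    for name, seen in targets.items():
        others = set().union(*(s for n, s in targets.items() if n != name))
        shares[name] = len(seen - others) / len(seen)
    return shares


def pairwise_overlap(targets):
    """Jaccard index (|A & B| / |A | B|) for every pair of observatories."""
    overlap = {}
    for a, b in combinations(sorted(targets), 2):
        inter = len(targets[a] & targets[b])
        union = len(targets[a] | targets[b])
        overlap[(a, b)] = inter / union
    return overlap


def coverage_gain(targets, order):
    """Cumulative number of distinct targets as observatories are added in `order`.

    A flat tail means the added vantage point contributes little new visibility;
    a rising tail means its view is largely unique.
    """
    seen, cumulative = set(), []
    for name in order:
        seen |= targets[name]
        cumulative.append(len(seen))
    return cumulative


if __name__ == "__main__":
    for name, share in unique_share(TARGETS).items():
        print(f"{name:10s} unique share {share:.2f}")
    for (a, b), j in pairwise_overlap(TARGETS).items():
        print(f"{a} vs {b}: Jaccard {j:.2f}")
    print("coverage:", coverage_gain(TARGETS, ["ORION NT", "UCSD NT", "Hopscotch", "AmpPot"]))
```

On the constructed sets the two telescopes overlap more with each other (Jaccard 1/3) than either does with a honeypot (1/6), and every observatory still contributes targets nobody else saw, which is the pattern the post describes; on real data the same three functions apply unchanged to the raw event exports.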
Recommendations
Our analysis of 10 longitudinal datasets from 7 observatories revealed the limited view that we use as a basis for DDoS research. Without an accurate view, we can neither accurately plan actions nor evaluate their outcome.
Advice for researchers: DDoS research tries to make global inferences based on a local view. Accepting and acknowledging the limitations of available datasets is important for accurate interpretation and accurate comparison. When possible, base your research on multiple datasets and collaborate with industry and operators. In parallel, our community across academia and industry needs to converge on specific frameworks for data sharing to ease the way forward. Unexplored details include the definition of incidents and their impact, data formats to accommodate comparisons, disclosure control technologies and access policies to allow for rigorous independent analyses.
Advice for threat-intelligence companies: Collaborate with researchers. Gathering reliable data on DDoS attacks is challenging. Getting additional data from different vantage points - especially those that academia usually has no access to - is invaluable for researchers. We found that many DDoS reports are only available after providing email addresses and are not archived for long-term access. Lowering the effort to read reports and offering historical reports increases visibility. Since language is often not consistent across companies and since vantage points and methodologies differ, comparisons to previous reports from the same company are especially relevant to analyze long-term changes in the DDoS landscape.
Advice for operators: Spoofing is an integral mechanism abused in many DDoS attacks, including all reflection-amplification attacks and a significant subset of direct-path attacks. SAV is an effective tool to stop these attacks. Supporting ongoing research and extending measurement systems to quantify the deployment of SAV and reveal persistent sources of spoofed packets is a challenging but worthwhile undertaking.
Let's collaborate to achieve a comprehensive view of DDoS!
For more detail, read our paper "The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments".
Raphael Hiesgen is a PhD student at HAW Hamburg. His research focuses on Internet measurements and security.
This work wouldn't have been possible without many coauthors: Marcin Nawrocki (NETSCOUT), Marinho Barcellos (U of Waikato), Daniel Kopp (DE-CIX), Oliver Hohlfeld (University of Kassel), Echo Chan (Akamai/Hong Kong PolyU), Roland Dobbins (NETSCOUT), Christian Doerr (Hasso Plattner Institute), Christian Rossow (CISPA), Daniel R. Thomas (University of Strathclyde), Mattijs Jonker (University of Twente), Ricky Mok (CAIDA/UC San Diego), Xiapu Luo (Hong Kong PolyU), John Kristoff (NETSCOUT/UIC), Thomas C. Schmidt (HAW Hamburg), Matthias Wählisch (TU Dresden), and KC Claffy (CAIDA/UC San Diego). I'd also like to thank the industry partners for contributing data.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.