An official website of the United States government
In light of the numerous peculiar events that persistently challenge the world, it is paramount to possess the capacity to thoroughly analyze the realm of cyberspace and cyber threats in the context of these circumstances. As such, adequately integrating data-driven intelligence in cyber analytics can help strengthen security postures and enable effective decision making. In this paper, we introduce a multifaceted Internet-scale, data-driven framework to enable the consistent measurement, identification and characterization of cyber threat dynamics amid real-world events. Particularly, our proposed framework scrutinizes Internet-wide security data feeds from multiple sources, including, (i) a large network telescope to infer illicit activities at large, (ii) a cluster of globally distributed sensor and honeypot to quantify reflective amplification attempts, and (iii) a set of BGP collectors to analyze Remotely Triggered Black Hole (RTBH) events. Specifically, we employ our framework to shed light on the 2022 Russo-Ukrainian cyber threat activities by drawing upon Terabytes of real network and security data feeds. We infer DDoS and UDP reflective attacks targeting federal agencies in Russia, and media entities in Ukraine. We further perceive an upsurge of Russian and Ukrainian RTBH techniques employed to block attacks targeting. ru domains and media companies. Additionally, we uncover an escalation of reconnaissance events, some of which are generated by the IoT-centric Mirai malware and others which target critical infrastructure. We report our findings objectively while postulating thoughts on intriguing observations on that particular event. Our Internet-scale data-driven framework offers a robust approach for empirical analysis of cyber threats in the face of real-world challenges; enabling effective and well-informed decision making.
more »
« less
This content will become publicly available on November 4, 2025
The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments
Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks – direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.
more »
« less
- Award ID(s):
- 2319959
- PAR ID:
- 10591852
- Publisher / Repository:
- ACM
- Date Published:
- ISBN:
- 9798400705922
- Page Range / eLocation ID:
- 259 to 279
- Subject(s) / Keyword(s):
- DDoS Refection-Amplifcation Attacks Direct-Path Attacks
- Format(s):
- Medium: X
- Location:
- Madrid Spain
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
The Internet of Things (IoT) is a network of sensors that helps collect data 24/7 without human intervention. However, the network may suffer from problems such as the low battery, heterogeneity, and connectivity issues due to the lack of standards. Even though these problems can cause several performance hiccups, security issues need immediate attention because hackers access vital personal and financial information and then misuse it. These security issues can allow hackers to hijack IoT devices and then use them to establish a Botnet to launch a Distributed Denial of Service (DDoS) attack. Blockchain technology can provide security to IoT devices by providing secure authentication using public keys. Similarly, Smart Contracts (SCs) can improve the performance of the IoT–blockchain network through automation. However, surveyed work shows that the blockchain and SCs do not provide foolproof security; sometimes, attackers defeat these security mechanisms and initiate DDoS attacks. Thus, developers and security software engineers must be aware of different techniques to detect DDoS attacks. In this survey paper, we highlight different techniques to detect DDoS attacks. The novelty of our work is to classify the DDoS detection techniques according to blockchain technology. As a result, researchers can enhance their systems by using blockchain-based support for detecting threats. In addition, we provide general information about the studied systems and their workings. However, we cannot neglect the recent surveys. To that end, we compare the state-of-the-art DDoS surveys based on their data collection techniques and the discussed DDoS attacks on the IoT subsystems. The study of different IoT subsystems tells us that DDoS attacks also impact other computing systems, such as SCs, networking devices, and power grids. Hence, our work briefly describes DDoS attacks and their impacts on the above subsystems and IoT. For instance, due to DDoS attacks, the targeted computing systems suffer delays which cause tremendous financial and utility losses to the subscribers. Hence, we discuss the impacts of DDoS attacks in the context of associated systems. Finally, we discuss Machine-Learning algorithms, performance metrics, and the underlying technology of IoT systems so that the readers can grasp the detection techniques and the attack vectors. Moreover, associated systems such as Software-Defined Networking (SDN) and Field-Programmable Gate Arrays (FPGA) are a source of good security enhancement for IoT Networks. Thus, we include a detailed discussion of future development encompassing all major IoT subsystems.more » « less
-
null (Ed.)With the proliferation of smart and connected mobile, wireless devices at the edge, Distributed Denial of Service (DDoS) attacks are increasing. Weak security, improper commissioning, and the fast, non-standardized growth of the IoT industry are the major contributors to the recent DDoS attacks, e.g., Mirai Botnet attack on Dyn and Memcached attack on GitHub. Similar to UDP/TCP flooding (common DDoS attack vector), request flooding attack is the primary DDoS vulnerability in the Named-Data Networking (NDN) architecture.In this paper, we propose PERSIA, a distributed request flooding prevention and mitigation framework for NDN-enabled ISPs, to ward-off attacks at the edge. PERSIA's edge-centric attack prevention mechanism eliminates the possibility of successful attacks from malicious end hosts. In the presence of compromised infrastructure (routers), PERSIA dynamically deploys an in-network mitigation strategy to minimize the attack's magnitude. Our experimentation demonstrates PERSIA's resiliency and effectiveness in preventing and mitigating DDoS attacks while maintaining legitimate users' quality of experience (> 99.92% successful packet delivery rate).more » « less
-
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service, a network, or even an entire organization, unavailable by saturating it with traffic from multiple sources. DDoS attacks are among the most common and most devastating threats that network defenders have to watch out for. DDoS attacks are becoming bigger, more frequent, and more sophisticated. Volumetric attacks are the most common types of DDoS attacks. A DDoS attack is considered volumetric, or high-rate, when within a short period of time it generates a large amount of packets or a high volume of traffic. High-rate attacks are well-known and have received much attention in the past decade; however, despite several detection and mitigation strategies have been designed and implemented, high-rate attacks are still halting the normal operation of information technology infrastructures across the Internet when the protection mechanisms are not able to cope with the aggregated capacity that the perpetrators have put together. With this in mind, the present paper aims to propose and test a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics. We have successfully tested our proposed mechanism using a real-world DDoS attack dataset at its original rate in pursuance of reproducing the conditions of an actual large scale attack.more » « less
-
The emerging Internet of Things (IoT) has increased the complexity and difficulty of network administration. Fortunately, Software-Defined Networking (SDN) provides an easy and centralized approach to administer a large number of IoT devices and can greatly reduce the workload of network administrators. SDN-based implementation of networks, however,has also introduced new security concerns, such as increasing number of DDoS attacks. This paper introduces an easy and lightweight defense strategy against DDoS attacks on IoT devices in a SDN environment using Markov Decision Process (MDP)in which optimal policies regarding handling network flows are determined with the intention of preventing DDoS attacks.more » « less
