Observing the DDoS Landscape Requires Collaboration

December 21st, 2024 by Raphael Hiesgen

Distributed denial-of-service (DDoS) attacks are an ever-present phenomenon on the Internet. Over the years, many organizations and groups have undertaken efforts to reduce the feasibility and effectiveness of DDoS attacks, such as by disabling attack vectors (e.g., NTP’s get monlist), deploying source address validation (ingress & egress filtering), and enlisting law enforcement (booter takedowns). In addition, an industry of DDoS protection companies sells attack mitigation services. While these approaches have had some impact (who knows how dire the situation would be without such efforts?), DDoS remains a persistent threat.

A clear understanding and view of the DDoS landscape is the basis for developing and improving countermeasures. Our recent study comparatively evaluated long-term DDoS trends in academia and industry to better understand the current limitations. We focused on two classes of DDoS attacks: direct-path (DP) attacks and reflection-amplification (RA) attacks. In a direct-path attack, packets are sent directly to the target of the attack. One group of DP attacks establishes connections to abuse application layer protocols, while others use randomly spoofed source addresses. In a reflection-amplification attack, requests are spoofed to contain the source address of the attack target and sent to a reflective third party service (e.g., DNS), which then sends the replies to the victim.

Collecting DDoS Datasets

Our study analyzed longitudinal DDoS trends across academia and industry. We collected 10 datasets from seven observatories listed in Table 1. Each observatory shared 4.5 years of weekly attack counts for our long-term trend analysis. The observatories from academia additionally shared raw DDoS event data, which enabled us to analyze the visibility of targets across observatories. We further collected and analyzed 24 DDoS threat reports from 22 companies for the year 2022. We published the detailed analysis as an artifact at https://ddoscovery.github.io.

Table 1: Observatories and their long-term DDoS attack trends

| Observatory | Type | Coverage | DP Attack Trends | RA Attack Trends |
|---|---|---|---|---|
| UCSD NT | Network Telescope | 12M IPs | Increase 🔺 | (not applicable) |
| ORION NT | Network Telescope | 500k IPs | Increase 🔺 | (not applicable) |
| Netscout Atlas | On-path Network | Proprietary | Increase 🔺 | Increase 🔺 |
| Akamai Prolexic | On-path Network | Proprietary | Neutral 🔴 | Neutral 🔴 |
| IXP Blackholing | On-path Network | Proprietary | Increase 🔺 | Decrease 🔻 |
| AmpPot | Honeypot | ~30 IPs | (not applicable) | Neutral 🔴 |
| Hopscotch | Honeypot | 65 IPs | (not applicable) | Decrease 🔻 |
| Industry Reports | PDF/website/etc. | 22 Companies | Increase 🔺 | Increase 🔺 and Decrease 🔻 |

Long-term Attack Trends Depend on the Viewpoint

Our analysis of attack trends revealed that even observatories that agree on long-term trends (Table 1) exhibit many differences in short-term patterns, reflecting different views of the DDoS landscape. For the analysis, we normalized the weekly attack counts to the median of the first 15 weeks. We plot the exponentially weighted moving average (EWMA) with a 12-week window and linear regressions starting in 2019 and ending in 2022.
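The three processing steps just described (normalizing weekly counts to the median of the first 15 weeks, smoothing with a 12-week EWMA, and fitting a linear regression to read off the long-term trend), as an added Python example that is not the study's own code. The 25% change threshold used to label a trend as Increase/Neutral/Decrease and the sample weekly series are assumptions constructed for illustration.

```python
from statistics import median

def normalize(counts, baseline_weeks=15):
    """Scale each weekly count by the median of the first baseline_weeks."""
    base = median(counts[:baseline_weeks])
    return [c / base for c in counts]

def ewma(values, span=12):
    """Exponentially weighted moving average over a `span`-week window
    (alpha = 2 / (span + 1), the convention pandas uses for ewm(span=...))."""
    alpha = 2.0 / (span + 1)
    out, prev = [], None
    for v in values:
        prev = v if prev is None else alpha * v + (1 - alpha) * prev
        out.append(prev)
    return out

def linear_trend(values):
    """Ordinary least-squares slope of the series against the week index."""
    n = len(values)
    mx, my = (n - 1) / 2, sum(values) / n
    sxy = sum((x - mx) * (y - my) for x, y in enumerate(values))
    sxx = sum((x - mx) ** 2 for x in range(n))
    return sxy / sxx

def classify(slope, n_weeks, threshold=0.25):
    """Label a trend by the fitted total change over the window, relative to
    the baseline. The 25% cut-off is an assumption made for this example."""
    change = slope * n_weeks
    if change > threshold:
        return "Increase"
    if change < -threshold:
        return "Decrease"
    return "Neutral"

def analyze(counts):
    """Full pipeline: normalize, smooth for plotting, fit, label."""
    norm = normalize(counts)
    slope = linear_trend(norm)
    return {"smoothed": ewma(norm), "slope": slope,
            "trend": classify(slope, len(norm))}

# Constructed sample: 4.5 years (234 weeks) of a slowly rising baseline with
# two short peaks that triple the weekly count, like the telescope series.
SAMPLE_COUNTS = [100 + 0.5 * w for w in range(234)]
for peak_week in (60, 150):
    SAMPLE_COUNTS[peak_week] *= 3
```

Because the regression is fitted to the whole window, a single short peak barely moves the slope, which is why isolated spikes do not change the long-term label.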

Direct-path Attack Trends

Both network telescopes (Fig. 1) observed an increase in attacks during the measurement period. They repeatedly saw short peaks that at least tripled attack counts, but did not coincide across both observatories. ORION saw its largest peaks in 2022Q1 and Q2, with smaller peaks in 2019Q2 and mid-2021. In contrast, UCSD saw its largest peak in 2023, with small peaks in each year. While ORION observed a decline in 2023 compared to 2022, UCSD trends remained positive.