Welcome
I'm Maria Konte, Lecturer, OMSCS @ Georgia Institute of Technology.
My research is on data-driven network security, with an emphasis on understanding how early indications of Internet abuse materialize and on designing and deploying systems to detect them. My approach often involves designing large-scale data collection systems, and intersects empirical measurements with data mining techniques. Representative projects I am working on include:
- Network traffic analysis for multi-peering Internet infrastructures.
- Leveraging public social media as a platform to track early signs of Internet abuse.
Biography
I am a Lecturer at the OMSCS program at Georgia Tech. I received the Ph.D. degree in Computer Science at Georgia Tech in 2015. My advisor was Dr. Nick Feamster.
During my Ph.D. years I interned at the Cybersecurity Group at Verisign Labs, working with Allison Mankin. Prior to joining the Ph.D. program, I received the M.S. degree in Computer Science at Georgia Tech. I also hold an M.S. degree in Systems Engineering from Boston University, and a Diploma in Eng. from the Industrial Engineering and Management Dept. at the Technical University of Crete, Greece.
Prior to joining Georgia Tech as a Research Scientist, I was a Research Scientist at the cybersecurity startup Damballa.
Research
Publications
Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs
Karthika Subramani, Roberto Perdisci, Maria Konte
In Proceedings of DIMVA 2021
abstract
Distributed reflective denial of service (DRDoS) attacks are a popular
choice among adversaries. In fact, one of the largest DDoS attacks ever
recorded, reaching a peak of 1.3Tbps against GitHub, was a memcached-based
DRDoS attack. More recently, a record-breaking 2.3Tbps attack against Amazon
AWS was due to a CLDAP-based DRDoS attack. Although reflective attacks have
been known for years, DRDoS attacks are unfortunately still popular and
largely unmitigated.
In this paper, we measure in-the-wild DRDoS attacks as observed from a large
Internet exchange point (IXP) and provide a number of security-relevant
insights. To enable our measurements, we first developed
IXmon, an open-source DRDoS detection system specifically designed for
deployment at large IXP-like network connectivity providers and peering
hubs. We deployed IXmon at Southern Crossroads (SoX), an IXP-like hub
that provides both peering and upstream Internet connectivity services to
more than 20 research and education (R&E) networks in the South-East United
States. In a period of about 21 months, IXmon detected more than 900
DRDoS attacks towards 31 different victim ASes. An analysis of the
real-world DRDoS attacks detected by our system shows that most DRDoS
attacks are short lived, lasting only a few minutes, but that large-volume,
long-lasting, and highly-distributed attacks against R&E networks are not
uncommon. We then use the results of our analysis to discuss possible attack
mitigation approaches that can be deployed at the IXP level, before the
attack traffic overwhelms the victim's network bandwidth.
bibtex
@inproceedings{subramani2021detecting,
title={Detecting and Measuring In-The-Wild DRDoS Attacks at IXPs},
author={Subramani, Karthika and Perdisci, Roberto and Konte, Maria},
booktitle={International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment},
pages={42--67},
year={2021},
organization={DIMVA}
}
Understanding and Defending Against Internet Infrastructures Supporting Cybercrime Operations
M. Konte, Georgia Tech, 2015
ASwatch: An AS Reputation System to Expose Bulletproof Hosting ASes
M. Konte, R. Perdisci, N. Feamster
In Proceedings of SIGCOMM 2015
abstract
Bulletproof hosting Autonomous Systems (ASes)—malicious ASes fully dedicated to supporting cybercrime—provide freedom and resources for a cyber-criminal to operate. Their services include hosting a wide range of illegal content, botnet C&C servers, and other malicious resources. Thousands of new ASes are registered every year, many of which are often used exclusively to facilitate cybercrime. A natural approach to squelching bulletproof hosting ASes is to develop a reputation system that can identify them for takedown by law enforcement and as input to other attack detection systems (e.g., spam filters, botnet detection systems). Unfortunately, current AS reputation systems rely primarily on data-plane monitoring of malicious activity from IP addresses (and thus can only detect malicious ASes after attacks are underway), and are not able to distinguish between malicious and legitimate but abused ASes.
As a complement to these systems, in this paper, we explore a fundamentally different approach to establishing AS reputation. We present ASwatch, a system that identifies malicious ASes using exclusively the control-plane (i.e., routing) behavior of ASes. ASwatch's design is based on the intuition that, in an attempt to evade possible detection and remediation efforts, malicious ASes exhibit "agile" control plane behavior (e.g., short-lived routes, aggressive re-wiring). We evaluate our system on known malicious ASes; our results show that ASwatch detects up to 93% of malicious ASes with a 5% false positive rate, which is reasonable to effectively complement existing defense systems.
bibtex
@inproceedings{konte2015aswatch,
title={{ASwatch}: An {AS} Reputation System to Expose Bulletproof Hosting {AS}es},
author={Konte, Maria and Perdisci, Roberto and Feamster, Nick},
booktitle={Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication},
pages={625--638},
year={2015}
}
Re-wiring Activity of Malicious Networks
M. Konte and N. Feamster
In Proceedings of PAM 2012
abstract
This paper studies the AS-level re-wiring dynamics (changes in the connectivity) of malicious networks. Anecdotal evidence suggests that some malicious ASes that are primarily involved in nefarious activities on the Internet were sequentially de-peered by providers before their final cut-off (as occurred in the well-publicized cases of Atrivo/Intercage). We present the first systematic study of the re-wiring dynamics of malicious ASes. We tracked the ASes that were listed by Hostexploit over the last two years and compared their AS-level re-wiring dynamics with non-reported ASes. Using a publicly available dataset of Customer-Provider (CP) relations in the Internet's AS graph, we studied how interconnection between autonomous systems evolves, both for ASes that provide connectivity for attackers and ASes that were not reported as malicious. We find that malicious networks are more aggressive both in forming links with providers and changing their upstream connectivity than other ASes. Our results indicate that the re-wiring dynamics of the networks that host attacks are stable over time, despite the evolving nature of the attacks themselves, which suggests that existing defense mechanisms could benefit from incorporating these features.
bibtex
@inproceedings{konte2012re,
title={Re-wiring activity of malicious networks},
author={Konte, Maria and Feamster, Nick},
booktitle={International Conference on Passive and Active Network Measurement},
pages={116--125},
year={2012},
organization={PAM}
}
Talk at NANOG 62
Dynamics of Online Scam Hosting Infrastructure
M. Konte, N. Feamster and Jaeyeon Jung
In Proceedings of PAM 2009 (Best Paper Award)
Data
abstract
This paper studies the dynamics of scam hosting infrastructure, with an emphasis on the role of fast-flux service networks. By monitoring changes in DNS records of over 350 distinct spam-advertised domains collected from URLs in 115,000 spam emails received at a large spam sinkhole, we measure the rates and locations of remapping DNS records, and the rates at which "fresh" IP addresses are used. We find that, unlike the short-lived nature of the scams themselves, the infrastructure that hosts these scams has relatively persistent features that may ultimately assist detection.
bibtex
@inproceedings{konte2009dynamics,
title={Dynamics of online scam hosting infrastructure},
author={Konte, Maria and Feamster, Nick and Jung, Jaeyeon},
booktitle={International conference on passive and active network measurement},
pages={219--228},
year={2009},
organization={PAM}
}
Teaching
Courses
Class | Program | Number of Students | Content Notes | Semesters |
---|---|---|---|---|
CS6250, Graduate Computer Networks | OMS in CS | 700+ per semester | Reproduced entire course | 2016 - now |
CS3251, Undergraduate Computer Networks | CS | 100+ per semester | Updated syllabus | Spring 2017, Spring 2020, Fall 2020 |
Advising
Students
I feel fortunate that I have worked with very talented students over their MS in CS or MS in Cybersecurity projects:
Arindum Roy
Sahithi Puligundla
Benjamin Bernard Vargas
Pablo Boserman
Vaishnavi Kannan
Karan Rajesh Kishinani
Vatsal Srivastava
Gali Prem Sagar
Tina Johnson
Changho Brian Lee
Sangharsh Aglave
Jingyang Sui
Manuel Arene
Golder Kamuzora
Sam Paulissian
Akshay Sharma
Seminar
Please feel free to send me a note if your work is in the area of security, and you are interested in giving a talk.
Contact
Get in Touch