SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Publikation: Beitrag in Buch/Konferenzbericht/Sammelband/GutachtenBeitrag in KonferenzbandBeigetragenBegutachtung

Beitragende

  • Marcin Nawrocki - , Freie Universität (FU) Berlin (Autor:in)
  • John Kristoff - , University of Illinois at Chicago (Autor:in)
  • Raphael Hiesgen - , Hochschule fur Angewandte Wissenschaften Hamburg (HAW) (Autor:in)
  • Chris Kanich - , University of Illinois at Chicago (Autor:in)
  • Thomas C. Schmidt - , Hochschule fur Angewandte Wissenschaften Hamburg (HAW) (Autor:in)
  • Matthias Wählisch - , Professur für Distributed and Networked Systems (Autor:in)

Abstract

In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

Details

OriginalspracheEnglisch
TitelProceedings - 8th IEEE European Symposium on Security and Privacy, Euro S and P 2023
Herausgeber (Verlag)IEEE
Seiten576-591
Seitenumfang16
ISBN (elektronisch)9781665465120
PublikationsstatusVeröffentlicht - Juli 2023
Peer-Review-StatusJa

Externe IDs

Scopus 85168159713
ORCID /0000-0002-3825-2807/work/142241908
Mendeley d251d94f-59ad-3790-b90c-696700c1c85e