The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments

Research output: Contribution to book/conference proceedings/anthology/reportConference contributionContributedpeer-review

Contributors

  • Raphael Hiesgen - , Hamburg University of Applied Sciences (Author)
  • Marcin Nawrocki - , NetScout Systems, Inc (Author)
  • Marinho Barcellos - , University of Waikato (Author)
  • Daniel Kopp - , Deutscher Commercial Internet Exchange (DE-CIX) Management GmbH (Author)
  • Oliver Hohlfeld - , University of Kassel (Author)
  • Echo Chan - , Akamai Technologies, Hong Kong Polytechnic University (Author)
  • Roland Dobbins - , NetScout Systems, Inc (Author)
  • Christian Doerr - , Hasso Plattner Institute for Digital Engineering (Author)
  • Christian Rossow - , CISPA - Helmholtz Center for Information Security (Author)
  • Daniel R. Thomas - , University of Strathclyde (Author)
  • Mattijs Jonker - , University of Twente (Author)
  • Ricky Mok - , Center for Applied Internet Data Analysis, University of California at San Diego (Author)
  • Xiapu Luo - , Hong Kong Polytechnic University (Author)
  • John Kristoff - , NetScout Systems, Inc, University of Illinois at Chicago (Author)
  • Thomas C. Schmidt - , Hamburg University of Applied Sciences (Author)
  • Matthias Wählisch - , Chair of Distributed and Networked Systems (Author)
  • KC Claffy - , Center for Applied Internet Data Analysis, University of California at San Diego (Author)

Abstract

Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks -- direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze nine data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.

Details

Original languageEnglish
Title of host publicationProceedings of ACM Internet Measurement Conference (IMC)
PublisherACM New York, NY, USA
Pages259-279
Publication statusPublished - 4 Nov 2024
Peer-reviewedYes

Conference

TitleACM Internet Measurement Conference 2024
Abbreviated titleACM IMC 2024
Conference number24
Duration4 - 6 November 2024
Website
Degree of recognitionInternational event
LocationESPACIO Fundación Telefónica
CityMadrid
CountrySpain

External IDs

ORCID /0000-0002-3825-2807/work/171066142

Keywords

Research priority areas of TU Dresden

DFG Classification of Subject Areas according to Review Boards

Subject groups, research areas, subject areas according to Destatis