Tracking DDoS Attacks: Insights into the Business of Disrupting the Web presented at 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats 2012

by Thorsten Holz, Armin Büscher

Tags: Botnets


Summary: Known for a long time, Distributed Denial-of-Service (DDoS) attacks are still prevalent today and cause harm on the Internet on a daily basis. The main mechanism behind this kind of attack is the use of so-called botnets, i.e., networks of compromised machines under the control of an attacker. There are several different botnet families that focus on DDoS attacks and are even used to sell such attacks as a service on underground markets.
In this paper, we present an empirical study of modern DDoS botnets and analyze one particular family of botnets in detail. We identified 35 Command and Control (C&C) servers related to DirtJumper (also called Ruskill), one of the popular DDoS botnets in operation at this point in time. We monitored these C&C servers for a period of several months, during which we observed almost two thousand different DDoS attacks carried out by the botmasters behind the botnets. Based on this empirical data, we performed an analysis of the characteristics of DDoS attacks. To complement this C&C-centric point of view, we briefly analyzed the information logged at two different victims of DirtJumper DDoS attacks to study how such attacks are perceived at an end host. Our results provide insights into modern DDoS attacks and help us to understand how such attacks are carried out nowadays.