United against Cyberattacks
BIFOLD Researchers Prof. Dr. Georgios Smaragdakis and Prof. Dr. Anja Feldmann, together with colleagues from Deutsche Commercial Internet Exchange (DE-CIX) and Brandenburg University of Technology, show that the exchange of information about ongoing cyberattacks has the potential to detect and mitigate substantially more attacks and protect critical parts of the Internet infrastructure. Their paper “United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale” was accepted at the ACM Conference on Computer and Communications Security (ACM CCS) 2021.
Our commercial and social activity is increasingly moving online. The ongoing pandemic is a reminder of how dependent we are on the smooth operation of online services such as e-banking, e-commerce, video streaming, video conferencing, and e-mail. Unfortunately, attacks on such critical services are at an all-time high. The so-called Distributed Denial of Service (DDoS) attack is a popular type of cyberattack that aims to make servers unavailable.
“At least once a week, we read in the news about a DDoS attack that shuts down online services of enterprises or the public sector. We are very frustrated that 20 years after the first DDoS cyberattacks, current solutions are not effective enough to mitigate such attacks,” says BIFOLD Fellow Georgios Smaragdakis, Professor of Cybersecurity at TU Delft. The researchers collaborated with eleven network infrastructure operators, Internet Exchange Points (IXPs), in central and southern Europe and the USA, which together interconnect more than 2,100 networks.
They developed inference techniques to detect DDoS cyberattacks and applied them to massive network data collected at the distributed vantage points over six months. In total, they detected and analyzed more than 120,000 cyberattacks. Their results show that between 500 and 1,500 DDoS cyberattacks with traffic of more than one Gigabit per second are observable every day. The total attack traffic reaches up to four Terabytes per day (see Figure). Unfortunately, 80 percent of these attacks are not detectable with current DDoS detection techniques applied locally at each site!
Closer investigation shows that DDoS cyberattacks have become more sophisticated. Today, attackers target many applications (ports) in parallel and can generate higher attack traffic levels at a lower cost. Moreover, attackers can use compromised machines around the globe to target a victim service. Thus, current DDoS detection techniques that analyze data at one location fail to detect them, as they lack the global view of the ongoing attack. Even if local techniques detect some of the attacks, the detection is late and yields a higher cost of mitigation. “Without the large-scale network data collected at different vantage points, it would not have been possible to understand why DDoS detection mechanisms are no longer effective. The same data also shows that a given attack is visible at multiple locations. Thus, if the involved network infrastructures had informed each other about ongoing DDoS cyberattacks, they could have jointly defended against them,” explains BIFOLD Fellow Prof. Georgios Smaragdakis.
Motivated by their findings, the researchers developed and tested a DDoS Information Exchange Point (DXP) where network infrastructure providers exchange data about ongoing attacks, including attack traffic level, sources, and destinations of attacks, in a trusted environment. The evaluation of the proposed DXP shows that smaller network infrastructure providers, which may lack the resources and expertise to defend against cyberattacks, benefit the most. With DXP, mitigation of cyberattacks comes at a lower cost. Indeed, DDoS attacks are detected up to ten minutes earlier, and the attack traffic is dropped closer to the source of the attack. The DXP is now under testing and is expected to be fully operational in the coming months, helping to protect thousands of networks and services around the globe against DDoS attacks.
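The following is an added illustration of the argument above, not code from the paper and not the authors' detection method: each site applies the same traffic threshold to its own view, while a DXP-style pooled view sums per-destination observations across sites. The vantage-point names, destination prefixes and traffic figures are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: per-vantage-point observations of inbound reflection
# traffic (Gbit/s) toward a destination prefix, keyed by the UDP source port
# of the reflectors. Values are illustrative, not data from the paper.
OBSERVATIONS = [
    ("ixp-a", "203.0.113.0/24", 123, 0.4),    # NTP reflection slice
    ("ixp-b", "203.0.113.0/24", 123, 0.3),
    ("ixp-c", "203.0.113.0/24", 53, 0.5),     # DNS reflection slice
    ("ixp-d", "203.0.113.0/24", 11211, 0.2),  # memcached slice
    ("ixp-a", "198.51.100.0/24", 53, 1.6),    # large enough to see locally
    ("ixp-b", "192.0.2.0/24", 123, 0.1),      # background noise
]

THRESHOLD_GBPS = 1.0  # same threshold for the local and the shared view


def local_detections(observations, threshold=THRESHOLD_GBPS):
    """Each site sums only the traffic it sees itself, per destination."""
    per_site = defaultdict(float)
    for site, dst, _port, gbps in observations:
        per_site[(site, dst)] += gbps
    return {dst for (site, dst), total in per_site.items() if total >= threshold}


def shared_detections(observations, threshold=THRESHOLD_GBPS):
    """DXP-style view: pool traffic, ports and reporting sites per destination.

    Returns {dst: (total_gbps, sorted ports, sorted contributing sites)} for
    destinations whose pooled traffic crosses the threshold; the site list is
    where filtering closest to the attack sources could be applied.
    """
    total, ports, sites = defaultdict(float), defaultdict(set), defaultdict(set)
    for site, dst, port, gbps in observations:
        total[dst] += gbps
        ports[dst].add(port)
        sites[dst].add(site)
    return {dst: (round(total[dst], 2), sorted(ports[dst]), sorted(sites[dst]))
            for dst in total if total[dst] >= threshold}


def missed_locally(observations, threshold=THRESHOLD_GBPS):
    """Destinations that only surface as attacks once observations are pooled."""
    pooled = set(shared_detections(observations, threshold))
    return pooled - local_detections(observations, threshold)


if __name__ == "__main__":
    print("local:", sorted(local_detections(OBSERVATIONS)))
    print("shared:", shared_detections(OBSERVATIONS))
    print("missed locally:", sorted(missed_locally(OBSERVATIONS)))
```

The multi-port attack on 203.0.113.0/24 stays below the threshold at every single site and is only detected once the four sites pool their observations.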
The publication in detail:
Daniel Wagner, Daniel Kopp, Matthias Wichtlhuber, Christoph Dietzel, Oliver Hohlfeld, Georgios Smaragdakis, Anja Feldmann: United We Stand: Collaborative Detection and Mitigation of Amplification DDoS Attacks at Scale. CCS 2021: 970-987