About

Overview

Amplification DDoS attacks (also known as Distributed Reflection Denial-of-Service attacks, or DRDoS attacks), a kind of Denial-of-Service attack that abuses a large number of network devices to flood the bandwidth of a target, have recently become a major threat on the Internet. To confront this threat, we are developing AmpPot (DRDoS Honeypot), a system for observing and analyzing this type of attack.

Figure 1. Overview of AmpPot.

We have been observing amplification DDoS attacks using AmpPots since October 2012. Figure 2 shows the number of attacks that our AmpPots observed. The number of AmpPot sensors varies depending on the period, but the number of attacks has been increasing rapidly for the past few years, and this trend shows that the amplification DDoS attack has become a major threat on the Internet.

Figure 2. The number of amplification DDoS attacks that AmpPots observed.

By continuously observing and analyzing amplification DDoS attacks, we aim to understand attack trends and to develop countermeasures against the attacks using these technologies.

Alert System

We are developing an alert system for amplification DDoS attacks using AmpPot technologies, and we provide its attack information to a number of organizations in Japan.

Figure 3. Amplification DDoS alert system.

Figure 4. The number of amplification DDoS attack alerts.

Periodical Reports

We will periodically release observational reports on amplification DDoS attacks.

Contact

Please email us if you have any questions: ynugr-dos[atmark]ynu.ac.jp

References

  1. Lukas Kramer, Johannes Krupp, Daisuke Makita, Tomomi Nishizoe, Takashi Koide, Katsunari Yoshioka, Christian Rossow, "AmpPot: Monitoring and Defending Amplification DDoS Attacks," Proceedings of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID’15).
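  2. Takashi Koide, Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, "Observation and Analysis of TCP-based Reflection DDoS Attacks Using Honeypot," Posters of the 18th International Symposium on Research in Attacks, Intrusions and Defenses (RAID’15).
  3. Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, "Observation of DNS Amplification Attacks Using a DNS Honeypot" (in Japanese), IPSJ Journal, Vol. 55, No. 9, pp. 2021-2033, 2014.
  4. Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, Junji Nakazato, Jumpei Shimamura, Daisuke Inoue, "Correlation Analysis of a DNS Honeypot and a Darknet toward Proactive Countermeasures against DNS Amplification Attacks" (in Japanese), IPSJ Journal, Vol. 56, No. 3, pp. 921-931, 2015.
  5. Tomomi Nishizoe, Daisuke Makita, Katsunari Yoshioka, Tsutomu Matsumoto, "Observation of DRDoS Attacks Using a Protocol-Noncompliant Honeypot" (in Japanese), IEICE, Symposium on Cryptography and Information Security (SCIS), 2015.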

Acknowledgements

This is joint work between Yokohama National University, Japan; the National Institute of Information and Communications Technology (NICT), Japan; and Saarland University, Germany.