Quantifying TCP SYN DDoS Resilience: A Longitudinal Study of Internet Services

Abstract

Among the most prevalent attacks on the Internet are TCP SYN floods, in which a massive number of malicious connection requests is sent to a victim until the server's resources are exhausted. To make these attacks harder to trace back and defend against, SYN floods are typically sent with spoofed source addresses, which has the interesting side effect that an "echo" of ongoing attacks becomes visible as background noise at the spoofed addresses. This paper presents a longitudinal study of this Internet backscatter, received at more than 65,000 IP addresses over a period of 5 years, which allows us to quantify the types of victims that are attacked, the duration and intensity of attacks, and whether services collapse under the load, thereby providing insight into the resilience of services offered publicly on the Internet. Our findings show that DDoS attacks have changed significantly in type and magnitude within this relatively short period. We also see that Internet services have by and large co-evolved with the growing threat and become increasingly better provisioned, yet at a rate insufficient to keep up with the growth of attacks.
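The abstract describes the mechanism only in outline: a spoofed SYN flood makes the victim reply (SYN-ACK for an open port, RST-ACK for a closed one) to addresses that never asked, and a block of unused addresses therefore sees a thinned-out echo of every such attack. The following is an added example, not the paper's code or methodology, of how backscatter records from such a telescope can be turned into the kinds of per-victim metrics the abstract lists (victim service, duration, intensity, and a hint of collapse). The input format, the 10-second binning, the 65,000-address telescope scaled against uniformly spoofed IPv4 sources, and the "degraded" heuristic (SYN-ACK replies nearly vanishing mid-attack) are all assumptions of this example; the sample records are constructed.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# A telescope of TELESCOPE_ADDRS unused addresses receives roughly this share
# of the replies to a flood whose spoofed sources are drawn uniformly from
# IPv4. Uniform spoofing is an assumption of this example, not a given.
TELESCOPE_ADDRS = 65_000
IPV4_ADDRS = 2 ** 32
WINDOW = 10        # seconds per time bin
MIN_PKTS = 3       # replies per bin before a victim counts as "under attack"
DROP_FRAC = 0.2    # bin below 20% of peak SYN-ACK rate mid-attack -> degraded


@dataclass(frozen=True)
class Rec:
    t: float     # arrival time at the telescope, seconds
    src: str     # source address of the unsolicited packet (the victim)
    sport: int   # source port (the attacked service)
    flags: str   # TCP flags: "SA" SYN-ACK, "RA" RST-ACK, "S" bare SYN, ...


def parse(lines):
    """Parse whitespace-separated 'time src sport flags' records."""
    recs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        t, src, sport, flags = line.split()
        recs.append(Rec(float(t), src, int(sport), flags))
    return recs


def analyze(recs):
    """Group backscatter by (victim, port) and derive attack metrics."""
    synack = defaultdict(Counter)   # (victim, port) -> bin -> SYN-ACK count
    rstack = defaultdict(Counter)   # (victim, port) -> bin -> RST-ACK count
    for r in recs:
        b = int(r.t // WINDOW)
        if r.flags == "SA":
            synack[(r.src, r.sport)][b] += 1
        elif r.flags == "RA":
            rstack[(r.src, r.sport)][b] += 1
        # Anything else (e.g. a bare SYN) is a probe *of* the telescope,
        # not an echo of an attack on someone else, so it is ignored.
    result = {}
    for key in set(synack) | set(rstack):
        total = synack[key] + rstack[key]
        active = sorted(b for b, n in total.items() if n >= MIN_PKTS)
        if not active:
            continue                      # sporadic noise, not a flood
        span = range(active[0], active[-1] + 1)
        open_port = sum(synack[key].values()) > sum(rstack[key].values())
        peak = max(synack[key][b] for b in span) if open_port else 0
        # Mid-attack bins where SYN-ACK replies nearly vanish: the backlog
        # may be full and SYNs dropped (assumed collapse heuristic).
        degraded = [b for b in span
                    if open_port and synack[key][b] < DROP_FRAC * peak]
        obs_pps = max(total[b] for b in span) / WINDOW
        result[key] = {
            "reply": "SYN-ACK" if open_port else "RST-ACK",
            "duration_s": len(span) * WINDOW,
            "peak_observed_pps": obs_pps,
            "est_victim_pps": obs_pps * IPV4_ADDRS / TELESCOPE_ADDRS,
            "degraded_bins": degraded,
        }
    return result


def _burst(t0, n, src, sport, flags):
    # Constructed helper: n replies spread evenly over one WINDOW from t0.
    return [f"{t0 + i * WINDOW / n:.2f} {src} {sport} {flags}" for i in range(n)]


# Constructed telescope log: one HTTPS victim whose replies dry up in the
# fourth bin, one SSH port answering with RST-ACK (closed), a scanner probing
# the telescope itself, and a single stray reply below the noise threshold.
SAMPLE = (
    _burst(0, 8, "203.0.113.10", 443, "SA")
    + _burst(10, 8, "203.0.113.10", 443, "SA")
    + _burst(20, 9, "203.0.113.10", 443, "SA")
    + _burst(30, 1, "203.0.113.10", 443, "SA")   # replies collapse mid-attack
    + _burst(40, 7, "203.0.113.10", 443, "SA")
    + _burst(50, 8, "203.0.113.10", 443, "SA")
    + _burst(0, 4, "198.51.100.7", 22, "RA")
    + _burst(10, 4, "198.51.100.7", 22, "RA")
    + _burst(20, 4, "198.51.100.7", 22, "RA")
    + _burst(5, 6, "192.0.2.99", 54321, "S")     # scanner, not backscatter
    + _burst(30, 1, "192.0.2.1", 80, "SA")       # stray reply, ignored
)


def analyze_sample():
    return analyze(parse(SAMPLE))


if __name__ == "__main__":
    for (victim, port), m in sorted(analyze_sample().items()):
        print(f"{victim}:{port} {m}")
```

The scaling from observed to estimated victim-side packet rate is the weakest step: it assumes the attacker spoofs uniformly over all of IPv4, and a flood that spoofs only from a /8 or reuses a small source list would be grossly under- or over-estimated. The degraded-bin heuristic is likewise only suggestive; a host running SYN cookies keeps replying under load, while a saturated upstream link stops replies without the service itself having failed.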

Publication
In IFIP Networking Conference
Harm Griffioen
Assistant Professor Cyber Security

My research interests include internet measurements, network security, and cyber threat intelligence.