SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots
Marcin Nawrocki, John Kristoff, Raphael Hiesgen, Chris Kanich, Thomas C. Schmidt, Matthias Wählisch
TL;DR
This work questions the long-held belief that amplification-honeypot deployments provide near-complete visibility into reflective DDoS attacks. It combines a systematization of six amplification honeypot platforms with a data-driven evaluation across a large-scale honeypot, four network telescopes, and a real-world baseline from a major DDoS mitigation provider to compare attack detection thresholds, convergence, and completeness. The authors find that attack thresholds yield largely similar results across platforms, honeypot convergence is statistically unstable, and honeypots observe only a small fraction of ground-truth attacks, suggesting substantial incompleteness. They propose a framework for reproducible honeypot research, emphasize the need for orthogonal data sources to assess completeness, and outline directions for better threshold definitions and practical deployment strategies to improve observer coverage in the amplification ecosystem.
Abstract
In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis, including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find that most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Finally, we derive guidance on precise, reproducible honeypot research and present open challenges.
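To make the "threshold space" idea concrete, the following is an added example (not code from the paper or from any of the surveyed honeypot platforms). It uses a generic, assumed attack-threshold definition: a target counts as attacked when at least `min_requests` amplification requests aimed at it arrive within a sliding window of `window_s` seconds, optionally requiring that at least `min_sensors` honeypot sensors observed them. The request log is constructed inline; the helper names (`detect_attacks`, `threshold_sweep`, `jaccard`) are this example's own. Sweeping several threshold settings over the same data shows how the set of detected attacks, and the overlap between two settings, depends on the threshold choice.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One amplification request as an honeypot sensor would log it (constructed)."""
    ts: float       # seconds since epoch
    target: str     # spoofed source address, i.e. the reflection victim
    honeypot: str   # identifier of the sensor that received the request


def detect_attacks(requests, min_requests, window_s, min_sensors=1):
    """Assumed threshold rule: a target is 'under attack' if some window of
    window_s seconds contains >= min_requests requests for it, observed by
    >= min_sensors distinct sensors. Returns the set of attacked targets."""
    by_target = defaultdict(list)
    for r in requests:
        by_target[r.target].append(r)
    attacked = set()
    for target, reqs in by_target.items():
        reqs.sort(key=lambda r: r.ts)
        left = 0
        for right in range(len(reqs)):
            # Advance the left edge until the window fits within window_s.
            while reqs[right].ts - reqs[left].ts > window_s:
                left += 1
            span = reqs[left:right + 1]
            sensors = {r.honeypot for r in span}
            if len(span) >= min_requests and len(sensors) >= min_sensors:
                attacked.add(target)
                break
    return attacked


def threshold_sweep(requests, configs):
    """Run detect_attacks once per (min_requests, window_s, min_sensors) tuple."""
    return {cfg: frozenset(detect_attacks(requests, *cfg)) for cfg in configs}


def jaccard(a, b):
    """Overlap between two detected-attack sets (1.0 = identical)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def build_sample():
    """Constructed log: a clear victim, a scanner, and a low-volume burst."""
    reqs = []
    # Victim: three sensors each see 40 requests spread over ~60 s (120 total).
    for hp in ("hp-a", "hp-b", "hp-c"):
        for i in range(40):
            reqs.append(Request(ts=1000.0 + i * 1.5, target="203.0.113.5", honeypot=hp))
    # Scanner: a single probe per sensor, minutes apart; not an attack.
    for i, hp in enumerate(("hp-a", "hp-b", "hp-c")):
        reqs.append(Request(ts=2000.0 + i * 300, target="198.51.100.7", honeypot=hp))
    # Low-volume burst: 8 requests within ~9 s, seen by one sensor only.
    for i in range(8):
        reqs.append(Request(ts=3000.0 + i * 1.25, target="203.0.113.9", honeypot="hp-b"))
    return reqs


if __name__ == "__main__":
    log = build_sample()
    configs = [(100, 60, 1), (5, 60, 1), (5, 60, 2), (100, 10, 1)]
    results = threshold_sweep(log, configs)
    for cfg, found in results.items():
        print(f"min_requests={cfg[0]:>3} window={cfg[1]:>2}s min_sensors={cfg[2]}: {sorted(found)}")
    # How much two threshold choices agree on what counts as an attack.
    print("overlap (100,60,1) vs (5,60,2):", jaccard(results[(100, 60, 1)], results[(5, 60, 2)]))
    print("overlap (100,60,1) vs (5,60,1):", jaccard(results[(100, 60, 1)], results[(5, 60, 1)]))
```

The strict rate threshold and the multi-sensor threshold agree completely on this data, while lowering the rate without a sensor requirement also flags the single-sensor burst, and shrinking the window to 10 s misses the victim entirely. Reporting such a sweep, rather than a single fixed threshold, is one way to make a honeypot study's attack counts reproducible and comparable across platforms; note that agreement between thresholds says nothing about completeness against an external baseline, which is the paper's separate point.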
