Towards Remediating DDoS Attacks
Arturs Lavrenovs
NATO CCDCOE, Tallinn, Estonia
Arturs.Lavrenovs@ccdcoe.org
DOI: 10.34190/IWS.21.046
Abstract: The Internet infrastructure has been struggling with distributed denial of service (DDoS) attacks for more than two decades. This paper reviews aspects of current remediation strategies for reflected amplified DDoS attacks and identifies elements that are insufficiently researched which might be hindering remediation efforts. It identifies additional actors who should be playing a role in these efforts and reviews their incentives and motivation. The issue has long been whether it is possible to remediate abused protocols faster than the protocols get deprecated while devices using them remain functional until the end of their life. It now appears that it is. The Memcache protocol attack capacity was only 319 Mbps in May 2020, but it was 1.7 Tbps only two years previously. Thus it can be considered fully remediated. The paper examines why this was a successful remediation effort and whether it could be applied to other commonly abused protocols by using the reflector capacity measurement methodology. In contrast, the long-term abused DNS protocol has not seen a significant drop in capacity, which is lingering around 27.5 Tbps.
Keywords: DDoS attacks, DDoS attack capacity, DDoS attack remediation, reflectors, amplifiers
1. Introduction
The first DDoS network attack was two decades ago and was soon followed by reflected amplified DDoS attacks that have been plaguing the Internet ever since. Although the number of reflectors observed by scanning projects has been steadily decreasing, the attack capacity is ever-growing and is setting new records. A reasonable observer would assume that our technological society is capable of solving this long-known technical challenge, and perhaps wonder why we have not.
This paper discusses only reflected amplified DDoS attacks and, while the attackers' desired effect for the victims is the same and may be common across different types of attack, the remediation strategies differ widely. Compromised devices participating in a botnet and causing direct attacks attract more attention from law enforcement agencies, Internet service providers (ISP), and industry.
The twofold problem of the ability to spoof source IP addresses in the network and a large number of reflectors is the root cause of the issue. An attacker capable of renting or compromising a host connected to a mismanaged network can use the available upload bandwidth by sending packets with the spoofed IP address of the victim to publicly reachable network services, which in return respond directly to the victim, usually with a larger packet size. The current remediation strategy is the proliferation of network configuration ensuring that only packets with legitimate source IP addresses enter the Internet from individual networks (BCP 38, BCP 84) and removing reflectors. Both the percentage of networks that are spoofable and the number of reflectors per commonly abused protocol have decreased, which indicates that the remediation strategy is working, at least to some extent, while the DDoS attacks are breaking capacity records.
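The attack path and the remediation described in this paragraph, as an added example that is not part of the original paper: a small Python model in which a BCP 38 style source-address filter at the edge of the attacking host's network decides whether spoofed queries ever reach a reflector, and how much amplified traffic arrives at the victim if they do. The prefixes, packet sizes and service name are constructed assumptions, not measured values.

```python
"""Added example, not from the paper: a model of the reflected amplified
attack path with a BCP 38 style source-address filter at the edge of the
network the attacking host sits in. Prefixes and packet sizes are
constructed for illustration, not measured values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Reflector:
    protocol: str
    request_bytes: int   # bytes the attacker sends per query
    response_bytes: int  # bytes the service returns to the (spoofed) source

    @property
    def amplification(self) -> float:
        """Bandwidth amplification factor of this reflector."""
        return self.response_bytes / self.request_bytes


def bcp38_allows(src_ip: str, own_prefixes) -> bool:
    """BCP 38 ingress filtering: a packet may leave the network only if its
    source address belongs to one of the prefixes assigned to that network."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(p) for p in own_prefixes)


def victim_traffic_bps(upload_bps: float, src_ip: str, own_prefixes,
                       reflector: Reflector, filtering: bool) -> float:
    """Bandwidth arriving at the host that owns src_ip. A filtering network
    drops the spoofed queries at its edge; a spoofable network lets the
    attacker turn its whole upload rate into amplified responses."""
    if filtering and not bcp38_allows(src_ip, own_prefixes):
        return 0.0
    return upload_bps * reflector.amplification


# Constructed scenario: a host on 203.0.113.0/24 spoofs the victim address
# 198.51.100.7 towards a UDP service answering 60-byte queries with 3000 bytes.
NETWORK = ["203.0.113.0/24"]
SERVICE = Reflector("udp-service", request_bytes=60, response_bytes=3000)

if __name__ == "__main__":
    for filtering in (False, True):
        bps = victim_traffic_bps(100e6, "198.51.100.7", NETWORK, SERVICE, filtering)
        print(f"BCP 38 filtering={filtering}: {bps / 1e6:.0f} Mbps reaches the victim")
```

With the filter disabled the 100 Mbps upload link becomes 5 Gbps at the victim; with it enabled nothing leaves the source network, which is why the paper treats spoofability and reflector count as the two halves of one problem.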
Addressing the DDoS problem in 2020 has become more important than ever. The global pandemic almost instantly shifted the whole education system and the jobs that can be done online to the home. Accessing different remote systems has become a necessity for all those affected. DDoS attacks against many organisations could previously have had only a limited negative effect and reputational damage, and the daily operations of employees and students could continue in person or via locally accessible systems. Now the attack can stop all work and education for remote users relying on the targeted system. This has become a reality; DDoS attacks against an e-learning platform by a single high school student disrupted access to online classes for a week for 170,000 users (Freed, 2020). What could be the worldwide economic impact if a new record-breaking DDoS attack targets the largest online collaboration tools?
2. Related work
DDoS is a widely researched topic. It primarily follows a typical pattern of new technology emerging, such as SDN, blockchain, AI, and researchers applying it to the DDoS problem, but usually when the attack has already reached the victim. The root cause of the issue is twofold: the ability to spoof the source IP addresses and a large