
Traffic Measurements for Cyber Security

Demystifying DDoS as a Service

Ali Zand, Gaspar Modelo-Howard, Alok Tongaonkar, Sung-Ju Lee, Christopher Kruegel, and Giovanni Vigna

Ali Zand, Christopher Kruegel, and Giovanni Vigna are with the University of California, Santa Barbara; Gaspar Modelo-Howard is with Symantec; Alok Tongaonkar is with RedLock; Sung-Ju Lee is with KAIST.

Digital Object Identifier: 10.1109/MCOM.2017.1600980
0163-6804/17/$25.00 © 2017 IEEE. IEEE Communications Magazine • July 2017

Abstract

In recent years, we have observed a resurgence of DDoS attacks. These attacks often exploit vulnerable servers (e.g., DNS and NTP) to produce large amounts of traffic with little effort. However, we have also observed the appearance of application-level DDoS attacks, which leverage corner cases in the logic of an application in order to severely reduce the availability of the provided service. In both cases, these attacks are used to extort a ransom, to hurt a target organization, or to gain some tactical advantage. As it has happened for many of the components in the underground economy, DDoS has been commoditized, and DDoS as a service (DaaS) providers allow paying customers to buy and direct attacks against specific targets. In this article, we present a measurement study of 17 different DaaS providers, in which we analyzed the different techniques used to launch DDoS attacks, as well as the infrastructure leveraged in order to carry out the attacks. Results show a growing market of short-lived providers, where DDoS attacks are available at low cost (tens of dollars) and capable of easily disrupting connections of over 1.4 Gb/s. In our study, particular attention was given to characterize application-level (HTTP) DDoS attacks, which are more difficult to study given the low volume of traffic they generate and the need to study the logic of the application providing the target service.

Introduction

Distributed denial of service (DDoS) attacks have been a problem on the Internet for more than 15 years. However, the recent increase in the number of DDoS attacks and in the amount of traffic that they generate has attracted the attention of the media, the industry, and the research community alike. This new wave of attacks exploits asymmetries in vulnerable services to generate large amounts of traffic or use large amounts of resources with relatively little effort from the attacker. For example, misconfigured Network Time Protocol (NTP) services can be leveraged to generate gigabytes of data with a simple spoofed request. This generated traffic exhausts the bandwidth available at the target. We call this type of (more traditional) attack an extensive DDoS.

However, there is another type of DDoS attack in which the lack of availability of a resource is due to the fact that a single interaction with the target requires an unusually high amount of resources in order to be processed. For example, on a web site, there might be a search form that, when provided with certain values, might require an extremely large database query that slows the whole website to a crawl. We call this kind of attack an asymmetric application-level or intensive DDoS.

While extensive DDoS attacks have been studied for quite a while [1] and some remediation has been provided (e.g., coordinated filtering managed by blacklists, rate limiting, patching of vulnerable services), intensive DDoS attacks have not received the same level of attention. The latter is more difficult to characterize because they often depend on the logic of the application providing the target service. In addition, these attacks do not rely on large volumes of data and therefore can go undetected by volumetric detection mechanisms. Finally, since the attacker communicates with the service following the service protocol, the attacker's requests are similar to a legitimate request and hence more difficult to filter out.

As both extensive and intensive DDoS attacks become an integral part of the efforts of cybercriminals to obtain financial gains (e.g., by blackmailing organizations under attack or by obtaining a tactical advantage in time-sensitive settings), the provision of DDoS service has become commoditized. We now see the rise of DDoS as a service (DaaS) offerings, in which DDoS providers attack a target in exchange for money.

Background

In this section we introduce the different types of DDoS attacks available, as well as the basic infrastructure of the DaaS providers, which are the subject of our study.

Types of DDoS Attacks

A DDoS attack can be extensive or intensive. An extensive attack relies on high volumes of traffic that by itself is harmless. A malicious actor needs a considerable amount of resources to successfully execute an extensive attack, as it is costly to generate enough traffic volume to impact a large target. Examples of these attacks include SYN flood, UDP flood, reflected Domain Name Service (DNS), and reflected NTP.

In most extensive attacks, miscreants may use a technique called amplification. Leveraging amplification, the attacker continuously abuses a
set of hosts that responds to a request with a considerably larger response that is delivered to the destination of the attacker's choosing. Previous studies have shown that this amplification factor differs according to the used protocol and can be as high as 4670. These types of attacks have achieved throughputs as high as 500 Gb/s and affected enterprises with large infrastructures such as Sony PlayStation Network, Cloudflare, and several U.S. banks.

Intensive attacks, on the other hand, target specific weaknesses in a target application. Any request (or request access pattern) that takes a considerably larger amount of resources on the server than the client can be leveraged to perform this attack. These vulnerabilities can be due to problems like memory leaks and long running processes that never free their resources. Most cases of intensive attacks target HTTP servers, given their popularity on the Internet. Examples include submitting data to web forms found on the victim server, at very slow rates (one byte at a time), and opening multiple connections that are kept alive by sending partial packets. These examples have been implemented by the R-U-Dead-Yet? (RUDY) and Slowloris tools [2], respectively. Also worth noting is that intensive attacks only send legit packets, not malformed ones, making the resulting traffic appear legitimate, complicating their detection by security systems.

Basic Scenario for DDoS as a Service Providers

The continued rise of DDoS attacks as a way to target the online presence of organizations can be attributed to several factors. One possibility is that these attacks are often conducted through botnets, which often encompass thousands of computers. Pools of vulnerable computers are always available, given the constant discovery of software bugs.

Another possible factor for the rise of DDoS attacks is the commoditization phenomenon that these types of attacks have seen in the last few years. A large number of DaaS providers are available on the Internet, providing cheap access to both extensive and intensive DDoS attacks. Using a subscription-based model, the providers' fees range between $2 and $15 for basic packages. They support different payment mechanisms, ranging from traditional online systems like PayPal to the Bitcoin electronic currency and anonymous payment systems like Paysafecard. The basic packages allow launching attacks for 60--90 s and currently produce attack volume peaking at more than 1.4 Gb/s. More expensive packages are also available, which provide longer attack periods and subscription terms. The same sets of extensive and intensive DDoS attacks are available for all subscription packages.

Figure 1 shows a diagram of the infrastructure used by DaaS providers to offer their pay, point, and click service. The diagram includes the payment platform used (phase 1, pay), as well as the components used by the providers to launch a DDoS attack (phase 2, point and click). As shown in the diagram, intensive attacks are launched using dedicated servers, since only a small set of hosts is required and software needs to be installed to interact with the logic of the web application under attack. Botnets and misconfigured hosts are commonly used when launching the volumetric, extensive attacks.

[Figure 1: diagram with the following elements. Phase 1: DaaS client, DaaS provider, anti-DDoS provider, payment platforms. Phase 2: bots, dedicated servers, misconfigured servers, web form (victim).]

Figure 1. Infrastructure used by DaaS providers, including the payment platforms employed (phase 1) and the set of resources to launch the selected DDoS attack (phase 2). Intensive attacks predominantly utilize dedicated hosts with high bandwidth.

A common trait found in DaaS providers is the usage of anti-DDoS service providers to protect their web platforms. As many of them claim to be only used to stress test the resources owned by a customer, the providers include DDoS protection mechanisms in their infrastructure.

Given the shady nature of the business, DaaS providers are not particularly dependable services. In our study, we found them to have a short life span (compared to legitimate online services), measured in weeks to months. Of the 17 providers identified and tested, only 7 were functional at the end of our three-month evaluation. Additionally, those providers that were functional delivered an average of only 44 percent of the offered services. We also found several systems provided intermittent service.



The DDoS as a Service Landscape

Methodology

We identified 28 different DaaS providers for our study, from visiting multiple hacking sources: forums, blogs, mailing lists, and news sites. A user account was then created on each of the 28 providers. After reviewing the corresponding websites, 17 were determined to be operational. The other 11 failed to provide a working service interface. We later realized that this failure rate is the result of the common short and intermittent life span experienced by DaaS providers (usually weeks to months). For example, 12 out of the 17 providers were available since the start of our investigation, while the other 5 became active later in the process.

Using each of the 17 operational providers, we investigated the DaaS ecosystem from both sides of the attack.

As a DaaS Customer: After registering on the website of each provider, their services were bought for a limited time, selecting the cheapest services available on each website. The prices varied from $2 to $15. We studied the different functionalities provided on these websites to help determine how their advertisement, payment systems, and business aspects work. Additionally, our analysis also included a look at their offered attack capabilities.

As a DDoS Victim: We set up a machine to serve as a target of DDoS attacks and ordered each provider to launch the strike against it. The victim machine was an Ubuntu Linux machine with 8 GB of RAM, 1 TB of SSD disk space, dual-core Intel processor, an optical fiber network connection of 10 Gb/s to the Internet, running an Apache web server with MediaWiki software, and hosting a clone of a university's department website. The machine was connected to the Internet through a dedicated link that allowed isolation of our tests from the rest of the university campus network and prevented it from being negatively affected. We captured all the traffic aimed at our victim machine, its responses, and its internal state during the attacks.

Each DaaS was tested four times over a period of three months, from May to July 2014. In each of the four runs, we tested all the attack types offered by each of the working DaaS and captured all the resulting traffic. At all times during the testing, we ran only one type of attack from a single DaaS. Also, to prevent late packets from one attack from being mixed with the next, we waited for 100 s between consecutive attacks.

Ethical Considerations

There are multiple risk factors associated with studying cyber-miscreants. To deal with these factors and to develop the ethical framework for our experiments, we followed the ethical guidelines for computer security research defined in the Menlo Report [3] and consulted previous work where researchers actively interacted with systems or networks used by cyber-miscreants [4, 5].

To reduce the risk of financing possible cyber-miscreants during our experiments, we purchased the cheapest services from the DaaS providers. This meant a single DaaS provider received no more than $45, as we repeated the experiments three times on the most expensive ($15) service used.

Another risk factor for studies such as ours is to unwittingly and negatively affect other victims. In this case, the victims can be compromised machines used by the providers to launch the DDoS attacks or other machines and networks on the path of the attack that are affected by the amount of generated traffic. To mitigate the potential risks, our experiments included conditions to restrict the duration and intensity of the attacks, limit the path of the attack traffic, and coordinate the experiments with the system administrators of our campus networks.

As mentioned before, we ran each attack for only 60 s to limit the impact of each attack. In addition, the target machine used to receive the attacks was located on an isolated subnet of our campus network and connected to a dedicated 10 Gb/s link so that the traffic generated during the tests would not affect other subnets (and their hosts) on campus. We also ran all high traffic tests during weekend nights to further reduce impacting network bystanders.

We acquired the campus network administrators' permission to run our tests before proceeding, agreed on a schedule, and established a contingency plan in case an undesirable situation happened. We followed up with the network administrators after each round of experiments and confirmed with them that an experiment had not negatively affected other parts of the campus network before proceeding with the next round.

Finally, it should be mentioned that our research was out of scope of the institutional review board (IRB) committee given that the experiments with DaaS providers did not include any type of direct or indirect experiments with human beings.

Results for DaaS Providers

The four test runs generated around 255 GB of traffic and more than 94.1 million packets. The top four protocols (DNS, CHARGEN, Simple Network Management Protocol [SNMP], and NTP) produced 91.3 percent of the total traffic generated. DNS was the top traffic contributor with 71.07 GB, while NTP was the top packet generator with 34.9 million packets. Attacks using HTTP only produced 0.71 GB from 4.72 million packets.

Table 1 shows the amount of traffic generated by each DaaS during a run. Those providers that were not active in a run are shown with a dash (—). Results showed that 10 to 14 DaaS were active in a single run and that traffic generated varied among the different providers. For example, the RAG¹ and DES DaaS generated 30.5 and 38.2 GB each in run 1, while APO and ION only produced 2 and 5 MB. Out of the 47 tests that produced traffic across the four different runs, 26 (55 percent) produced at least 1 GB.

¹ Throughout this article, each DaaS provider is referred to by a three-letter code in order to keep its real name anonymous and avoid publicizing its service. For example, a DaaS named GeneralTester could be referred to as GRL.

Table 1. Traffic generated by each DaaS (MB).

DaaS/run    1         2         3         4
APO         2         —         90        2289
BIG         90        415       61        170
DAR         4256      —         —         —
DES         38,194    11,889    20,922    10,727
DIV         —         4         8         —
GRI         20,752    —         —         —
HAZ         —         1         2         1
IDD         —         4         2         64
ION         5         4         4         14,118
IPS         2284      —         —         —
NET         1776      1854      1556      982
POW         2759      3727      3723      —
QUA         8132      —         —         —
RAG         30,505    4018      4         3
RES         8499      —         —         —
TIT         21,609    2274      3501      8238
WRA         7219      6891      11,699    95

The functionalities provided by different DaaS providers differ greatly in terms of their claimed and actual attack types provided. Table 2 shows the offered attack capabilities of each DaaS. In this table, each row is a type of attack, and each column represents a DaaS. A checkmark (✓) indicates that the feature was offered and indeed worked during the experiments. An (✗) means the feature was offered but did not work for any test run. A blank space means that the feature was not offered.

Table 2. Attack methods offered by each DaaS provider tested.

Attack/DaaS          APO BIG DAR DES DIV GRI HAZ IDD ION IPS NET POW QUA RAG RES TIT WRA    No. DaaS

Extensive attacks
UDP                  (✗) ✓ ✓ (✗) ✓ (✗) (✗) (✗) ✓ ✓ ✓ ✓                                       7/12
Home Conn.           ✓ (✓)                                                                  1/2
XSYN                 (✗) ✓ (✗) (✗)                                                          1/4
SSYN                 (✗) (✗) ✓ (✗) (✗) ✓ ✓ ✓ (✗) ✓                                          5/10
SSDP                 ✓ ✓ ✓                                                                  1/1
ESSYN                (✗) (✗) (✗) ✓ ✓ ✓                                                      3/6
ZSSYN                                                                                       1/1
NUDP (Net BIOS)      ✓                                                                      1/1
SUDP (SNMP)          ✓ ✓ (✗)                                                                2/3
Website              ✓                                                                      1/1
XBOX Live            ✓                                                                      1/1
DNS                  (✗) (✗) ✓ ✓                                                            2/4
CHARGEN              (✗) (✗) (✗) ✓ (✗) ✓                                                    2/6
NTP                  (✓) ✓ ✓ ✓                                                              4/5
TCP Amp.             ✓                                                                      1/1
RUDP                 (✗)                                                                    1/2
UDPLAG               (✗) ✓ (✗) (✗) (✗) ✓ ✓ (✗) (✗) ✓ ✓ ✓                                    8/14

Intensive attacks
POST                 (✗) (✗) (✗) (✗) ✓ (✗) ✓                                                2/7
HEAD                 (✗) (✗) (✗) (✗) ✓ (✗) (✗)                                              1/7
GET                  (✗) (✗) (✗) (✗) ✓ (✗) ✓                                                2/7
ARME                 (✗) (✗) (✗) (✗) ✓ (✗) ✓                                                2/7
SLOWLORIS            ✓ (✗) (✗) (✗) (✗) (✗) ✓ ✓                                              3/8
RUDY                 (✗) (✗) (✗) (✗) (✗) (✗) (✗) ✓ ✓                                        2/9
XML-RPC              ✓ (✗) ✓ (✗) (✗) (✗) (✗) (✗) ✓                                          3/9

Not working
Source Engine        (✗)                                                                    0/1
KS                   (✗)                                                                    0/1
Joomla               (✗)                                                                    0/1
OVH                  (✗)                                                                    0/1

No. Attacks          0/6 2/2 3/7 10/17 0/8 5/12 0/2 0/5 0/9 2/4 4/11 1/3 2/5 10/12 3/12 5/5 12/15

A total of 28 different attack methods were identified across the 17 DaaS providers under evaluation. Out of these attack methods, 17 were extensive DDoS attacks, 7 were intensive, and 4 never worked. Of these seven intensive attacks, we found that some of the tools used by the providers to launch these attacks targeted different web server implementations. For example, the Apache Remote Memory Exhaustion (ARME) tool is only effective against Apache servers, as the name implies, while the Slowloris tool targets Apache, HTTPd, and GoAhead web servers. As observed in our experiments, both tools send partial, legitimate packets to keep connections open and do not generate large volumes of traffic compared to extensive attacks.

Table 3 presents the number of completed TCP connections to the victim, the number of unique non-spoofed IP addresses, and the maximum observed throughput for the DaaS producing the largest traffic.

Table 3. Number of connections and unique IP addresses for top traffic generating DaaS per run.

DaaS/run    Number of connections/number of unique IP addresses                 Max. attack size (Mb/s)/run
            1              2              3              4
BIG         20,408/127     7076/85        6625/39        2314/50           84.65/2
DES         –/–            –/–            76,483/9409    51/1              690.18/2
RAG         4226/168       1665/168       –/–            –/–               852.49/1
RES         7523/527       –/–            –/–            –/–               1494.05/1
WRA         55,077/459     89,728/271     71,819/278     51,564/21,573     579.84/2

DaaS Infrastructure for Intensive Attacks

To characterize the machines and networks used by the DaaS providers to launch their intensive attacks, we first determined the non-spoofed IP addresses that initiated the attacks. An address was labeled non-spoofed if at least one complete TCP connection was established with our victim server during the test, which provided a lower bound of the actual situation. Among all (intensive and extensive) attack traffic observed, only 0.71 percent was associated with non-spoofed addresses, an expected result given the usual incognito nature of extensive attacks and the considerably larger traffic they produce.

Using the technique described above, a total of 26,271 non-spoofed IP addresses were identified in all the attacks launched to our victim server and across the five providers that successfully produced the attacks. As shown in Table 4, the number of IP addresses used by a DaaS varied from 35 (TIT) to 21,809 (WRA). The low number of addresses for TIT was a sign of the DaaS soon to go offline, as the service stopped after our second run. WRA, on the other hand, consisted of a large botnet, primarily composed of compromised or misconfigured WordPress web servers. WRA was also the only provider to successfully produce six different types of intensive attacks (GET and POST floods, ARME, Slowloris, RUDY, and XML-RPC pingback) and worked for all four runs.

IP2Location [6] was consulted to determine the geographical information of the IP addresses, their autonomous system number (ASN), and the type of networks to which they were connected. As IP2Location provides various degrees of geolocation accuracy, we limited our analysis to using country and region (state in the United States) information in order to determine the location of addresses. Additionally, we used their classification of subnets and ASNs to label the IP addresses as part of one of the following three types of networks: broadband/residential, commercial hosting providers, and other.

Results show DaaS with different geographical extensions and mixtures of types of machines. The United States and China were the largest sources of machines for the providers, with the United States providing at least 55 percent of the machines in the cases of WRA, DES, and BIG. China was the largest source for RAG and TIT, providing at least 39 percent of the attacking hosts. RAG presented a larger number of countries hosting machines and associated ASNs than BIG, even though they both had similar numbers of IP addresses. 81 percent of the addresses used by RAG were in 10 different countries, and 74.1 percent were connected to broadband networks. In comparison, BIG had 81 percent of its machines located in one country (United States) and 128 addresses (93.3 percent) are connected to networks identified for hosting. Moreover, 85 of those addresses were attributed to a single data center in Arizona. We experienced more effective (able to leave our server unresponsive) and reliable (available through all runs) attacks by using BIG than when launching attacks through RAG, which not surprisingly suggests that machines in hosting networks might be more valuable for DaaS than those in broadband networks.

After identifying the addresses with at least a complete TCP connection in the intensive attacks, we knew that the attacker's machine either had that IP address, or went through a proxy or VPN using that address. To determine each case, we scanned the IP address actively and also fingerprinted the host passively, as both approaches complement each other. An active scan interacts with the target host by sending a predefined set of packets and determining the type of the host based on its response. As such, this approach allows identifying when a proxy is used. In contrast, a passive fingerprinting method observes the traffic originating from the target host and determines its type by looking for patterns that identify a particular operating system or application.

Our findings show that 81.5 percent of the non-spoofed IP addresses belonged to Linux machines and 12.5 percent to Windows hosts; the rest of the machines were not identified. The high occurrence of Linux hosts and non-spoofed IP addresses suggests that DaaS providers depended on machines that use popular OSs, such as dedicated servers and Internet of Things devices, to successfully launch attacks. In terms of proxies used by the providers, we found that they employed proxies in very small numbers, as only 0.76 percent of the non-spoofed addresses were identified as proxies, anonymizing VPN service or TOR exit node. IP2Location also provided information on addresses identified as proxies, validating 92 percent of our results.

Through the four runs of experiments launching intensive attacks, we found few cases of IP address sharing among providers. Most did not share any addresses, and in the cases where they did, it was in very low numbers (1 to 5 addresses). This suggests the appropriation or exclusive control of the machines by each DaaS. WRA was the only exception to this, sharing 5223 addresses with DES, thanks to exploiting a high-risk vulnerability [7] on WordPress servers that was publicly reported during our runs. The vulnerability did not provide a mechanism for attackers to control who could exploit these servers, thus leaving the opportunity for sharing.

Table 5 shows the number of IP addresses reused by BIG and WRA during our experimental runs, as these were the only providers that generated non-spoofed traffic in all four executions. The diagonals in the table show (in bold italic) the total number of IP addresses used by each DaaS in a single run. From our experiments, both providers had to continuously add new machines to their networks, as many of the IP addresses from an attack execution would not be found in the next. As an example, BIG showed 122 addresses in the first run, but only 66 (54 percent) of those would be present in the second run. The attacker needs to constantly find new machines, which is not always trivial. From the second to the third run, BIG went from 82 to 37 IP addresses, and only two of those were new. In the case of WRA, the 21,573 different addresses found in the fourth run correspond to web servers exhibiting the high-risk vulnerability to WordPress, as discussed above.

Operational Stability

Given the shady nature of their business, DaaS providers are not particularly dependable services. Our study found them to have a short life span (compared to legitimate online services), measured in weeks to months. This was supported by the fact that 11 of the 28 DaaSs identified failed to provide any service, while several of the other DaaSs briefly disappeared during the different executions. Only seven of the 17 DaaS were functional for all four runs, while four were successfully used in three runs and one DaaS was available in two runs. Additionally, 3 of the 11 providers that were not working when we first accessed them started working after three months.

13 out of the 17 tested providers claimed to support intensive DDoS attacks, but when we tested them, only five successfully executed one or more types of application layer DDoS attacks. Out of the 17 DaaS providers tested, only 7 were still working after we finished our study.

Payment Methods

The most popular payment methods used by the DaaS providers were the popular online payment system PayPal and the Bitcoin digital currency. Other methods found included the payment platforms Google Wallet, Paysafecard (which allows anonymous transfers), Payza (transfers using email), and Skrill (focused on low-cost transfers). During the tests, three of the providers had their PayPal accounts deactivated and could not receive money.

DaaS providers offered multiple subscription options for their services at different prices. For 10 providers, a higher price only means a longer period of attack and longer-term subscriptions. In other words, they did not offer additional attack methods or an increase in the intensity of the attacks.

We evaluated GRI, one of the four providers that claimed better throughput and additional methods of attacks, to observe the difference between the cheap and more expensive options. This DaaS was chosen as it offered the most powerful attack, and in terms of throughput, pricing was cheaper than other DaaS ($50, compared to up to $300 in the case of RAG), and offered a different class of attack. Results show that the more expensive service gives access to two VIP servers (servers that regular accounts do not have access to) at the same time (and therefore able to execute two concurrent attacks). The amount of traffic generated and the list of offered attacks by each VIP server were not different from its cheap service.

Related Work

Research on the analysis of existing DDoS attack vectors [8–11] has focused on the resources available on the Internet that can be used to launch DDoS attacks. Particularly, researchers have studied the amplification effect produced from using certain network services on the impact from using botnets to create DDoS attacks. Our work complements previous research by providing an unabridged analysis of the new vector available to attackers: application-level, intensive DaaS.
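As an added example (not code from the article or its authors), the following Python reproduces two of the measurements described above on a constructed packet capture: an attacking address is labeled non-spoofed only when a complete TCP handshake with the victim was observed, and address reuse across runs is tabulated the way Table 5 does. The victim and client addresses are constructed (RFC 5737 documentation ranges), and the `Packet` record is an assumed simplification of a capture.

```python
"""Label attacking addresses as non-spoofed and tabulate their reuse across runs.

Added example, not the article's own code. It follows the article's rule: an
address is non-spoofed only if at least one complete TCP three-way handshake
(SYN, SYN-ACK from the victim, ACK) with the victim server was observed. A
spoofed SYN flood never completes the handshake, so it is never labeled.
All addresses and packet records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"  # constructed victim address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flag string: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    src_port: int
    dst_port: int


def completed_connections(packets):
    """Map client IP -> number of fully established TCP connections to VICTIM.

    State is kept per (client IP, client port), so a host opening many parallel
    connections (as Slowloris/RUDY-style tools do) is counted once per
    connection. A stray ACK with no preceding SYN/SYN-ACK is ignored.
    """
    state = {}  # (client_ip, client_port) -> "syn" | "synack"
    done = defaultdict(int)
    for p in packets:
        if p.dst == VICTIM and p.flags == "S":
            state[(p.src, p.src_port)] = "syn"
        elif p.src == VICTIM and p.flags == "SA":
            key = (p.dst, p.dst_port)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.dst == VICTIM and p.flags == "A":
            key = (p.src, p.src_port)
            if state.get(key) == "synack":
                done[p.src] += 1
                del state[key]
    return dict(done)


def non_spoofed(packets):
    """Addresses that completed at least one connection (the article's rule)."""
    return set(completed_connections(packets))


def reuse_matrix(runs):
    """Upper-triangular reuse table over per-run address sets, like Table 5:
    entry [i][j] (j >= i) is the number of addresses of run i seen again in
    run j; the diagonal is the total number of addresses in that run."""
    n = len(runs)
    return [[len(runs[i] & runs[j]) if j >= i else None for j in range(n)]
            for i in range(n)]


def _handshake(ip, port):
    """Constructed complete handshake between client ip:port and the victim."""
    return [Packet(ip, VICTIM, "S", port, 80),
            Packet(VICTIM, ip, "SA", 80, port),
            Packet(ip, VICTIM, "A", port, 80)]


# Constructed capture excerpts for three runs: 198.51.100.x hosts really talk
# to the victim; 192.0.2.x sources only send SYNs (spoofed flood) or a stray ACK.
RUNS = [
    _handshake("198.51.100.1", 40001) + _handshake("198.51.100.1", 40002)
    + _handshake("198.51.100.2", 40100)
    + [Packet("192.0.2.5", VICTIM, "S", 1234, 80)] * 3
    + [Packet("192.0.2.9", VICTIM, "A", 5555, 80)],
    _handshake("198.51.100.1", 40010) + _handshake("198.51.100.3", 40200)
    + [Packet("192.0.2.6", VICTIM, "S", 1234, 80)] * 3,
    _handshake("198.51.100.3", 40210) + _handshake("198.51.100.4", 40300),
]


if __name__ == "__main__":
    per_run = [non_spoofed(r) for r in RUNS]
    for i, addrs in enumerate(per_run, 1):
        print(f"run {i}: {len(addrs)} non-spoofed addresses: {sorted(addrs)}")
    for row in reuse_matrix(per_run):
        print(["—" if v is None else v for v in row])
```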



DaaS   Total IP    No.        No.     Type of network                 No. proxies   Additional information
       addresses   countries  ASNs    Broadband   Hosting   Other     found
BIG       165        20          40     6.7%      93.3%      0.0%        0          U.S. hosts 81.8% of all addresses, while the next four countries account for 8.5%
DES     9,405        88       1,446    11.8%      84.8%      0.4%       11          U.S. hosts 61% of all addresses, followed by 10 countries with more than 100 addresses each
RAG       162        36          84    74.1%       6.8%     19.7%       58          China accounts for 39.5% of all addresses, while Brazil, Indonesia, Russia, and Guatemala together host 27.16%
TIT        35        10          22    45.7%      48.6%      5.7%        0          China and U.S. host 45% and 22.9%, respectively
WRA    21,809       117       3,075    20.12%     79.82%     0.06%     130          U.S. accounts for 55.1% of all addresses, while 19 other countries host at least 140 addresses

Table 4. Geographical distribution of the IP addresses for each of the DaaS providers that generated intensive attacks. The table also includes, for each provider, the number of ASNs involved, the type of network to which the addresses were connected, and the number of proxy servers identified.
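Table 5, which follows, is built from the non-spoofed source addresses observed in each run and shows how many of them reappeared in later runs. The script below is an added example, not code from the paper, that performs the same computation on a victim web server's access log: it extracts the client address of every completed HTTP request in each attack window, computes the upper-triangular reuse matrix in the layout of Table 5, and reports how many addresses in a run were new. Because an intensive (application-level) attack must complete the TCP handshake before its request is logged, the logged address is the real source, which is what makes the comparison across runs meaningful. The log excerpts, run boundaries and addresses are all constructed for the example.

```python
"""Run-to-run reuse of non-spoofed attack sources, in the layout of Table 5.

Added example, not code from the paper. The access-log excerpts, run
boundaries and addresses below are constructed. An application-level flood
must complete the TCP handshake to deliver an HTTP request, so the client
address the web server logs is the real source; spoofed UDP floods could not
be compared across runs this way.
"""
import re

# Common log format: client, identity, user, [timestamp], "request", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed excerpts of the victim's access log, one per 1-minute attack run,
# in chronological order (RFC 5737 documentation addresses).
RUN_LOGS = [
    """\
198.51.100.1 - - [10/Jan/2015:14:00:01 +0000] "GET /?s=aaaa HTTP/1.1" 200 5120
198.51.100.2 - - [10/Jan/2015:14:00:01 +0000] "GET /?s=aaab HTTP/1.1" 200 5120
198.51.100.3 - - [10/Jan/2015:14:00:02 +0000] "GET /?s=aaac HTTP/1.1" 200 5120
198.51.100.4 - - [10/Jan/2015:14:00:02 +0000] "GET /?s=aaad HTTP/1.1" 200 5120
198.51.100.5 - - [10/Jan/2015:14:00:03 +0000] "GET /?s=aaae HTTP/1.1" 200 5120
198.51.100.1 - - [10/Jan/2015:14:00:03 +0000] "GET /?s=aaaf HTTP/1.1" 200 5120
garbage line that does not parse and must be skipped
""",
    """\
198.51.100.3 - - [11/Jan/2015:09:30:00 +0000] "GET /?s=bbba HTTP/1.1" 200 5120
198.51.100.4 - - [11/Jan/2015:09:30:00 +0000] "GET /?s=bbbb HTTP/1.1" 503 -
198.51.100.5 - - [11/Jan/2015:09:30:01 +0000] "GET /?s=bbbc HTTP/1.1" 200 5120
203.0.113.7 - - [11/Jan/2015:09:30:01 +0000] "GET /?s=bbbd HTTP/1.1" 200 5120
203.0.113.8 - - [11/Jan/2015:09:30:02 +0000] "GET /?s=bbbe HTTP/1.1" 200 5120
""",
    """\
198.51.100.5 - - [12/Jan/2015:17:45:10 +0000] "GET /?s=ccca HTTP/1.1" 200 5120
203.0.113.8 - - [12/Jan/2015:17:45:10 +0000] "GET /?s=cccb HTTP/1.1" 200 5120
203.0.113.9 - - [12/Jan/2015:17:45:11 +0000] "GET /?s=cccc HTTP/1.1" 200 5120
""",
]


def sources_from_log(text):
    """Set of client addresses that completed at least one HTTP request."""
    ips = set()
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:  # unparseable lines (truncation, noise) are skipped
            ips.add(match.group("ip"))
    return ips


def reuse_matrix(runs):
    """Upper-triangular matrix with the layout of Table 5.

    runs is a list of address sets in chronological order. Entry [i][j] with
    j > i counts addresses seen in both run i and run j; the diagonal [i][i]
    is the number of distinct addresses in run i; below the diagonal is None.
    """
    n = len(runs)
    matrix = [[None] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            matrix[i][j] = len(runs[i] & runs[j])
    return matrix


def new_since_previous(runs, j):
    """Addresses of run j absent from run j-1 (the 'only two were new' figure)."""
    return set(runs[j]) if j == 0 else runs[j] - runs[j - 1]


def never_seen_before(runs, j):
    """Addresses of run j that appeared in no earlier run."""
    return runs[j] - set().union(*runs[:j])


def format_matrix(name, matrix):
    """Render the matrix as text; '*' marks the diagonal like Table 5's bold."""
    n = len(matrix)
    lines = [f"{name:<6}" + "".join(f"{j + 1:>8}" for j in range(n))]
    for i, row in enumerate(matrix):
        cells = ["-" if v is None else (f"*{v}" if i == j else str(v))
                 for j, v in enumerate(row)]
        lines.append(f"run {i + 1:<2}" + "".join(f"{c:>8}" for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    run_sets = [sources_from_log(log) for log in RUN_LOGS]
    print(format_matrix("Demo", reuse_matrix(run_sets)))
    for j in range(1, len(run_sets)):
        print(f"run {j + 1}: {len(run_sets[j])} sources, "
              f"{len(new_since_previous(run_sets, j))} not in run {j}, "
              f"{len(never_seen_before(run_sets, j))} never seen before")
```

For the constructed data the diagonal reads 5, 5, 3 and run 3 shares 2 addresses with run 2, so only 1 of its 3 sources is new; that is the same reading as the BIG transition from run 2 (82 addresses) to run 3 (37 addresses, 35 reused, 2 new) described above. Deduplicating on the address rather than the request matters: a single source that sends thousands of requests in a minute still counts once.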

                  BIG                          WRA
Run          1      2      3      4        1      2      3        4
1         *122     66     35     22     *426    176    176      157
2            —    *82     35     20        —   *269    184      163
3            —      —    *37     17        —      —   *277      170
4            —      —      —    *49        —      —      —  *21,573

Table 5. Number of non-spoofed IP addresses reused, per run, for BIG and WRA. Values on the diagonal (marked with *) represent the total number of IP addresses used to launch intensive attacks in each run; an off-diagonal entry gives the number of addresses from the earlier run (row) that were seen again in the later run (column).

Rossow [10] studied several UDP-based services available on the Internet that can be misused for amplification during a DDoS attack, showing that they are numerous and easy to find on the Internet, and providing a byte amplification factor of up to 4670. Kührer et al. [9] showed the possibility of using various TCP servers as reflective traffic amplifiers, and measured their possible impact. Czyz et al. [8] studied the temporal properties of reflectors, especially NTP servers, while van Rijswijk-Deij et al. [11] showed that a byte amplification factor of over 102 is possible by abusing the DNSSEC extensions.

Recent work [12, 13] has also looked at the rising threat of DaaS providers. We consider all previous studies complementary to ours, as they did not analyze the application-level, intensive DDoS attacks that can be launched from these providers, as done in our study. Karami et al. [12] only evaluated the infrastructure used for extensive attacks, while Santanna et al. [13] limited their study to extensive attacks using the DNS or CHARGEN protocols. Noroozian et al. [14] profiled the victims of extensive attacks launched by DaaS providers by using a network of honeypots running open services that the providers abused to launch amplification attacks. The study found that 88 percent of the victims were housed in broadband and hosting ISP networks, while the ICT development and GDP per capita of the host countries also help explain the victimization rate.

Conclusions

With the goal of demystifying the newly prevalent class of DaaS providers, we identified and studied 28 of these online systems. Given the short life of many of the providers found, we analyzed the behavior of 17 over a period of three months. Results show that DaaS providers commonly offer both extensive and intensive DDoS attacks, and over different protocols. Customers only have to spend tens of dollars to gain access to the attacks, which we were able to use to launch 1-minute attacks that generated 255 GB of traffic and achieved a throughput of 1.4 Gb/s.

In our study, we showed that many of these publicly accessible providers allow users to launch intensive attacks, hence the need to also study this increasingly popular threat. Results show that these providers pose a real threat to web servers on the Internet, as they have access to networks of up to tens of thousands of machines to generate traffic that looks inconspicuous but leaves the servers unresponsive.

References

[1] R. Chang, “Defending against Flooding-Based Distributed Denial-Of-Service Attacks: A Tutorial,” IEEE Commun. Mag., vol. 40, no. 10, Oct. 2002, pp. 42–51.
[2] E. Cambiaso et al., “Slow DoS Attacks: Definition and Categorisation,” Int’l. J. Trust Management in Comp. and Commun., vol. 1, no. 3-4, Jan. 2013, pp. 300–19.
[3] D. Dittrich and E. Kenneally, “The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research,” U.S. Dept. Homeland Sec., Aug. 2012.
[4] C. Kanich et al., “Spamalytics: An Empirical Analysis of Spam Marketing Conversion,” Proc. 15th ACM Conf. Comp. Commun. Sec., Oct. 2008, pp. 3–14.
[5] B. Stone-Gross et al., “Your Botnet Is My Botnet: Analysis of a Botnet Takeover,” Proc. 16th ACM Conf. Comp. Commun. Sec., Nov. 2009, pp. 635–47.
[6] IP2Location, commercial IP geolocation databases, Jan. 2015; http://www.ip2location.com/databases/, accessed Jan. 5, 2015.
[7] Symantec, “Security Focus: WordPress Slider Revolution Responsive Plugin ‘img’ Parameter Arbitrary File Download Vulnerability,” July 2014; http://www.securityfocus.com/bid/68942, accessed Sept. 13, 2014.
[8] J. Czyz et al., “Taming the 800 Pound Gorilla: The Rise and Decline of NTP DDoS Attacks,” Proc. ACM SIGCOMM Conf. Internet Measurement, Nov. 2014, pp. 435–48.



[9] M. Kührer et al., “Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks,” Proc. 8th USENIX Wksp. Offensive Technologies, Aug. 2014.
[10] C. Rossow, “Amplification Hell: Revisiting Network Protocols for DDoS Abuse,” Proc. Network Distrib. Sys. Sec. Symp., Feb. 2014.
[11] R. van Rijswijk-Deij, A. Sperotto, and A. Pras, “DNSSEC and Its Potential for DDoS Attacks,” Proc. ACM SIGCOMM Conf. Internet Measurement, Nov. 2014, pp. 449–60.
[12] M. Karami, Y. Park, and D. McCoy, “Stress Testing the Booters: Understanding and Undermining the Business of DDoS Services,” Proc. 25th Int’l. World Wide Web Conf., Apr. 2016, pp. 1033–43.
[13] J. Santanna et al., “Booters: An Analysis of DDoS-as-a-Service Attacks,” Proc. IFIP/IEEE Int’l. Symp. Integrated Network Mgmt., May 2015, pp. 243–51.
[14] A. Noroozian et al., “Who Gets the Boot? Analyzing Victimization by DDoS-as-a-Service,” Proc. Int’l. Symp. Research in Attacks, Intrusions, and Defenses, Sept. 2016, pp. 368–89.

Biographies

Ali Zand (zand@cs.ucsb.edu) received his Ph.D. in 2015 from the University of California, Santa Barbara, working on system security research with a focus on cyber situation awareness. His research interests include automatic service dependency detection, automatic asset protection prioritization, botnet C&C signature generation, cyber situation awareness measurement, DDoS attack studies, and social media spam detection.

Gaspar Modelo-Howard [SM] (gaspar@acm.org) is a senior principal data scientist in the Center for Advanced Machine Learning at Symantec. His research interests are computer and network security, with a focus on web security, intrusion detection and response, and malware detection. He is also an adjunct professor in computer security at Universidad Tecnológica de Panamá. He is a member of ACM and USENIX.

Alok Tongaonkar (alok@redlock.io) is head of Data Science at RedLock. Previously, he was a data scientist director leading the Center for Advanced Data Analytics at Symantec. He has a Ph.D. in computer science from Stony Brook University, New York. His research focuses on the application of machine learning and big data technologies to developing innovative security, networking, and mobile app analytic products. He has been granted multiple patents by the USPTO. He is a Senior Member of ACM.

Sung-Ju Lee [F] (sjlee@cs.kaist.ac.kr) is an associate professor and an Endowed Chair Professor at the Korea Advanced Institute of Science and Technology (KAIST). He received his Ph.D. in computer science from the University of California, Los Angeles, and spent 15 years in the industry in Silicon Valley before joining KAIST. His research interests include computer networks, mobile computing, network security, and HCI. He is a recipient of multiple awards, including the HP CEO Innovation Award and the Test-of-Time Paper Award at ACM WINTECH 2016. He is an ACM Distinguished Scientist.

Christopher Kruegel (chris@cs.ucsb.edu) is a professor in the Computer Science Department at the University of California, Santa Barbara, and one of the co-founders of Lastline, Inc., where he serves as the chief scientist. His research interests include most aspects of computer security, with an emphasis on malware analysis, web security, and intrusion detection. He is a recipient of the NSF CAREER Award, the MIT Technology Review TR35 Award for young innovators, and an IBM Faculty Award.

Giovanni Vigna [SM] (vigna@cs.ucsb.edu) is a professor in the Department of Computer Science at the University of California, Santa Barbara, and the CTO at Lastline, Inc. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security. He leads the Shellphish hacking group, which has participated in more DEF CON CTF competitions than any other group in history. He is a Senior Member of ACM.

