Tracking DDoS Attacks: Insights into the Business of Disrupting the Web

Armin Büscher, Thorsten Holz

5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), San Jose, CA, April 2012


Known for a long time, Distributed Denial-of-Service (DDoS) attacks are still prevalent today and cause harm on the Internet on a daily basis. The main mechanism behind this kind of attack is the use of so-called botnets, i.e., networks of compromised machines under the control of an attacker. There are several different botnet families that focus on DDoS attacks and are even used to sell such attacks as a service on underground markets.

In this paper, we present an empirical study of modern DDoS botnets and analyze one particular family of botnets in detail. We identified 35 Command and Control (C&C) servers related to DirtJumper (also called Ruskill), one of the popular DDoS botnets in operation at this point in time. We monitored these C&C servers for a period of several months, during which we observed almost two thousand different DDoS attacks carried out by the botmasters behind the botnets. Based on this empirical data, we performed an analysis of the characteristics of DDoS attacks. To complement this C&C-centric point of view, we briefly analyzed the information logged at two different victims of DirtJumper DDoS attacks to study how such attacks are perceived at an end host. Our results provide insights into modern DDoS attacks and help us to understand how such attacks are carried out nowadays.


tags: attacks, ddos, Malware