Accurately Measuring Global Risk of Amplification Attacks

Amplification DDoS Attacks

Many high-profile Distributed Denial-of-Service (DDoS) attacks rely on amplification via public network servers. As networks evolve, new avenues for amplification attacks will continue to be discovered. What we need is an Internet-scale monitoring service that can systematically and continuously measure the empirical risk of amplification. Unfortunately, existing techniques, which count the total number of servers and test only a small, fixed set of query patterns, are fundamentally imprecise.

Our Approach: AmpMap

The fundamental question we ask is:

"Is it possible to proactively map out the amplification risk on the Internet without impacting network servers?"

Our AmpMap system answers this question! AmpMap is a low-footprint Internet health monitoring service that can systematically measure the cyber-risk of modern amplification-based DDoS attacks. Using AmpMap, we systematically uncovered new, possibly hidden, amplification patterns ripe for abuse. Our findings can serve as an empirical foundation for cyber-risk quantification and inform remediation efforts.

Our Techniques and How It Works

Given a list of open servers implementing a protocol (e.g., DNS, SSDP) from public services (Censys, Shodan), AmpMap outputs a set of amplification-inducing queries for each server. We leverage key structural insights to develop an efficient approach that searches across the space of protocol headers and servers.

The queries identified by AmpMap's measurements are fed into our analysis and pattern generation workflow, which summarizes them into query patterns. The resulting patterns can inform mitigation efforts and quantify the amplification risk across protocols, servers, and query patterns.
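As an added illustration of the analysis step (this is not AmpMap's code or output), the block below takes constructed measurement records and computes per-pattern amplification factors, the share of servers per protocol that reach a risk threshold, and which header field values drive amplification. Server labels and field values are constructed placeholders, not real protocol fields.

```python
from collections import defaultdict
from statistics import median
# Constructed records (placeholder servers, opaque field values; not AmpMap output):
# (protocol, server, header fields set in the probe, request bytes, response bytes)
MEASUREMENTS = [
    ("DNS",  "srv-1", {"qtype": "q1", "opt": "off"}, 50, 100),
    ("DNS",  "srv-1", {"qtype": "q2", "opt": "on"},  60, 3000),
    ("DNS",  "srv-2", {"qtype": "q2", "opt": "on"},  60, 1800),
    ("DNS",  "srv-2", {"qtype": "q1", "opt": "off"}, 50, 150),
    ("DNS",  "srv-3", {"qtype": "q2", "opt": "on"},  60, 300),
    ("SSDP", "srv-4", {"st": "st1"}, 90, 2700),
    ("SSDP", "srv-5", {"st": "st1"}, 90, 900),
    ("SSDP", "srv-5", {"st": "st2"}, 95, 380),
]

def amplification_factor(req_bytes, resp_bytes):
    """Bandwidth amplification factor: response bytes per request byte."""
    return resp_bytes / req_bytes

def pattern_key(protocol, fields):
    """A query pattern is the protocol plus the header field values probed."""
    return (protocol,) + tuple(sorted(fields.items()))

def summarize_patterns(records):
    """Per query pattern: number of servers exhibiting it, median and max AF."""
    afs, servers = defaultdict(list), defaultdict(set)
    for proto, server, fields, req, resp in records:
        key = pattern_key(proto, fields)
        afs[key].append(amplification_factor(req, resp))
        servers[key].add(server)
    return {k: {"servers": len(servers[k]), "median_af": median(v), "max_af": max(v)} for k, v in afs.items()}

def servers_at_risk(records, threshold=10.0):
    """Per protocol: share of measured servers where some probe reached the AF threshold."""
    seen, risky = defaultdict(set), defaultdict(set)
    for proto, server, _fields, req, resp in records:
        seen[proto].add(server)
        if amplification_factor(req, resp) >= threshold:
            risky[proto].add(server)
    return {p: len(risky[p]) / len(s) for p, s in seen.items()}

def field_lift(records):
    """Per (protocol, field, value): median AF with that value over the protocol's median AF."""
    by_proto, by_value = defaultdict(list), defaultdict(list)
    for proto, _server, fields, req, resp in records:
        af = amplification_factor(req, resp)
        by_proto[proto].append(af)
        for field, value in fields.items():
            by_value[(proto, field, value)].append(af)
    return {k: median(v) / median(by_proto[k[0]]) for k, v in by_value.items()}
```

A lift well above 1.0 for a field value flags it as the header choice to rate-limit or disable on the server side; a pattern seen on few servers with a high max AF points at a configuration-specific risk rather than a protocol-wide one.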

Who we are

We are a group of researchers from Carnegie Mellon University, some of whom are affiliated with CyLab, CMU's Security and Privacy Institute.

Questions? Contact Us

The best way to reach us is by email.