AmpMap
Accurately Measuring Global Risk of Amplification Attacks
Amplification DDoS Attacks
Many high-profile Distributed Denial-of-Service (DDoS) attacks rely on amplification via public network servers. As networks evolve, new avenues for amplification attacks will continue to be discovered. What we need is an Internet-scale monitoring service that can systematically and continuously measure the empirical risk of amplification. Unfortunately, existing techniques, which count the total number of servers and identify only a small set of query patterns, are fundamentally imprecise.
Our Approach: AmpMap
The fundamental question we ask is:
"Is it possible to proactively map out the amplification risk on the Internet without impacting network servers?"
Our AmpMap system answers this question. AmpMap is a low-footprint Internet health monitoring service that can systematically measure the cyber-risk of modern amplification-based DDoS attacks. Using AmpMap, we systematically uncovered new, possibly hidden amplification patterns ripe for abuse. Our findings can serve as an empirical foundation for cyber-risk quantification and inform remediation efforts.
Our Techniques and How It Works
Given a list of open servers implementing a protocol (e.g., DNS, SSDP) from public services (Censys, Shodan), AmpMap outputs a set of amplification-inducing queries for each server. We leverage key structural insights to develop an efficient approach that searches across the space of protocol headers and servers.
The queries identified by AmpMap measurements are fed into our analysis and pattern generation workflow, which summarizes and analyzes the resulting amplification patterns. Our findings can inform mitigation efforts and quantify the amplification risk across protocols, servers, and query patterns.
Who we are
We are a group of researchers from Carnegie Mellon University, some of whom are affiliated with CyLab, CMU's Security and Privacy Institute.
Questions? Contact Us
The best way to reach us is by email.
- Soo-Jin Moon : soojin.moon91 * at * gmail.com
- Yucheng Yin : yyin4 * at * andrew.cmu.edu
- Vyas Sekar : vsekar * at * andrew.cmu.edu