About AmpMap

How AmpMap works

A Case for AmpMap

Many recent and high-impact DDoS attacks still rely on amplification. Given this continued threat, we need an Internet-scale monitoring service that can systematically measure the empirical risk of amplification. This involves building a tool that can first UNDERSTAND the amplification vulnerabilities of each server and then QUANTIFY the degree of amplification each query pattern yields. The motivating question is: "How can we build a low-footprint service that does this for servers across the Internet?"

Why Building this is Challenging

While there are prior techniques to measure amplification risk, they are fundamentally imprecise and fail to capture the variability of risk across servers and patterns. To realize our vision, we need to handle the challenges of: (1) the large protocol header space; (2) the complex relationship between the packet field values and amplification it induces; and (3) heterogeneity in amplification risks across different servers.

Leveraging Structural Insights

We leverage key structural insights in building AmpMap. For instance, we observe that distinct amplification-inducing query patterns overlap in protocol field values. This locality structure suggests that if we find one such pattern, we can uncover other related patterns by searching neighbors. Further, even though protocol server implementations are diverse, they share some similarities. This helps us further reduce network overhead and improve fidelity by sharing insights across servers.

AmpMap Workflow

AmpMap is a framework for measuring the risk of amplification with a low network footprint that accounts for both the server- and query-specific variability.

Given a total query budget, we first run the Random Sampling Stage against each server. Its goal is to find at least one query that falls inside one of the server's amplification-inducing patterns, so that the "locality" structure can be exploited later. The Probing Stage then replays the amplification-inducing queries discovered on one server against the other servers, sharing insights across servers at low cost. Lastly, the Per-Field Search achieves coverage of the patterns on each server by varying one field at a time around the known amplifying queries, again leveraging the locality structure. The output is a set of amplification-inducing queries for each server, which can be used for further analysis and summarization.
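The three stages above, together with the locality and cross-server insights from the previous section, are easiest to see on a small simulation. The following is an added illustration written for this page, not AmpMap's own code: the protocol field space, the two server models (a constructed server A that answers ANY in full and a constructed server B that refuses ANY but serves a large DNSKEY set), the request size, and the amplification threshold are all assumptions chosen so that the search can be checked against an exhaustive sweep, which is only possible in a simulation.

```python
"""Toy AmpMap-style search (added illustration, not AmpMap's own code).

Stage 1 Random Sampling : spend a budget of random queries per server to find a seed
Stage 2 Probing         : replay every server's seeds on the other servers
Stage 3 Per-Field Search: from each seed, change one field at a time, keep what amplifies
"""
import itertools
import random

REQUEST_BYTES = 50   # constructed: size of every query packet
THRESHOLD = 20.0     # constructed: amplification factor (AF) that counts as "amplifying"

# Constructed, DNS-flavoured field space (hypothetical, not AmpMap's real field list).
FIELDS = {
    "qtype": ["A", "AAAA", "TXT", "ANY", "MX", "NS", "SOA", "DNSKEY"],
    "edns_bufsize": [0, 512, 1232, 4096],
    "dnssec_ok": [0, 1],
    "rd": [0, 1],
}
BASE_RESPONSE = {"A": 60, "AAAA": 72, "TXT": 300, "ANY": 2000,
                 "MX": 100, "NS": 150, "SOA": 120, "DNSKEY": 800}


def _model(q, overrides):
    """Constructed server model: response bytes, plus RRSIGs when DO=1, capped by EDNS buffer."""
    resp = overrides.get(q["qtype"], BASE_RESPONSE[q["qtype"]])
    if q["dnssec_ok"] and resp > REQUEST_BYTES:
        resp += 600                                   # signatures appended to a real answer
    cap = 512 if q["edns_bufsize"] == 0 else q["edns_bufsize"]
    return min(resp, cap) / REQUEST_BYTES             # amplification factor


def server_a(q):  # constructed: answers ANY in full
    return _model(q, {})


def server_b(q):  # constructed: refuses ANY (tiny reply) but has a large DNSKEY RRset
    return _model(q, {"ANY": REQUEST_BYTES, "DNSKEY": 1200})


def key(q):
    return tuple(q[f] for f in FIELDS)


def random_query(rng):
    return {f: rng.choice(vals) for f, vals in FIELDS.items()}


def random_sampling(server, budget, rng):
    """Stage 1: find at least one query inside some amplification-inducing pattern."""
    return [q for q in (random_query(rng) for _ in range(budget)) if server(q) >= THRESHOLD]


def probing(servers, seeds):
    """Stage 2: share insight across servers by replaying each server's seeds on the others."""
    shared = {name: list(qs) for name, qs in seeds.items()}
    for src, qs in seeds.items():
        for dst, server in servers.items():
            if dst != src:
                shared[dst].extend(q for q in qs if server(q) >= THRESHOLD)
    return shared


def per_field_search(server, seeds, budget):
    """Stage 3: exploit locality; neighbours of an amplifying query differ in one field."""
    found = {key(q): server(q) for q in seeds}        # seeds were already verified
    seen, frontier, sent = set(found), list(seeds), 0
    while frontier:
        q = frontier.pop()
        for field, values in FIELDS.items():
            for v in values:
                nq = dict(q, **{field: v})
                k = key(nq)
                if v == q[field] or k in seen:
                    continue
                if sent >= budget:                    # stay within the per-server budget
                    return found
                seen.add(k)
                sent += 1
                af = server(nq)
                if af >= THRESHOLD:
                    found[k] = af
                    frontier.append(nq)               # keep expanding around the new hit
    return found


def run_ampmap(servers, sample_budget, search_budget, seed=0):
    """Whole pipeline; returns {server: {query_key: AF}} for amplifying queries only."""
    rng = random.Random(seed)
    seeds = {name: random_sampling(s, sample_budget, rng) for name, s in servers.items()}
    seeds = probing(servers, seeds)
    return {name: per_field_search(s, seeds[name], search_budget) for name, s in servers.items()}


def ground_truth(server):
    """Exhaustive sweep of the field space, to check the search (simulation only)."""
    out = {}
    for combo in itertools.product(*FIELDS.values()):
        q = dict(zip(FIELDS, combo))
        if server(q) >= THRESHOLD:
            out[key(q)] = server(q)
    return out


if __name__ == "__main__":
    servers = {"A": server_a, "B": server_b}
    result = run_ampmap(servers, sample_budget=40, search_budget=200, seed=7)
    for name, found in result.items():
        truth = ground_truth(servers[name])
        print(f"server {name}: found {len(found)}/{len(truth)} amplifying queries")
        for k, af in sorted(found.items(), key=lambda kv: -kv[1])[:3]:
            print("   ", dict(zip(FIELDS, k)), f"AF={af:.1f}")
```

Two points the simulation makes concrete: the ANY seed found on server A does not carry over to server B in the Probing Stage, because B refuses ANY, whereas a DNSKEY seed does, which is why the probe step is cheap but never a substitute for per-server search; and the Per-Field Search reaches every amplifying query on a server from a single seed because, in this constructed model, those queries form one connected region under single-field changes, which is exactly the locality assumption the text relies on.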