π€ AI Summary
Accurately estimating the number of true source networks in Distributed Reflection Denial-of-Service (DRDoS) attacks remains a critical challenge for effective traceback and defense. This work proposes a novel approach that integrates global anycast honeypots with Time-to-Live (TTL) variation analysis to model path instability in network routing, thereby constructing a statistical estimator for inferring the minimum number of distinct source networks behind spoofed traffic. Empirical analysis based on 287 days of real-world attack data reveals that at least 21.0% of DRDoS attacks originate from multiple independent networks, highlighting attackersβ widespread use of cross-network distribution to amplify deception. This study presents the first framework combining anycast honeypots and dynamic TTL analysis to establish a lower bound on source network counts, offering a new paradigm for DRDoS source attribution and underscoring the necessity of coordinated defense strategies.
π Abstract
DDoS attacks remain a significant threat, with distributed reflection denial-of-service (DRDoS) attacks being particularly difficult to trace back to their sources. To better understand attacker behavior and deployment patterns, we present a novel approach for estimating a lower bound on the number of networks involved in generating spoofed traffic. Our approach leverages a global deployment of anycast amplification honeypots that attract requests from topologically nearby sources. Using this infrastructure, we develop two estimators based on the set of honeypots receiving spoofed traffic and on variations in observed TTL values, while accounting for natural path instability. Analyzing 287 days of amplification attacks, we find that at least 21.0% originate from multiple network locations, indicating that attackers frequently distribute spoofing activity across networks. Our findings suggest that combating spoofing requires coordinated and distributed defenses, and inform the design of future attribution techniques.