Spoofer or Spoofers? Estimating a Lower Bound on the Number of DRDoS Sources Using Anycast Honeypots

πŸ“… 2026-07-16
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
Accurately estimating the number of true source networks in Distributed Reflection Denial-of-Service (DRDoS) attacks remains a critical challenge for effective traceback and defense. This work proposes a novel approach that integrates global anycast honeypots with Time-to-Live (TTL) variation analysis to model path instability in network routing, thereby constructing a statistical estimator for inferring the minimum number of distinct source networks behind spoofed traffic. Empirical analysis based on 287 days of real-world attack data reveals that at least 21.0% of DRDoS attacks originate from multiple independent networks, highlighting attackers’ widespread use of cross-network distribution to amplify deception. This study presents the first framework combining anycast honeypots and dynamic TTL analysis to establish a lower bound on source network counts, offering a new paradigm for DRDoS source attribution and underscoring the necessity of coordinated defense strategies.
πŸ“ Abstract
DDoS attacks remain a significant threat, with distributed reflection denial-of-service (DRDoS) attacks being particularly difficult to trace back to their sources. To better understand attacker behavior and deployment patterns, we present a novel approach for estimating a lower bound on the number of networks involved in generating spoofed traffic. Our approach leverages a global deployment of anycast amplification honeypots that attract requests from topologically nearby sources. Using this infrastructure, we develop two estimators based on the set of honeypots receiving spoofed traffic and on variations in observed TTL values, while accounting for natural path instability. Analyzing 287 days of amplification attacks, we find that at least 21.0% originate from multiple network locations, indicating that attackers frequently distribute spoofing activity across networks. Our findings suggest that combating spoofing requires coordinated and distributed defenses, and inform the design of future attribution techniques.
Problem

Research questions and friction points this paper is trying to address.

DRDoS
IP spoofing
source estimation
anycast honeypots
DDoS attribution
Innovation

Methods, ideas, or system contributions that make the work stand out.

anycast honeypots
DRDoS
spoofing source estimation
TTL variation
distributed reflection denial-of-service
πŸ”Ž Similar Papers
No similar papers found.