A Simulation Model for the Analysis of DDoS Amplification Attacks
Angelo Furfaro, Giovanna Malena, Lorena Molina
DIMES – University of Calabria
I-87036 Rende (CS) – Italy
Email: a.furfaro@dimes.unical.it
malena.giovanna@libero.it
l.molina@dimes.unical.it
Andrea Parise
Open Knowledge Technologies s.r.l.
Piazza Vermicelli
I-87036 Rende (CS) – Italy
Email: andrea.parise@okt-srl.com
Abstract — The ever increasing growth of the Internet has established global connections among millions of networks and devices, which exchange information through computer systems in companies, organizations and governments. At the same time, attackers have developed skills that pose critical issues for network and information security. Distributed Denial of Service (DDoS) is one of the most sophisticated and effective attack techniques. In view of this, it is fundamental that DDoS prevention/defense algorithms can be evaluated through suitable discrete-event simulation models in order to assess their effectiveness before they get deployed in production systems. This paper proposes a simulation model for the analysis of a specific type of DDoS, i.e. DDoS amplification, which can exploit the NTP or DNS protocols. The developed model, which has been implemented within NeSSi2, allowed us to compare the effects of the attack under the two scenarios.
Keywords – DDoS Amplification Attacks; Network Time Protocol; Modelling and Simulation; Network Simulation;
I. INTRODUCTION
Nowadays network security is threatened by various types of cyber attacks. Among these, the most common and effective one is the Distributed Denial-of-Service (DDoS) attack [1]. A DDoS attack is a malicious attempt to coordinate the behavior of several hosts so that they flood a victim host with a high number of packets, exhausting its bandwidth and/or its computational resources [2]. To exhaust the bandwidth, the attacker tries to generate a huge volume of network traffic in order to flood the link that connects the victim to the network. This type of DDoS operates at the network layer of the ISO/OSI stack. The second type of attack is instead performed at the application or session layers. During a DDoS attack, the aggressor orchestrates the behavior of a network (botnet) of slave hosts (zombies), which have previously been infected by malicious code, through messages that indicate a specific victim to be flooded [3]. DDoS attacks can be classified according to various dimensions. A taxonomy based on degree of automation, exploited vulnerability, attack rate dynamics and impact is reported in [4] and is summarized in Fig. 1. A recent survey on defense mechanisms against DDoS is given in [5].
Figure 1. DDoS attack classification
In this paper, we focus on two techniques adopted together in order to increase the effect of a DDoS attack, i.e. reflection and amplification. A reflection-based DDoS attack exploits the IP spoofing vulnerability. The attacker sends a network request with a forged IP source address (i.e. the victim's address) to a network entity (usually a server) which is exploited as a reflector [6], i.e. it directs its responses to the fake source address. This technique can be performed over both TCP and UDP. In the case of TCP, this reflection attack is also known as a SYN-ACK or SYN-flood attack [5]. When executed over UDP, a typical attack employs a DNS server as the reflector.
The impact of reflection attacks is augmented when the size of the response generated by the reflector is much bigger than that of the request. This effect is referred to as amplification. Usually, DDoS amplification attacks are performed on connectionless protocols, since no handshake binds the response to the true sender of the request.
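As an added illustration of the bandwidth-exhaustion effect described above (this is not the paper's NeSSi2 model), the following fluid-queue simulation compares a high and a low amplification factor against a victim access link. All link rates, packet sizes, reflector counts and amplification factors are constructed assumptions, not measured values for NTP or DNS.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Reflection/amplification attack parameters (all values are constructed assumptions)."""
    request_bytes: int     # size of one spoofed request sent to a reflector
    amplification: float   # response size / request size at the reflector
    reflectors: int        # open servers abused as reflectors
    req_rate: int          # spoofed requests per second per reflector


def simulate(scn, link_bps, legit_Bps, buffer_bytes, attack_ticks, duration):
    """1-second-tick fluid model of the victim's access link.

    Each tick the reflectors forward amplified responses toward the victim
    alongside legitimate traffic. The link drains link_bps/8 bytes per tick;
    the excess is queued up to buffer_bytes and anything beyond is dropped.
    Drops hit attack and legitimate bytes in proportion, as a FIFO queue would.
    attack_ticks is the set of ticks during which the attack is active."""
    capacity = link_bps // 8
    response_bytes = int(scn.request_bytes * scn.amplification)
    attack_Bps = scn.reflectors * scn.req_rate * response_bytes
    queue = legit_in_queue = 0.0          # backlog and its legitimate share
    legit_offered = legit_delivered = 0.0
    saturated = 0
    for t in range(duration):
        attack = attack_Bps if t in attack_ticks else 0
        total = queue + attack + legit_Bps
        legit_frac = (legit_in_queue + legit_Bps) / total if total else 0.0
        sent = min(capacity, total)
        if total > capacity:
            saturated += 1
        queue = min(total - sent, buffer_bytes)   # bytes beyond the buffer are lost
        legit_in_queue = queue * legit_frac
        legit_offered += legit_Bps
        legit_delivered += sent * legit_frac
    return {
        "attack_bps_at_victim": attack_Bps * 8,
        "attacker_egress_bps": scn.reflectors * scn.req_rate * scn.request_bytes * 8,
        "saturated_seconds": saturated,
        "legit_delivery_ratio": legit_delivered / legit_offered,
    }


if __name__ == "__main__":
    # Same attacker effort (20 reflectors x 200 req/s of 64-byte requests), two amplification factors.
    for label, amp in (("high amplification", 50.0), ("low amplification", 2.0)):
        r = simulate(Scenario(64, amp, 20, 200), 100_000_000, 2_000_000, 2_500_000, range(2, 6), 10)
        print(label, r)
```

With the same attacker egress of about 2 Mbit/s, the 50x scenario pushes roughly 102 Mbit/s onto a 100 Mbit/s link and saturates it for the whole attack window, while the 2x scenario stays well below capacity.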
A particular amplification technique, the so-called smurf attack [7], exploits a misconfiguration of a local network that
2015 17th UKSIM-AMSS International Conference on Modelling and Simulation
978-1-4799-8713-9/15 $31.00 © 2015 IEEE
DOI 10.1109/UKSim.2015.52