Into the DDoS maelstrom: A longitudinal study of a scrubbing service

Giovane C.M. Moura, Cristian Hesselman, Gerald Schaapman, Nick Boerman, Octavia De Weerdt

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

4 Citations (Scopus)
2 Downloads (Pure)


Distributed denial-of-service (DDoS) attacks are nowadays easy and cheap to carry out, and have become bigger and more frequent over the last years. Cloud-based scrubbers have emerged as a service which victims can hire on demand to fend off attacks. There are many industry players, but not much insights into their operations. This work unravels for the first time the inner workings of a DDoS scrubber - NaWas - a non-profit scrubber in the Netherlands. We analyze 1800+ DDoS attacks spanning over a period of 22 months, and show that while most attacks are not very large, they are still large enough to disrupt services and likely to disturb links. We estimate the collateral damage incurred by DDoS attacks, and demonstrate that the number of victims of is at least quadratically larger (IP2) than the targeted addresses. Last, by correlating attacks metadata with authoritative DNS traffic, we show that DDoS attacks leave fingerprints on DNS traffic, which, in turn can be used to detect DDoS attacks at early stages, even if attackers attempt to deceive DNS based detection.

Original languageEnglish
Title of host publication5th IEEE European Symposium on Security and Privacy Workshops, Euro S and PW 2020
Number of pages9
ISBN (Electronic)9781728185972
Publication statusPublished - Sept 2020
EventIEEE European Symposium on Security and Privacy Workshops 2020 - Virtual Event, Genoa, Italy
Duration: 7 Sept 202011 Sept 2020


ConferenceIEEE European Symposium on Security and Privacy Workshops 2020


  • DDoS
  • DNS
  • Traffic scrubber
  • n/a OA procedure


Dive into the research topics of 'Into the DDoS maelstrom: A longitudinal study of a scrubbing service'. Together they form a unique fingerprint.

Cite this