Measuring exposure in DDoS protection services

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review



    Denial-of-Service attacks have rapidly gained in popularity over the last decade. The increase in frequency, size, and complexity of attacks has made DDoS Protection Services (DPS) an attractive mitigation solution to which the protection of services can be outsourced. Despite a thriving market and increasing adoption of protection services, a DPS can often be bypassed, and direct attacks can be launched against the origin of a target. Many protection services leverage the Domain Name System (DNS) to protect, e.g., Web sites. When the DNS is misconfigured, the origin IP address of a target can leak to attackers, which defeats the purpose of outsourcing protection. We perform a large-scale analysis of this phenomenon by using three large data sets that cover a 16-month period: a data set of active DNS measurements; a DNS-based data set that focuses on DPS adoption; and a data set of DoS attacks inferred from backscatter traffic to a sizable darknet. We analyze nearly 11k Web sites on Alexa's top 1M that outsource protection, for eight leading DPS providers. Our results show that 40% of these Web sites expose the origin in the DNS. Moreover, we show that the origin of 19% of these Web sites is targeted after outsourcing protection.
    Original language: English
    Title of host publication: 2017 13th International Conference on Network and Service Management (CNSM)
    Number of pages: 9
    ISBN (Print): 978-3-901882-98-2
    Publication status: Published - 30 Nov 2017
    Event: 13th International Conference on Network and Service Management, CNSM 2017 - Waseda University, Tokyo, Japan
    Duration: 27 Nov 2017 to 1 Dec 2017
    Conference number: 13


    Conference: 13th International Conference on Network and Service Management, CNSM 2017
    Abbreviated title: CNSM