A Traffic analyzer for the automated detection of protocols usable for amplification attacks

A Traffic analyzer for the automated detection of protocols usable for amplification attacks

Master Thesis

Today, the number of Distributed Denial of Service (DDoS) attacks is becoming more and more a threat in terms of cyber criminality. The motivations for this kind of attacks are financial and economical gain, revenge, ideological belief, intellectual challenge, and Cyberwarfare.
One famous DDoS form is the amplification attack. In general, an amplification attack means a short spoofed network protocol request and a huge response that is reflected to a victim. These messages are flooded to the victim to exhaust the bandwidth. The abused services for this kind of attack must have at least two properties. First, the service should base on UDP, which is stateless. The benefit of UDP is the direct transport layer interaction without any network session establishment like the TCP Three-Way-Handshake. Second, make protocol requests whose responses are significantly bigger that it works as amplifier. Currently, different services are in focus of hackers to run this kind of attack.
Before vulnerability’s in a service is abused, the potential for an amplification in a protocol must be known. This thesis will develop an automatic tool for the detection of protocols that are vulnerable for amplification attacks. After a protocol is detected, a crawler will check the popularity of the service. Other hosts that offer the same service are penetrated with packets that are crafted from previous captured traffic. This behavior checks if the other service provider are vulnerable too. A detection mechanism is integrated into an existing IDS. The analysis of the intercepted traffic elects requests response pairs. If they are linked, different measurements are calculated. The main contribution of the thesis is a protocol analysis system that detects protocols that are vulnerable to amplification attacks and a crawler that checks the impact of the detection.

Start: 14.01.2015

Ende: 16.07.2015


  • Carlos Garcia C. (carlos.garcia(a-t)tk.informatik.tu-darmstadt.de)
  • Mathias Fischer (mathias.fischer(a-t)tk.informatik.tu-darmstadt.de)

Forschungsgebiete: CASED, Telecooperation , – SSI – Area Secure Smart Infrastructures