Title: Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): A postmortem analysis of the memcached attack on the SANReN

Authors: Burke, Ivan D; Herbert, A; Mooi, Roderick D
Date: 2018-09
Repository record dates: 2019-02-06
Type: Conference Presentation
Language: en
Publisher: Association for Computing Machinery
Identifier: 978-1-4503-6647-2/18/09
Publisher URL: https://dl.acm.org/citation.cfm?doid=3278681.3278701
Handle: http://hdl.handle.net/10204/10682
Repository: ResearchSpace (CSIR), https://researchspace.csir.co.za

Citation: Burke, I.D., Herbert, A. and Mooi, R.D. 2018. Using network flow data to analyse distributed reflection denial of service (DRDoS) attacks, as observed on the South African national research and education network (SANReN): A postmortem analysis of the memcached attack on the SANReN. Annual conference of the South African Institute of Computer Scientists and Information Technologists (SAICSIT 2018), Port Elizabeth, 26-28 September 2018, pp. 164-170

Copyright: 2018 ACM. Due to copyright restrictions, the attached PDF file only contains the abstract of the full text item. For access to the full text item, please consult the publisher's website: https://dl.acm.org/citation.cfm?doid=3278681.3278701

Abstract: Distributed Denial of Service (DDoS) attacks cause significant disruption on critical networks within South Africa. Timely detection and mitigation are a key concern for the SANReN Cyber Security Incident Response Team (CSIRT). This paper presents an analysis of the Memcached reflection DDoS attack which occurred in February 2018. The attack was the largest DDoS attack to date. By analysing the attack and the impact it had on the SANReN network, this paper aims to show how network flow data can be used to detect network attacks and to perform post-attack analysis to prevent future network attacks. The attack timeline is divided into three main phases: pre-attack, peak attack period and post-attack residue.

Keywords: Network attack analysis; Network monitoring; National Infrastructure