Article code | Journal code | Publication year | English article | Full-text version |
---|---|---|---|---|
449996 | 693751 | 2015 | 9 pages PDF | Free download |

• We propose a novel reflective amplification DDoS attack called store-and-flood DRDoS.
• SF-DRDoS gains a high amplification factor by storing prepared data on reflectors.
• We implement prototypes on two Kademlia networks, Kad and BT-DHT.
• Real-world experiments achieve an average amplification factor of 2400 in Kad.
• The upper bound of attack bandwidth could be 670 Gbps and 10 Tbps for Kad and BT-DHT, respectively.
Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic and have become a significant threat to Internet security. In this paper we show that an attacker can make the DRDoS attack even more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS, which leverages peer-to-peer (P2P) file-sharing networks. An attacker can store carefully prepared data on reflector nodes before the flooding phase, greatly increasing the amplification factor of the attack. In this way, SF-DRDoS is more surreptitious and powerful than traditional DRDoS. We present two prototype SF-DRDoS attacks on two popular Kademlia-based P2P file-sharing networks, Kad and BT-DHT. Experiments in real-world environments showed that this attack can achieve an amplification factor of 2400 on average in Kad, and can reach an upper bound on attack bandwidth of 670 Gbps and 10 Tbps for Kad and BT-DHT, respectively. We also propose some candidate defenses to mitigate the SF-DRDoS threat.
Journal: Computer Communications - Volume 69, 15 September 2015, Pages 107–115