Distributed Denial of Service (DDoS) attacks are among the preeminent threats facing the Internet today.
Predicting, at the endpoint/subscriber level, where the next DDoS attack will originate is a long-sought goal of the cyber-security community.
This work evaluates attack data from five contributing members of the DDoS Information Sharing (DIS) project with the intent to provide an ISP/MSO with the tools to predict, at subscriber/endpoint granularity, whether an endpoint will start participating in a DDoS attack. The DIS data is combined with data from the Internet search engine Shodan to build a detailed dataset of recent/active attackers. Statistical and machine learning analysis of this composite dataset demonstrates that, by evaluating network endpoints with certain features, it can be predicted that these endpoints will participate in a specific type of DDoS attack with accuracies between 91% and 98%.
Finally, each feature of the attacking network endpoint that was used in the machine learning model is ranked by its predictive significance, lending insight into how ISP/MSOs might preemptively detect and mitigate an endpoint even before it starts participating in a DDoS attack.