By Kyle Haefner, Cable Television Laboratories Inc.
Distributed Denial of Service (DDoS) attacks are among the preeminent threats facing the Internet today.
Predicting where the next DDoS attack will emanate at an endpoint/subscriber level is a long-sought goal of the cyber-security community.
This work evaluates attack data from five contributing members of the DDoS Information Sharing (DIS)project with the intent to provide an ISP/MSO the tools to predict at subscriber/endpoint granularity if they will start participating in a DDoS attack. The DIS data is combined with data from the Internet search engine, Shodan, to build a detailed dataset of recent/active attackers. Statistical and machine learning analysis of this composite dataset demonstrates that by evaluating network endpoints with certain features, it can be predicted that these endpoints will participate in a specific type of DDoS attack with accuracies between 91-98%.
Finally, each feature of the attacking network endpoint that was used in the machine learning model is ranked by its predictive significance, lending insight into how ISP/MSOs might preemptively detect and mitigate an endpoint even before it starts participating in a DDoS attack.