Deciphering DDoS Attacks through a Global Lens

With a rising frequency and scale, Distributed Denial-of-Service (DDoS) attacks persist as a critical cybersecurity issue. While shared attack fingerprints aid many intrusion detection systems in identifying threats, their application for DDoS attacks remains limited due to their distinct nature. However, fingerprints observed from multiple locations can provide valuable insights. This paper presents Reassembler, a novel platform for achieving a global DDoS attack analysis using attack fingerprints recorded from various locations. Reassembler consolidates these fingerprints into a unified view allowing to obtain a global overview of DDoS attacks. The evaluation, conducted on four simulated scenarios, demonstrates Reassembler's ability to extract novel properties, such as the count of intermediate nodes and the estimated percentage of spoofed IPs.