Characterizing infrastructure of DDoS attacks based on DDoSDB fingerprints

2019 
Distributed Denial of Service (DDoS) attacks are a big problem in the current digital landscape. Much research has been conducted on various sub-parts of DDoS. However, little is known about the infrastructure behind the attacks. It can be of interest to know how attackers choose their infrastructure. It is possible that they choose their attacking nodes very specifically, based on certain characteristics. This paper aims to characterize the infrastructure of DDoS attacks to gain more insight into these infrastructures and into how attackers choose their attacking nodes. The paper focuses on seven different attack types and analyzes their infrastructure. We show that DNS recursion is still enabled on a lot of DNS resolvers, that the non-RFC-compliant implementation of Chargen in Windows is widely misused, and that small ISPs are the most common among the attacking nodes in DDoS attacks.