### Rating (1--4)

+ 3: Weak Accept -- This paper may have flaws, but I would not argue against it at a major conference
  * very weak accept

### What did this paper do well?

+ Presented an interesting way to identify amplification DDoS threat actors - a very challenging task
+ While having quite a good number of assumptions, the paper did spend time to form some mathematical models to back up certain points.

### Where did this paper fall short?

+ "assume that attackers use only a single system to launch their attacks." --> per the paper, this was based on the fact that a single machine can scan the IPv4 space --> an attacker may use IPs from a botnet to scan as a way to avoid detection by ISPs.
+ "further assume that scanners do not spoof their source addresses when performing a scan" --> to me, this is quite a big assumption.
+ There are some limitations in just identifying the source of attacks based on one simple rule of 100 "pings" per hour.
+ There are some difficulties with the proposed attribution method. The paper admitted: "This raises the question whether our attribution is actually robust under such real-world conditions." Furthermore, the number of supported honeypot IPs per protocol varies greatly. For example, with SSDP, only 9.38 (avg) IPs were used.
+ While discussing how to improve the confidence of the attribution, the paper argued that reducing the response ratio and increasing the network size are two different things, which, in my opinion, is not true. Since the response ratio is dependent on the network size, they are actually the same thing, and increasing the network size actually makes more sense (more honeypot IPs). While a mathematical model was presented, the paper did not perform evaluations on the correlation between increases in network size and increases in attribution confidence.
+ This paper is full of assumptions.

### What did you learn from reading this paper?

+ The scale and the significance of amplification attacks (more than 10k per day)
+ The term "trilateration", and linking scanners to attack origins based on hop counts
+ Attribution of possible reflection DDoS threat actors by mapping scan infrastructures to attack infrastructures

### What questions do you have about the paper or the area?

+ Why can't scans forge their source IP?
+ How to stage honeypots, and how to make sure scanners will be attracted to the honeypots?
+ What are "similar traffic sources"?
+ What went wrong with the sources the method can't identify?
+ Why won't attackers use a botnet (a small part of it) to launch the seeds of the reflection attack?
+ Why does TTL matter in deciding "same infrastructure"? (The paper then admitted that TTL can easily be changed/spoofed.)