Despite continuous defense efforts, DDoS attacks are still very prevalent on the Internet. In such arms races, attackers are becoming more agile and their strategies are more sophisticated to escape from detection. Effective defenses demand in-depth understanding of such strategies. In this paper, we set to investigate the DDoS landscape from the perspective of the attackers. We focus on the dynamics of the attacking force, aiming to explore the strategies behind the scenes, if any. Our study is based on 50,704 different Internet DDoS attacks across the globe in a seven-month period. Our results indicate that attackers deliberately schedule their controlled bots in a dynamic fashion, and such dynamics can be well captured by statistical distributions. Furthermore, different botnet families exhibit similar scheduling patterns, strongly suggesting their close relationship and potential collaborations. Such collaborations are further confirmed by bots rotating in multiple families, and such rotation patterns are examined and confirmed at various levels. These findings lay a promising foundation for predicting DDoS attacks in the future and aid mitigation efforts.

中文翻译：

---

DDoS 攻击及其动态的数据驱动研究

尽管做出了持续的防御努力，但 DDoS 攻击在 Internet 上仍然非常普遍。在这样的军备竞赛中，攻击者变得更加敏捷，他们的策略也更加复杂以逃避检测。有效的防御需要深入了解此类策略。在本文中，我们开始从攻击者的角度调查 DDoS 格局。我们专注于攻击力的动态，旨在探索幕后策略（如果有的话）。我们的研究基于 7 个月内全球 50,704 次不同的互联网 DDoS 攻击。我们的结果表明，攻击者故意以动态方式安排他们受控的机器人，并且可以通过统计分布很好地捕获这种动态。此外，不同的僵尸网络家族表现出相似的调度模式，强烈暗示他们的密切关系和潜在的合作。机器人在多个家族中轮换进一步证实了这种合作，并且这种轮换模式在各个层面得到了检查和确认。这些发现为预测未来的 DDoS 攻击和帮助缓解工作奠定了有希望的基础。