In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis, including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods used to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find that most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations implies their completeness. Finally, we derive guidance on precise, reproducible honeypot research and present open challenges.