{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T17:12:14Z","timestamp":1772039534775,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":27,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,4,8]],"date-time":"2024-04-08T00:00:00Z","timestamp":1712534400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc-sa\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003246","name":"Nederlandse Organisatie voor Wetenschappelijk Onderzoek","doi-asserted-by":"publisher","award":["CS.007"],"award-info":[{"award-number":["CS.007"]}],"id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,4,8]]},"DOI":"10.1145\/3605098.3635982","type":"proceedings-article","created":{"date-parts":[[2024,5,21]],"date-time":"2024-05-21T17:59:16Z","timestamp":1716314356000},"page":"1395-1404","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":1,"title":["Patch Pilgrimage: Exploring the Landscape of TCP Reflective Attacks and User Patching Expedition"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-0586-1373","authenticated-orcid":false,"given":"Joost","family":"Oortwijn","sequence":"first","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4699-3007","authenticated-orcid":false,"given":"Carlos","family":"Ga\u00f1\u00e1n","sequence":"additional","affiliation":[{"name":"Delft University of Technology, Delft, Netherlands"}]}],"member":"320","published-online":{"date-parts":[[2024,5,21]]},"reference":[{"key":"e_1_3_2_1_1_1","volume-title":"European Symposium on Research in Computer Security (ESORICS).","author":"Anghel Radu","year":"2023","unstructured":"Radu Anghel, Swaathi Vetrivel, Elsa Turcios Rodriguez, Kaichi Sameshima, Daisuke Makita, Katsunari Yoshioka, Carlos H. Ga\u00f1\u00e1n, and Yury Zhauniarovich. 2023. Peering into the Darkness: The Use of UTRS in Combating DDoS Attacks. In European Symposium on Research in Computer Security (ESORICS)."},{"key":"e_1_3_2_1_2_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Bock Kevin","year":"2021","unstructured":"Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin. 2021. Weaponizing middleboxes for TCP reflected amplification. In 30th USENIX Security Symposium (USENIX Security 21). 3345--3361."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"crossref","unstructured":"Dawn Branley-Bell Lynne Coventry Matt Dixon Adam Joinson Pam Briggs et al. 2022. Exploring age and gender differences in ICT cybersecurity behaviour. Human Behavior and Emerging Technologies 2022 (2022).","DOI":"10.1155\/2022\/2693080"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23438"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP.2019.00032"},{"key":"e_1_3_2_1_6_1","volume-title":"16th Workshop on the Economics of Information Security (WEIS","author":"Cetin Orcun","year":"2017","unstructured":"Orcun Cetin, Carlos Ga\u00f1\u00e1n, Maciej Korczynski, and Michel van Eeten. 2017. Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning. In 16th Workshop on the Economics of Information Security (WEIS 2017)."},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyw005"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"crossref","unstructured":"David Dittrich and Erin Kenneally. 2012. The Menlo Report: Ethical Principles Guiding Information and Communication Technology Research.","DOI":"10.2139\/ssrn.2342036"},{"key":"e_1_3_2_1_9_1","volume-title":"There Is No Try: User Engagement May Not Improve Security Outcomes. In Twelfth Symposium on Usable Privacy and Security (SOUPS","author":"Forget Alain","year":"2016","unstructured":"Alain Forget, Sarah Pearman, Jeremy Thomas, Alessandro Acquisti, Nicolas Christin, Lorrie Faith Cranor, Serge Egelman, Marian Harbach, and Rahul Telang. 2016. Do or Do Not, There Is No Try: User Engagement May Not Improve Security Outcomes. In Twelfth Symposium on Usable Privacy and Security (SOUPS 2016). USENIX Association, Denver, CO, 97--111."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3617072.3617109"},{"key":"e_1_3_2_1_11_1","volume-title":"How many interviews are enough? An experiment with data saturation and variability. Field methods 18, 1","author":"Guest Greg","year":"2006","unstructured":"Greg Guest, Arwen Bunce, and Laura Johnson. 2006. How many interviews are enough? An experiment with data saturation and variability. Field methods 18, 1 (2006), 59--82."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2457491"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2017.201"},{"key":"e_1_3_2_1_14_1","volume-title":"25th USENIX Security Symposium (USENIX Security 16)","author":"Li Frank","year":"2016","unstructured":"Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. 2016. You've got vulnerability: Exploring effective vulnerability notifications. In 25th USENIX Security Symposium (USENIX Security 16). 1033--1050."},{"key":"e_1_3_2_1_16_1","unstructured":"Gordon Lyon. 2008. Nmap Network Scanning. (2008)."},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP51992.2021.00031"},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.11591\/ijece.v11i6.pp5327-5341"},{"key":"e_1_3_2_1_19_1","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Rodr\u00edguez Elsa","year":"2023","unstructured":"Elsa Rodr\u00edguez, Radu Anghel, Simon Parkin, Michel Van Eeten, and Carlos Ga\u00f1\u00e1n. 2023. Two Sides of the Shield: Understanding Protective DNS adoption factors. In 32nd USENIX Security Symposium (USENIX Security 23). 3135--3152."},{"key":"e_1_3_2_1_20_1","volume-title":"But Not for Me: Measuring the Difficulty and User Experience of Remediating Persistent IoT Malware. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). 392--409","author":"Rodriguez Elsa","year":"2022","unstructured":"Elsa Rodriguez, Max Fukkink, Simon Parkin, Michel van Eeten, and Carlos Ga\u00f1\u00e1n. 2022. Difficult for Thee, But Not for Me: Measuring the Difficulty and User Experience of Remediating Persistent IoT Malware. In 2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P). 392--409."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1093\/cybsec\/tyab015"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23233"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.23919\/SOFTCOM.2017.8115504"},{"key":"e_1_3_2_1_24_1","volume-title":"Number of Internet of Things (IoT) connected devices worldwide from 2019 to","year":"2021","unstructured":"Statista. 2022. Number of Internet of Things (IoT) connected devices worldwide from 2019 to 2021, with forecasts from 2022 to 2030. https:\/\/www.statista.com\/statistics\/1183457\/iot-connected-devices-worldwide\/"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23171"},{"key":"e_1_3_2_1_26_1","volume-title":"USENIX Security Symposium (USENIX Security 16)","author":"Stock Ben","year":"2016","unstructured":"Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In USENIX Security Symposium (USENIX Security 16). 1015--1032."},{"key":"e_1_3_2_1_27_1","volume-title":"Easier Said Than Done: The Failure of Top-Level Cybersecurity Advice for Consumer IoT Devices. arXiv preprint arXiv:2310.00942","author":"van Harten Veerle","year":"2023","unstructured":"Veerle van Harten, Carlos Ga\u00f1\u00e1n, Michel van Eeten, and Simon Parkin. 2023. Easier Said Than Done: The Failure of Top-Level Cybersecurity Advice for Consumer IoT Devices. arXiv preprint arXiv:2310.00942 (2023)."},{"key":"e_1_3_2_1_28_1","volume-title":"22nd Workshop on the Economics of Information Security (WEIS","author":"Vetrivel Swaathi","year":"2023","unstructured":"Swaathi Vetrivel, Arman Noroozian, Daisuke Makita, Katsunari Yoshioka, Michel van Eeten, and Carlos H Ga\u00f1\u00e1n. 2023. Birds of a Feather? A Comparative Analysis of DDoS Victimisation by IoT Botnet and Amplification Attacks. In 22nd Workshop on the Economics of Information Security (WEIS 2023)."}],"event":{"name":"SAC '24: 39th ACM\/SIGAPP Symposium on Applied Computing","location":"Avila Spain","acronym":"SAC '24","sponsor":["SIGAPP ACM Special Interest Group on Applied Computing"]},"container-title":["Proceedings of the 39th ACM\/SIGAPP Symposium on Applied Computing"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605098.3635982","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3605098.3635982","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:36:15Z","timestamp":1750178175000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3605098.3635982"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,8]]},"references-count":27,"alternative-id":["10.1145\/3605098.3635982","10.1145\/3605098"],"URL":"https:\/\/doi.org\/10.1145\/3605098.3635982","relation":{},"subject":[],"published":{"date-parts":[[2024,4,8]]},"assertion":[{"value":"2024-05-21","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}