{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T04:16:33Z","timestamp":1768968993336,"version":"3.49.0"},"reference-count":56,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2016,11,4]],"date-time":"2016-11-04T00:00:00Z","timestamp":1478217600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Concerns about security on Internet of Things (IoT) cover data privacy and integrity, access control, and availability. IoT abuse in distributed denial of service attacks is a major issue, as typical IoT devices\u2019 limited computing, communications, and power resources are prioritized in implementing functionality rather than security features. Incidents involving attacks have been reported, but without clear characterization and evaluation of threats and impacts. The main purpose of this work is to methodically assess the possible impacts of a specific class\u2013amplified reflection distributed denial of service attacks (AR-DDoS)\u2013against IoT. The novel approach used to empirically examine the threat represented by running the attack over a controlled environment, with IoT devices, considered the perspective of an attacker. The methodology used in tests includes that perspective, and actively prospects vulnerabilities in computer systems. This methodology defines standardized procedures for tool-independent vulnerability assessment based on strategy, and the decision flows during execution of penetration tests (pentests). After validation in different scenarios, the methodology was applied in amplified reflection distributed denial of service (AR-DDoS) attack threat assessment. Results show that, according to attack intensity, AR-DDoS saturates reflector infrastructure. Therefore, concerns about AR-DDoS are founded, but expected impact on abused IoT infrastructure and devices will be possibly as hard as on final victims.<\/jats:p>","DOI":"10.3390\/s16111855","type":"journal-article","created":{"date-parts":[[2016,11,4]],"date-time":"2016-11-04T11:18:38Z","timestamp":1478258318000},"page":"1855","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["A Methodological Approach for Assessing Amplified Reflection Distributed Denial of Service on the Internet of Things"],"prefix":"10.3390","volume":"16","author":[{"given":"Jo\u00e3o","family":"Costa Gondim","sequence":"first","affiliation":[{"name":"Electrical Engineering Department, University of Bras\u00edlia, Campus Universit\u00e1rio Darci Ribeiro, 70919-970 Bras\u00edlia DF, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6717-3374","authenticated-orcid":false,"given":"Robson","family":"De Oliveira Albuquerque","sequence":"additional","affiliation":[{"name":"Electrical Engineering Department, University of Bras\u00edlia, Campus Universit\u00e1rio Darci Ribeiro, 70919-970 Bras\u00edlia DF, Brazil"}]},{"given":"Anderson","family":"Clayton Alves Nascimento","sequence":"additional","affiliation":[{"name":"Electrical Engineering Department, University of Bras\u00edlia, Campus Universit\u00e1rio Darci Ribeiro, 70919-970 Bras\u00edlia DF, Brazil"},{"name":"Center for Data Science, Institute of Technology, University of Washington, Tacoma, WA 98402-3100, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7573-6272","authenticated-orcid":false,"given":"Luis","family":"Garc\u00eda Villalba","sequence":"additional","affiliation":[{"name":"Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor Jos\u00e9 Garc\u00eda Santesmases, 9, Ciudad Universitaria, Madrid 28040, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0117-8102","authenticated-orcid":false,"given":"Tai-Hoon","family":"Kim","sequence":"additional","affiliation":[{"name":"Department of Convergence Security, Sungshin Women\u2019s University, 249-1 Dongseon-Dong 3-ga, Seoul 136-742, Korea"}]}],"member":"1968","published-online":{"date-parts":[[2016,11,4]]},"reference":[{"key":"ref_1","unstructured":"Allen, N. Cybersecurity Weaknesses Threaten to Make Smart Cities More Costly and Dangerous Than Their Analog Predecessors. Available online: http:\/\/eprints.lse.ac.uk\/65816\/."},{"key":"ref_2","unstructured":"Wueest, C. The Continued Rise of DDoS Attacks. Available online: http:\/\/www.symantec.com\/content\/en\/us\/enterprise\/media\/securityresponse\/whitepapers\/the-continued-rise-of-ddos-attacks.pdf."},{"key":"ref_3","unstructured":"Jackson, W. (2013). How Hackers Can Turn the Internet of Things into a Weapon, GCN: Public Sector Media Group. Available online: https:\/\/gcn.com\/blogs\/cybereye\/2013\/05\/how-hackers-turn-internet-of-things-into-weapon.aspx."},{"key":"ref_4","unstructured":"Cox, R. (2013). 5 Notorious DDoS Attacks in 2013: Big Problem for the Internet of Things, SiliconANGLE Media Inc.. Available online: http:\/\/siliconangle.com\/blog\/2013\/08\/26\/5-notorious-ddos-attacks-in-2013-big-problem-for-the-internet-of-things\/."},{"key":"ref_5","unstructured":"Sharon, S. (2015). 2015 DDoS Attacks on the Rise, Attackers Shift Tactics, TechTarget Network. Available online: http:\/\/searchsecurity.techtarget.com\/news\/4500246858\/2015-DDoS-attacks-on-the-rise-attackers-shift-tactics."},{"key":"ref_6","unstructured":"Toms, L. (2016). Closed for Business\u2013The Impact of Denial of Service Attacks in the IoT, GlobalSign GMO Internet Group. Available online: https:\/\/www.globalsign.com\/en\/blog\/denial-of-service-in-the-iot\/."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"17","DOI":"10.1145\/66093.66095","article-title":"The Internet Worm Program: An Analysis","volume":"19","author":"Spafford","year":"1989","journal-title":"SIGCOMM Comput. Commun. Rev."},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Stoll, C. (1989). The Cuckoo\u2019s Egg: Tracking a Spy through the Maze of Computer Espionage, Doubleday.","DOI":"10.1063\/1.2810663"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Kumar, S.A., Vealey, T., and Srivastava, H. (2016, January 5\u20138). Security in Internet of Things: Challenges, Solutions and Future Directions. Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS), Koloa, HI, USA.","DOI":"10.1109\/HICSS.2016.714"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Yu, T., Sekar, V., Seshan, S., Agarwal, Y., and Xu, C. (2015, January 16\u201317). Handling a Trillion (Unfixable) Flaws on a Billion Devices: Rethinking Network Security for the Internet-of-Things. Proceedings of the 14th ACM Workshop on Hot Topics in Networks, Philadelphia, PA, USA.","DOI":"10.1145\/2834050.2834095"},{"key":"ref_11","first-page":"85","article-title":"The Internet of Things: New Interoperability, Management and Security Challenges","volume":"8","author":"Elkhodr","year":"2016","journal-title":"Int. J. Netw. Secur. Its Appl."},{"key":"ref_12","unstructured":"Cviti\u0107, I., Vuji\u0107, M., and Husnjak, S. (2015, January 21\u201324). Classification of Security Risks in the IoT Environment. Proceedings of the 26th DAAAM International Symposium on Intelligent Manufacturing and Automation, Zadar, Croatia."},{"key":"ref_13","unstructured":"Xylogiannopoulos, K., Karampelas, P., and Alhajj, R. (2016, January 17\u201318). Real Time Early Warning DDoS Attack Detection. Proceedings of the 11th International Conference on Cyber Warfare and Security, Boston, MA, USA."},{"key":"ref_14","first-page":"522","article-title":"IoTPOT: A Novel Honeypot for Revealing Current IoT Threats","volume":"24","author":"Pa","year":"2016","journal-title":"J. Inf. Process."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Ar\u0131\u015f, A., Oktu\u011f, S.F., and Yal\u00e7\u0131n, S.B.\u00d6. (2015, January 16\u201319). Internet-of-Things security: Denial of service attacks. Proceedings of the 2015 23nd Signal Processing and Communications Applications Conference (SIU), Malatya, Turkey.","DOI":"10.1109\/SIU.2015.7129976"},{"key":"ref_16","unstructured":"Pras, A., Santanna, J.J., Steinberger, J., and Sperotto, A. (2016). Measurement, Modelling and Evaluation of Dependable Computer and Communication Systems, Springer."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"367","DOI":"10.1007\/978-981-10-0135-2_36","article-title":"An Approach to Secure Internet of Things Against DDoS","volume":"Volume 2","author":"Sonar","year":"2016","journal-title":"Proceedings of the International Conference on ICT for Sustainable Development: ICT4SD"},{"key":"ref_18","unstructured":"Zhang, C., and Green, R. (2015, January 12\u201315). Communication Security in Internet of Thing: Preventive Measure and Avoid DDoS Attack over IoT Network. Proceedings of the 18th Symposium on Communications & Networking, Alexandria, VA, USA."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Furfaro, A., Malena, G., Molina, L., and Parise, A. (2015, January 25\u201327). A Simulation Model for the Analysis of DDoS Amplification Attacks. Proceedings of the 17th USKSIM-AMSS International Conference on Modelling and Simulation, Cambridge, UK.","DOI":"10.1109\/UKSim.2015.52"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Hu, F. (2016). Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations, CRC Press.","DOI":"10.1201\/b19516"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Sgouras, K.I., Birda, A.D., and Labridis, D.P. (2014, January 19\u201322). Cyber attack impact on critical Smart Grid infrastructures. Proceedings of the 2014 IEEE PES Innovative Smart Grid Technologies Conference (ISGT), Washington, DC, USA.","DOI":"10.1109\/ISGT.2014.6816504"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Solis, P., Pacheco, L., Gondim, J., and Alchieri, E. (November, January 31). Evaluation of Distributed Denial of Service Threat in the Internet of Things. Proceedings of the 2016 IEEE 15th International Symposium on Network Computing and Applications (NCA), Cambridge, MA, USA, NY, USA.","DOI":"10.1109\/NCA.2016.7778599"},{"key":"ref_23","unstructured":"Nagpal, B., Sharma, P., Chauhan, N., and Panesar, A. (2015, January 11\u201313). DDoS tools: Classification, analysis and comparison. Proceedings of the 2015 2nd International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India."},{"key":"ref_24","first-page":"94","article-title":"The innocent perpetrators: Reflectors and reflection attacks","volume":"4","author":"Arukonda","year":"2015","journal-title":"Adv. Comput. Sci."},{"key":"ref_25","unstructured":"Bright, P. Spamhaus DDoS Grows to Internet-Threatening Size. Available online: http:\/\/arstechnica.com\/security\/2013\/03\/spamhaus-ddos-grows-to-internetthreatening-size\/."},{"key":"ref_26","unstructured":"Prince, M. The DDoS That Knocked Spamhaus Offline (and How We Mitigated It). Available online: https:\/\/blog.cloudflare.com\/the-ddos-that-knocked-spamhaus-offline-and-ho\/."},{"key":"ref_27","unstructured":"US-CERT (2014). Alert (TA14-017A UDP-Based Amplification Attacks), Available online: https:\/\/www.us-cert.gov\/ncas\/alerts\/TA14-017A."},{"key":"ref_28","unstructured":"Goodin, D. Record-Breaking DDoS Reportedly Delivered by >145 k Hacked Cameras. Available online: http:\/\/arstechnica.com\/security\/2016\/09\/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever\/."},{"key":"ref_29","unstructured":"Herzog, P. Open Source Security Testing Methodology Manual (OSSTMM). Available online: https:\/\/www.pcisecuritystandards.org\/documents\/PenetrationTestingGuidanceMarch2015.pdf."},{"key":"ref_30","unstructured":"Penetration Testing Execution Standard: Penetration Testing Execution Standard. Available online: http:\/\/www.pentest-standard.org."},{"key":"ref_31","unstructured":"SANS Institute Conducting a Penetration Test on an Organization. Available online: http:\/\/resources.infosecinstitute.com\/penetration-testing-methodology-web-applications\/."},{"key":"ref_32","unstructured":"OWASP Testing Guide. Available online: https:\/\/www.owasp.org\/index.php\/OWASPTestingGuidev4TableofContents."},{"key":"ref_33","unstructured":"Conducting a Penetration Test on an Organization. Available online: http:\/\/www.sans.org\/reading-room\/whitepapers\/auditing\/conducting-penetration-test-organization-67."},{"key":"ref_34","unstructured":"PCI Data Security Standard (PCI DSS) Information Supplement: Penetration Testing Guidance, Version: 1.0. Available online: https:\/\/www.pcisecuritystandards.org\/documents\/Penetration_Testing_Guidance_March_2015.pdf."},{"key":"ref_35","first-page":"43","article-title":"Methodology for Penetration Testing","volume":"2","author":"Alisherov","year":"2009","journal-title":"Int. J. Grid Distrib. Comput."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Scarfone, K.A., Souppaya, M.P., Cody, A., and Orebaugh, A.D. (2008). SP 800-115. Technical Guide to Information Security Testing and Assessment, NIST: National Institute of Standards and Technology, US Department of Commerce. Technical Report.","DOI":"10.6028\/NIST.SP.800-115"},{"key":"ref_37","unstructured":"Shewhart, W.A. (1939). Statistical Method from the Viewpoint of Quality Control, Courier Corporation."},{"key":"ref_38","unstructured":"Deming, W.E. (1986). Out of the Crisis, MIT Press. MIT Center for Advanced Engineering Study."},{"key":"ref_39","unstructured":"Boyd, J.R. Available online: http:\/\/www.dnipogo.org\/boyd\/pdf\/poc.pdf."},{"key":"ref_40","unstructured":"Boyd, J.R. Available online: http:\/\/dnipogo.org\/john-r-boyd\/."},{"key":"ref_41","unstructured":"McDowell, M. (2009). Understanding Denial-of-Service Attacks, Technical Report."},{"key":"ref_42","doi-asserted-by":"crossref","unstructured":"Damon, E., Dale, J., Laron, E., Mache, J., Land, N., and Weiss, R. (2012, January 12\u201313). Hands-on Denial of Service Lab Exercises Using SlowLoris and RUDY. Proceedings of the 2012 Information Security Curriculum Development Conference, Kennesaw, GA, USA.","DOI":"10.1145\/2390317.2390321"},{"key":"ref_43","unstructured":"Kenney, M. Ping of Death. Available online: http:\/\/insecure.org\/sploits\/ping-o-death.html."},{"key":"ref_44","doi-asserted-by":"crossref","first-page":"38","DOI":"10.1145\/505659.505664","article-title":"An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks","volume":"31","author":"Paxson","year":"2001","journal-title":"ACM SIGCOMM Computer Commun. Rev."},{"key":"ref_45","unstructured":"Ali, F. IP Spoofing. Available online: http:\/\/www.cisco.com\/web\/about\/ac123\/ac147\/archivedissues\/ipj10-4\/104ip-spoofing.html."},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Rossow, C. (2014, January 23\u201326). Amplification Hell: Revisiting Network Protocols for DDoS Abuse. Proceedings of the 21st Annual Network and Distributed System Security Symposium, NDSS 2014, San Diego, CA, USA.","DOI":"10.14722\/ndss.2014.23233"},{"key":"ref_47","unstructured":"Allweyer, T. (2010). ISBN-10: 383709331X, ISBN-13: 978-3837093315 BoD\u2013Books on Demand."},{"key":"ref_48","unstructured":"Transactional Process\u2013Construction: Bizagi Process Modeler. Available online: http:\/\/www.bizagi.com."},{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Shelby, Z., Hartke, K., and Bormann, C. (2014). The Constrained Application Protocol (CoAP), Internet Engineering Task Force (IETF). RFC 7959.","DOI":"10.17487\/rfc7252"},{"key":"ref_50","unstructured":"UPnP Forum UPnP Device Architecture Version 1.0, Revised on 24 April 2008. Available online: http:\/\/www.upnp.org\/specs\/arch\/UPnP-arch-DeviceArchitecture-v1.0-20080424.pdf."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"Case, J., Fedor, M., Schoffstall, M., and Davin, J. (1990). Simple Network Management Protocol (SNMP), Internet Engineering Task Force (IETF). RFC 1157 (Historic).","DOI":"10.17487\/rfc1157"},{"key":"ref_52","unstructured":"Prolexic Threat Advisory: SNMP Reflection DDoS Attacks. Available online: https:\/\/www.akamai.com\/us\/en\/multimedia\/documents\/state-of-the-internet\/snmp-reflector-attacks-threat-advisory.pdf."},{"key":"ref_53","doi-asserted-by":"crossref","unstructured":"Blumenthal, U., and Wijnen, B. (2002). User-based Security Model (USM) for Version 3 of the Simple Network Management Protocol (SNMPv3), Internet Engineering Task Force (IETF). RFC 3414.","DOI":"10.17487\/rfc3414"},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Case, J., McCloghrie, K., Rose, M., and Waldbusser, S. (1996). Introduction to Community-Based SNMPv2, Internet Engineering Task Force (IETF). RFC 1901.","DOI":"10.17487\/rfc1901"},{"key":"ref_55","unstructured":"Open SNMP Scanning Project. Available online: https:\/\/snmpscan.shadowserver.org."},{"key":"ref_56","unstructured":"Wireshark Foundation. Available online: https:\/\/www.wireshark.org."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/16\/11\/1855\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T19:34:47Z","timestamp":1760211287000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/16\/11\/1855"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2016,11,4]]},"references-count":56,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2016,11]]}},"alternative-id":["s16111855"],"URL":"https:\/\/doi.org\/10.3390\/s16111855","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2016,11,4]]}}}