1: \begin{abstract}

2: 

3: In this paper, we revisit the use of honeypots for detecting reflective amplification attacks.

4: These measurement tools require careful design of both data collection and data analysis including cautious threshold inference.

5: We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data.

6: By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations.

7: Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness.

8: Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

9: 

10: 

11: \end{abstract}

12: