Ramin Yazdani scite author profile

Ramin Yazdani

4Publications

3Citation Statements Received

54Citation Statements Given

How they've been cited

How they cite others

Affiliations

University of Twente

Publications

Order By: Most citations

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

Yazdani

Rijswijk-Deij

Jonker

et al. 2022

View full text Add to dashboard Cite

Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

show abstract

A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements

Yazdani

Toorn

Sperotto

2020

View full text Add to dashboard Cite

The possibility to include Unicode characters in domain names allows users to deal with domains in their regional languages. This is done by introducing Internationalized Domain Names (IDN). However, the visual similarity between different Unicode characters -called homoglyphs -is a potential security threat, as visually similar domain names are often used in phishing attacks. Timely detection of suspicious homograph domain names is an important step towards preventing sophisticated attacks, since this can prevent unaware users to access those homograph domains that actually carry malicious content. We therefore propose a structured approach to identify suspicious homograph domain names based not on use, but on characteristics of the domain name itself and its associated DNS records.To achieve this, we leverage the OpenINTEL active DNS measurement platform, which performs a daily snapshot of more than 65% of the DNS namespace. In this paper, we first extend the existing Unicode homoglyph tables (confusion tables). This allows us to detect on average 2.97 times homograph domains compared to existing tables. Our proactive detection of suspicious IDN homograph domains provides an early alert that would help both domain owners as well as security researchers in preventing IDN homograph abuse.

show abstract

Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

Yazdani

Hilton

Ham

et al. 2022

View full text Add to dashboard Cite

Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute

Yazdani

Nosyk

Holz

et al. 2023

View full text Add to dashboard Cite

Connectionless networking protocols such as DNS continue to be widely misused for Reflection & Amplification (R&A) DDoS attacks. Early efforts to address the main cause of DNS-based R&A were focused on identifying and attempting to eradicate open DNS resolvers. One characteristic of open resolvers that has not received much attention so far is that -as a result of unexpected behavior -resolvers can react to a single query with multiple DNS responses. We refer to these as Echoing Resolvers.In this paper, we quantify the problem of echoing resolvers in the wild. We identify thousands of such resolvers on the Internet and show how some reply on the order of tens of thousands of times to a single query, further escalating the potential of R&A DDoS attacks. We analyze the cause of response repetition, study behavioral differences among echoing resolvers, and categorize resolvers on the basis of the underlying causes of the observed behavior. We show how the interplay between DNS traffic and the traversed networks is responsible for echoing resolvers. In particular, we identify IP broadcasting as a cause of echoing resolvers, on top of phenomena already described in the literature (e.g., routing loops). Furthermore, we show that using sensitive labels in queries can lead to a more powerful echoing effect while using different query types does not significantly affect echoing behavior. Finally, seeing how some underlying causes of response repetition also affect or can be turned against authoritative nameservers, we quantify the potential impact of echoing resolvers on these as well.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Ramin Yazdani

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

A Case of Identity: Detection of Suspicious IDN Homograph Domains Using Active DNS Measurements

Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute

Contact Info

Product

Resources

About