Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński, Maciej; Nosyk, Yevheniya; Lone, Qasim; Skwarek, Marcin; Jonglez, Baptiste; Duda, Andrzej

doi:10.1007/978-3-030-44081-7_7

Cited by 17 publications

(20 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We have started longitudinal measurements to infer the deployment of SAV in both IPv4 and IPv6 address spaces [6] and plan to notify all parties affected by the vulnerability.…”

Section: Results and Conclusionmentioning

confidence: 99%

See 1 more Smart Citation

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Korczyński

Nosyk

Lone³

et al. 2020

Proceedings of the Applied Networking Research Workshop

Self Cite

View full text Add to dashboard Cite

This paper reports on the first Internet-wide active measurement study to enumerate networks not filtering incoming packets based on their source address. Our method identifies closed and open DNS resolvers handling requests from the outside of the network with the source address in the prefix of the tested network. The study gives the most complete picture of the inbound Source Address Validation deployment at network providers: 32,673 IPv4 ASes and 197,641 IPv4 BGP prefixes are vulnerable to spoofing of inbound traffic. CCS CONCEPTS • Networks → Network measurement; Security.

show abstract

“…We have started longitudinal measurements to infer the deployment of SAV in both IPv4 and IPv6 address spaces [6] and plan to notify all parties affected by the vulnerability.…”

Section: Results and Conclusionmentioning

confidence: 99%

“…In this paper, we report on the results of the Closed Resolver Project [6,7,19]. We propose a new method to identify networks not filtering inbound traffic based on source IP addresses.…”

Section: Introductionmentioning

confidence: 99%

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Korczyński

Nosyk

Lone³

et al. 2020

Proceedings of the Applied Networking Research Workshop

Self Cite

View full text Add to dashboard Cite

show abstract

“…ISPs should also follow security bestpractices to mitigate abuse. Examples of some security best-practices for ISPs include the use of walled-gardens to quarantine and isolate infected machines connected to the Internet (C ¸etin et al 2018, 2019), or deploying Source Address Validation, also known as BCP38, to prevent Distributed Denial-of-Service (DDoS) attacks from being launched via their infrastructure (Luckie et al 2019; Korczyński et al 2020;Lone et al 2017). Yet, again, the voluntary nature of implementing such best practices results in certain ISPs experiencing a higher level of abuse than others due to having laxer security practices.…”

Section: Internet Service Providersmentioning

confidence: 99%

Security Reputation Metrics

Korczyński,

Noroozian

2023

Preprint

View full text Add to dashboard Cite

Security reputation metrics (aka. security metrics) quantify the security levels of organization (e.g., hosting or Internet access providers) relative to comparable entities. They enable benchmarking and are essential tools for decision and policy-making in security, and may be used to govern and steer responsible parties towards investing in security when economic or other decision-making factors may drive them to do otherwise.

show abstract

“…Lack of destination side source address validation results in hosts behind a firewall to become partially accessible to externals leveraging source IP address spoofing [16,22]. DNS resolvers residing in such networks are known to be vulnerable to DNS cache poisoning attacks, but can also be misused in DDoS attacks.…”

Section: Related Workmentioning

confidence: 99%

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

Yazdani

Rijswijk-Deij

Jonker

et al. 2022

Passive and Active Measurement

View full text Add to dashboard Cite

Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

show abstract

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Cited by 17 publications

References 33 publications

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Security Reputation Metrics

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

Contact Info

Product

Resources

About