The far side of DNS amplification

Nawrocki, Marcin; Jonker, Mattijs; Schmidt, Thomas C.; Wählisch, Matthias

doi:10.1145/3487552.3487835

Cited by 16 publications

(11 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Reports of DDoS attacks in the news suggest that attackers increasingly use DNSSEC-signed domains in amplification attacks [14]. This is supported by observations using DDoS honeypots [23] as well as in a recent work that studies R&A attacks using IXP traces [31]. Whether or not an open resolver supports DNSSEC is thus a factor that influences its usability for amplification from an attacker's point of view.…”

Section: Support For Dns Protocol Featuresmentioning

confidence: 83%

See 1 more Smart Citation

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

Yazdani

Rijswijk-Deij

Jonker

et al. 2022

Passive and Active Measurement

Self Cite

View full text Add to dashboard Cite

Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

show abstract

Section: Support For Dns Protocol Featuresmentioning

confidence: 83%

“…Nawrocki et al [31] studied the behavior of attackers in terms of which sets of open DNS resolvers they misuse in attacks. Their results show that attackers efficiently detect new resolvers and steadily rotate between them.…”

Section: Related Workmentioning

confidence: 99%

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

Yazdani

Rijswijk-Deij

Jonker

et al. 2022

Passive and Active Measurement

Self Cite

View full text Add to dashboard Cite

show abstract

“…Recent research observes this for different honeypot deployments, which show very diverging event sets with incomplete pictures of attacks. Two independent studies show small overlaps of only 4% [23] and 8.18% [24] between UDP amplification attacks observed at common honeypots and different vantage points (i.e., other honeypot platforms and IXPs), challenging previous assumptions and claims of convergence. Furthermore, analyses based on the large HPI platform show that convergence differs by protocol and that a general approach to high attack visibility (i.e., 99%) is hard to achieve, e.g., RIP measurements require 60 sensors and other protocols ≈150 sensors [16].…”

Section: Current Methodsmentioning

confidence: 91%

“…They conclude that the CCC platform captures 85.1%-96.6% of all attacks [14]. Other work derives that 5 CCC sensors monitor > 99.5% of the DNS victims [23].…”

Section: Current Methodsmentioning

confidence: 96%

“…We observe continuous activity (scan or attacks) for all but one faulty sensor for NTP and LDAP, why we conclude that these services were run throughout the whole measurement period. We now reproduce the honeypot convergence based on a near-optimal sensor selection, analogous to prior work [12], [23]. We sort the sensors by the number of victims and perform a greedy selection, i.e., we select the sensors with the most unique victims first.…”

Section: Reproducing Convergencementioning

confidence: 99%

See 1 more Smart Citation

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Nawrocki¹,

Kristoff²,

Hiesgen³

et al. 2023

Preprint

View full text Add to dashboard Cite

In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

show abstract

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Nosyk

Korczyński

Duda

2022

Passive and Active Measurement

View full text Add to dashboard Cite

DDoS attacks are one of the biggest threats to the modern Internet as their magnitude is constantly increasing. They are highly effective because of the amplification and reflection potential of different Internet protocols. In this paper, we show how a single DNS query triggers a response packet flood to the query source, possibly because of middleboxes located in networks with routing loops. We send DNS A requests to 3 billion routable IPv4 hosts and find 15,909 query destinations from 1,742 autonomous systems that trigger up to 46.7 million repeating responses. We perform traceroute measurements towards destination hosts that resulted in the highest amplification, locate 115 routing loops on the way, and notify corresponding network operators. Finally, we analyze two years of historical scan data and find that such "mega amplifiers" are prevalent. In the worst case, a single DNS A request triggered 655 million responses, all returned to a single host.

show abstract

The far side of DNS amplification

Cited by 16 publications

References 52 publications

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Contact Info

Product

Resources

About