On the Potential of IPv6 Open Resolvers for DDoS Attacks

  • Luuk Hendriks
  • Ricardo de Oliveira Schmidt
  • Roland van Rijswijk-Deij
  • Aiko Pras
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10176)


Distributed Denial of Service (DDoS) attacks have become a daily problem in today’s Internet. These attacks aim at overwhelming online services or network infrastrucure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers.

This problem can be further aggravated in the near future by the increasing number of IPv6-enabled services in the Internet. Given that the deployment of IPv6-enabled services is increasing, it becomes important to find vulnerable IPv6 open services that could be (mis)used by attackers, and prevent that misuse. However, unlike with IPv4, simply scanning the IPv6 address space to find these open services is impractical.

In this paper we present an active measurement approach to enumerate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack. Based on the assumption that IPv6 open resolvers can be found via IPv4 ones, we show that IPv6-based amplified DDoS attacks are a significantly potential threat in the Internet: the analyzed resolvers, of which 72% are assumingly infrastructural servers, showed a median amplification factor of 50.


Open Resolver Domain Name System IPv6 Address Response Size Shared Cache 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Open Resolver Project (2016).
  2. 2.
    State of the Internet/Security. Technical report, Akamai, Q2 (2016).
  3. 3.
    WISR. Technical report, Arbor Networks (2016).
  4. 4.
    Berger, A., Weaver, N., Beverly, R., Campbell, L.: Internet nameserver IPv4 and IPv6 address relationships. In: ACM IMC (2013)Google Scholar
  5. 5.
    Beverly, R., Berger, A., Siblings, S.: Identifying shared IPv4/IPv6 infrastructure via active fingerprinting. In: PAM (2015)Google Scholar
  6. 6.
    Czyz, J., Kallitsis, M., Gharaibeh, M., Papadopoulos, C., Bailey, M., Karir, M.: The rise and decline of NTP DDoS attacks. In: ACM IMC (2014)Google Scholar
  7. 7.
    Durumeric, Z., Wustrow, E., Halderman, J.A.: ZMap: fast internet-wide scanning and its security applications. In: USENIX Security (2013)Google Scholar
  8. 8.
    Gasser, O., Scheitle, Q., Gebhard, S., Carle, G.: Scanning the IPv6 internet: towards a comprehensive hitlist. In: IFIP TMA (2016)Google Scholar
  9. 9.
    Moura, G.C.M., Schmidt, R.O., Heidemann, J., Vries, W.B., Müller, M., Wan, L., Hesselman, C.: Anycast vs. DDoS: evaluating the November 2015 root DNS event. In: ACM IMC (2016)Google Scholar
  10. 10.
    Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from Hell? Reducing the impact of amplification DDoS attacks. In: USENIX Security (2014)Google Scholar
  11. 11.
    MacFarland, D.C., Shue, C.A., Kalafut, A.J.: Characterizing optimal DNS amplification attacks and effective mitigation. In: Mirkovic, J., Liu, Y. (eds.) PAM 2015. LNCS, vol. 8995, pp. 15–27. Springer, Heidelberg (2015). doi: 10.1007/978-3-319-15509-8_2 Google Scholar
  12. 12.
    Rossow, C., Hell, A.: Revisiting network protocols for DDoS abuse. In: NDSS (2014)Google Scholar
  13. 13.
    Schomp, K., Callahan, T., Rabinovich, M., Allman, M.: On measuring the client-side DNS infrastructure. In: ACM IMC (2013)Google Scholar
  14. 14.
    Takano, Y., Ando, R., Takahashi, T., Uda, S., Inoue, T.: A measurement study of open resolvers and DNS server version. In: Internet Conference (IEICE) (2013)Google Scholar
  15. 15.
    Ullrich, J., Kieseberg, P., Krombholz, K., Weippl, E.: On reconnaissance with IPv6: a pattern-based scanning approach. In: IEEE ARES (2015)Google Scholar
  16. 16.
    van Rijswijk-Deij, R., Sperotto, A., Pras, A.: DNSSEC and its potential for DDoS attacks - a comprehensive measurement study. In: ACM IMC (2014)Google Scholar
  17. 17.
    Welzel, A., Rossow, C., Bos, H.: On measuring the impact of DDoS Botnets. In: ACM EUROSEC (2014)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Luuk Hendriks
    • 1
  • Ricardo de Oliveira Schmidt
    • 1
  • Roland van Rijswijk-Deij
    • 2
  • Aiko Pras
    • 1
  1. 1.Faculty of Electrical Engineering, Mathematics and Computer ScienceUniversity of TwenteEnschedeThe Netherlands
  2. 2.SURFnet BVUtrechtThe Netherlands

Personalised recommendations