A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers

  • Conference paper
Passive and Active Measurement (PAM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13210)

Abstract

Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This raises the question of whether we should instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally, we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

Notes

  1. http://unbound.net/.

  2. The discontinuity seen on the plot for our scans on 2021-06-28 was the result of a one-day measurement failure.

Acknowledgments

We would like to thank the anonymous PAM reviewers for their valuable feedback on our paper. This research is funded by the EU H2020 projects CONCORDIA (#830927) and partially funded by SIDNfonds.

Author information

Corresponding author

Correspondence to Ramin Yazdani.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Yazdani, R., van Rijswijk-Deij, R., Jonker, M., Sperotto, A. (2022). A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_13

  • DOI: https://doi.org/10.1007/978-3-030-98785-5_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-98784-8

  • Online ISBN: 978-3-030-98785-5

  • eBook Packages: Computer Science (R0)
