Abstract
Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This raises the question of whether we should instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims to characterize open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization adds nuance to the problem of open resolvers and their role in amplification attacks, as it allows the more problematic resolvers to be identified. Our findings show that the population of open resolvers stays above 2.6M over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally, we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.
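The characterization the abstract describes rests on two calculations: the bandwidth amplification factor a resolver yields for a given query type (response bytes over the bytes of the query that elicited it, whose size depends on the EDNS0 buffer advertisement), and the share of aggregate amplification potential that disappears when only the most potent fraction of resolvers is remediated. The following is an added, self-contained illustration of both and is not code from the paper; the resolver addresses and response sizes are constructed, and `example.com` and the 4096-byte EDNS0 buffer are assumptions.

```python
import struct
from typing import Dict, Optional

QTYPE = {"A": 1, "TXT": 16, "DNSKEY": 48, "ANY": 255}

# Constructed measurement table (not the paper's data): bytes of UDP response each
# open resolver returned per query type; 0 means no usable answer (timeout/REFUSED).
RESPONSE_SIZES: Dict[str, Dict[str, int]] = {
    "203.0.113.10": {"A": 60, "TXT": 1200, "ANY": 3200, "DNSKEY": 1900},
    "203.0.113.11": {"A": 60, "TXT": 200, "ANY": 0, "DNSKEY": 0},
    "203.0.113.12": {"A": 60, "TXT": 120, "ANY": 520, "DNSKEY": 0},
    "203.0.113.13": {"A": 60, "TXT": 0, "ANY": 0, "DNSKEY": 0},
    "203.0.113.14": {"A": 60, "TXT": 300, "ANY": 0, "DNSKEY": 0},
}


def build_query(qname: str, qtype: int, edns_bufsize: Optional[int] = 4096) -> bytes:
    """Wire-format DNS query: RFC 1035 header + question, plus an EDNS0 OPT RR
    (RFC 6891) advertising the UDP payload size that caps how large a reply may be."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)  # id, RD=1, QDCOUNT=1
    labels = [part.encode() for part in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root owner name, TYPE=41, CLASS=payload size, TTL=ext-rcode/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def amplification_factor(response_bytes: int, query: bytes) -> float:
    """Bandwidth amplification factor: response size over the query that elicited it."""
    return response_bytes / len(query)


def resolver_potency(sizes: Dict[str, Dict[str, int]], qname: str = "example.com") -> Dict[str, float]:
    """Per resolver, the largest BAF it yields across query types (its worst case)."""
    return {
        ip: max(amplification_factor(n, build_query(qname, QTYPE[t])) for t, n in per_type.items())
        for ip, per_type in sizes.items()
    }


def share_removed_by_top(potency: Dict[str, float], fraction: float) -> float:
    """Fraction of the summed amplification potential eliminated by remediating only
    the top `fraction` most potent resolvers (what the abstract's 20%/80% claim measures)."""
    ranked = sorted(potency.values(), reverse=True)
    k = max(1, round(len(ranked) * fraction))
    return sum(ranked[:k]) / sum(ranked)


if __name__ == "__main__":
    p = resolver_potency(RESPONSE_SIZES)
    for ip, baf in sorted(p.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: max BAF {baf:.1f}")
    print(f"removing top 20%: {share_removed_by_top(p, 0.2):.0%} of potential gone")
```

With the constructed table, the single most potent resolver (20% of five) accounts for roughly 75% of the summed potential, which is the kind of skew that makes prioritized remediation pay off.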
Notes
- 1.
- 2. The discontinuity seen on the plot for our scans on 2021-06-28 was the result of a one-day measurement failure.
Acknowledgments
We would like to thank the anonymous PAM reviewers for their valuable feedback on our paper. This research is funded by the EU H2020 project CONCORDIA (#830927) and partially funded by SIDNfonds.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Yazdani, R., van Rijswijk-Deij, R., Jonker, M., Sperotto, A. (2022). A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers. In: Hohlfeld, O., Moura, G., Pelsser, C. (eds) Passive and Active Measurement. PAM 2022. Lecture Notes in Computer Science, vol 13210. Springer, Cham. https://doi.org/10.1007/978-3-030-98785-5_13
DOI: https://doi.org/10.1007/978-3-030-98785-5_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-98784-8
Online ISBN: 978-3-030-98785-5
eBook Packages: Computer Science (R0)