26–27 Oct 2024
Clarion Congress Hotel Prague
Europe/Prague timezone

Characterizing the DDoS Amplification Power of Open DNS Resolvers to Facilitate Prioritized Mitigation

27 Oct 2024, 11:15
10m
Tycho/Kepler Rooms (Clarion Congress Hotel Prague)

Freyova 33, Praha 9 - Vysočany, 190 00, Česká republika
In-person, Panel, Main Session, Session 2

Speaker

Ramin Yazdani (University of Twente)

Description

Distributed Denial of Service (DDoS) attacks have been a persistent and ever-growing threat to the availability of networks and services on the Internet. Reflection & Amplification (R&A) is one of the most popular DDoS attack types, and DNS is one of the most common vectors for it. DNS-based DDoS attacks typically misuse open DNS resolvers by sending them queries with spoofed source addresses. The resolvers in turn send a response (typically larger than the query) to the victim and, acting in concert, can exhaust the victim's network capacity or its upstream infrastructure.

Despite many efforts to patch exposed open resolvers, the shrinkage of their pool has slowed down, and there is still a long tail of millions of open resolvers available on the Internet. As we show in [1], the majority (∼99%) of open resolvers are likely exposed unintentionally. We therefore argue that the pool of exposed open resolvers is unlikely to shrink substantially in the near future.

Open resolvers are, however, not equally powerful in delivering DDoS attack traffic. For example, a CPE running an open resolver in a household with limited network connectivity is unlikely to keep up with delivering bursts of attack traffic, while a host in a datacenter likely has ample misusable link capacity. In other work [2], we show that a sizable subset (∼12%) of open resolvers run in datacenter networks. Even where open resolvers do not suffer from limited link capacity, other factors can limit their firepower. One such factor is the internal configuration of open resolvers, which makes certain resolvers capable of answering specific queries with large responses. We investigate this in [3] and show that the collective bandwidth amplification power of open resolvers can be reduced by ∼80% by patching the top 20% most potent ones. Several phenomena in the network can also indirectly affect the amplification power of open resolvers. We studied this in [4] and show that certain artifacts in the network, such as directed IP broadcast, can ramp up the amplification power of open resolvers by multiple orders of magnitude. Considering the diversity we observe in the amplification power of open resolvers, we advocate prioritized take-downs rather than treating all of them alike. This could proactively and efficiently reduce the exposed reflection and amplification potential.
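To make the prioritized-mitigation argument concrete, the following example code (added here; not from the paper or its authors) ranks resolvers by their measured bandwidth amplification factor (BAF, response bytes per query byte) and computes how much of the collective amplification potential is removed by remediating the most potent fraction first. The measurement records are constructed for illustration; the ∼80%/20% figures quoted above come from [3], not from this sample.

```python
"""Rank open resolvers by bandwidth amplification factor (BAF) and estimate
how much collective amplification is removed by remediating the top fraction.
Added example; the measurements below are constructed, not real scan data."""
import math
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ResolverMeasurement:
    ip: str              # placeholder address (constructed, not a real resolver)
    query_bytes: int     # on-the-wire size of the measurement query
    response_bytes: int  # on-the-wire size of the largest response observed


# Constructed sample: a skewed population, as a few resolvers answer
# with very large responses while most return modest ones.
SAMPLE: List[ResolverMeasurement] = [
    ResolverMeasurement("203.0.113.1", 50, 4000),
    ResolverMeasurement("203.0.113.2", 50, 3500),
    ResolverMeasurement("203.0.113.3", 50, 1500),
    ResolverMeasurement("203.0.113.4", 50, 800),
    ResolverMeasurement("203.0.113.5", 50, 500),
    ResolverMeasurement("203.0.113.6", 50, 400),
    ResolverMeasurement("203.0.113.7", 50, 300),
    ResolverMeasurement("203.0.113.8", 50, 200),
    ResolverMeasurement("203.0.113.9", 50, 150),
    ResolverMeasurement("203.0.113.10", 50, 100),
]


def baf(m: ResolverMeasurement) -> float:
    """Bandwidth amplification factor: response bytes per query byte."""
    if m.query_bytes <= 0:
        raise ValueError("query size must be positive")
    return m.response_bytes / m.query_bytes


def rank_by_baf(measurements: List[ResolverMeasurement]) -> List[ResolverMeasurement]:
    """Most potent resolvers first: this is the remediation priority order."""
    return sorted(measurements, key=baf, reverse=True)


def amplification_share_of_top(measurements: List[ResolverMeasurement],
                               fraction: float) -> float:
    """Share of the collective BAF held by the top `fraction` of resolvers."""
    ranked = rank_by_baf(measurements)
    total = sum(baf(m) for m in ranked)
    k = math.ceil(len(ranked) * fraction)
    return sum(baf(m) for m in ranked[:k]) / total


def resolvers_to_patch_for_reduction(measurements: List[ResolverMeasurement],
                                     target: float) -> int:
    """Smallest number of top-ranked resolvers whose remediation removes at
    least `target` of the collective amplification potential."""
    ranked = rank_by_baf(measurements)
    total = sum(baf(m) for m in ranked)
    removed = 0.0
    for count, m in enumerate(ranked, start=1):
        removed += baf(m)
        if removed / total >= target:
            return count
    return len(ranked)


if __name__ == "__main__":
    for m in rank_by_baf(SAMPLE):
        print(f"{m.ip:14} BAF={baf(m):6.1f}")
    print(f"top 20% hold {amplification_share_of_top(SAMPLE, 0.2):.1%} of amplification")
    print(f"patch {resolvers_to_patch_for_reduction(SAMPLE, 0.8)} resolvers to remove 80%")
```

In this constructed population the two most potent resolvers (20%) already account for about 65% of the collective BAF, and four remediations reach the 80% mark; on real data the cut-off comes from the measured distribution, and link capacity (the datacenter versus CPE distinction above) would be a second ranking key once it is measured.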

Finally, the pool of exposed open resolvers is larger, by multiple orders of magnitude, than the number of reflectors typically misused in attacks in practice. This raises the question of whether there is any rationale behind the selection of the exploited reflecting infrastructure. Given the diversity in the open resolver population, it stands to reason that DDoS attacks could be more efficient if attackers leveraged reflectors with higher amplification power. To quantify this, we investigate real-life DDoS attacks to learn about the reflector selection practices attackers follow. Our findings reveal that attackers do not yet leverage the full power of DNS reflectors, neither in terms of the number of misused reflectors nor in terms of the amplification potential of each reflector. This means that we can expect attacks to become even more powerful in the future if we do not act in time to reduce the exposed reflection potential.

[1] R. Yazdani, M. Jonker and A. Sperotto. Swamp of Reflectors: Investigating the Ecosystem of Open DNS Resolvers. In Proceedings of the International Conference on Passive and Active Network Measurement (PAM '24), doi: 10.1007/978-3-031-56252-5_1.

[2] R. Yazdani, A. Hilton, J. van der Ham-de Vos, R. van Rijswijk-Deij, C. Deccio, A. Sperotto and M. Jonker. Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID '22), doi: 10.1145/3545948.3545959.

[3] R. Yazdani, R. van Rijswijk-Deij, M. Jonker and A. Sperotto. A Matter of Degree: Characterizing the Amplification Power of Open DNS Resolvers. In Proceedings of the International Conference on Passive and Active Network Measurement (PAM '22), doi: 10.1007/978-3-030-98785-5_13.

[4] R. Yazdani, Y. Nosyk, R. Holz, M. Korczyński, M. Jonker and A. Sperotto. Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute. In Proceedings of the 7th Network Traffic Measurement and Analysis Conference (TMA '23), doi: 10.23919/TMA58422.2023.10198955.

Talk duration: 10 minutes (+ discussion panel time)

Primary author

Ramin Yazdani (University of Twente)