A matter of degree: characterizing the amplification power of open DNS resolvers

Ramin Yazdani; Roland van Rijswijk-Deij; Mattijs Jonker; Anna Sperotto

doi:10.1007/978-3-030-98785-5_13

A matter of degree: characterizing the amplification power of open DNS resolvers

Ramin Yazdani, Roland van Rijswijk-Deij, Mattijs Jonker, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic › peer-review

1 Citation (Scopus)

21 Downloads (Pure)

Abstract

Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

Original language	English
Title of host publication	Passive and Active Network Measurement
Subtitle of host publication	23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings
Editors	Oliver Hohlfeld, Giovane Moura, Cristel Pelsser
Place of Publication	Cham
Publisher	Springer
Pages	293-318
Number of pages	26
ISBN (Electronic)	978-3-030-98785-5
ISBN (Print)	978-3-030-98784-8
DOIs	https://doi.org/10.1007/978-3-030-98785-5_13
Publication status	Published - 21 Mar 2022
Event	23rd Passive and Active Measurement Conference, PAM 2022 - Virtual Conference Duration: 28 Mar 2022 → 30 Mar 2022 Conference number: 23 https://pam2022.nl/

Conference

Conference	23rd Passive and Active Measurement Conference, PAM 2022
Abbreviated title	PAM 2022
City	Virtual Conference
Period	28/03/22 → 30/03/22
Internet address	https://pam2022.nl/

Keywords

22/4 OA procedure

Access to Document

10.1007/978-3-030-98785-5_13

ArticleFinal published version, 720 KBLicence: Taverne

https://www.youtube.com/watch?v=wRdFVnPv0ts

Cite this

Yazdani, R., Rijswijk-Deij, R. V., Jonker, M., & Sperotto, A. (2022). A matter of degree: characterizing the amplification power of open DNS resolvers. In O. Hohlfeld, G. Moura, & C. Pelsser (Eds.), Passive and Active Network Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings (pp. 293-318). Springer. https://doi.org/10.1007/978-3-030-98785-5_13

Yazdani, Ramin ; Rijswijk-Deij, Roland van ; Jonker, Mattijs et al. / A matter of degree : characterizing the amplification power of open DNS resolvers. Passive and Active Network Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings. editor / Oliver Hohlfeld ; Giovane Moura ; Cristel Pelsser. Cham : Springer, 2022. pp. 293-318

@inbook{b79d4984d8be447bbb8a41a4cd3eef22,

title = "A matter of degree: characterizing the amplification power of open DNS resolvers",

abstract = "Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.",

keywords = "22/4 OA procedure",

author = "Ramin Yazdani and Rijswijk-Deij, {Roland van} and Mattijs Jonker and Anna Sperotto",

note = "Funding Information: Acknowledgments. We would like to thank the anonymous PAM reviewers for their valuable feedback on our paper. This research is funded by the EU H2020 projects CONCORDIA (#830927) and partially funded by SIDNfonds. Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 23rd Passive and Active Measurement Conference, PAM 2022, PAM 2022 ; Conference date: 28-03-2022 Through 30-03-2022",

year = "2022",

month = mar,

day = "21",

doi = "10.1007/978-3-030-98785-5_13",

language = "English",

isbn = "978-3-030-98784-8",

pages = "293--318",

editor = "Oliver Hohlfeld and Giovane Moura and Cristel Pelsser",

booktitle = "Passive and Active Network Measurement",

publisher = "Springer",

url = "https://pam2022.nl/",

}

Yazdani, R, Rijswijk-Deij, RV , Jonker, M & Sperotto, A 2022, A matter of degree: characterizing the amplification power of open DNS resolvers. in O Hohlfeld, G Moura & C Pelsser (eds), Passive and Active Network Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings. Springer, Cham, pp. 293-318, 23rd Passive and Active Measurement Conference, PAM 2022, Virtual Conference, 28/03/22. https://doi.org/10.1007/978-3-030-98785-5_13

A matter of degree : characterizing the amplification power of open DNS resolvers. / Yazdani, Ramin; Rijswijk-Deij, Roland van ; Jonker, Mattijs et al.

Passive and Active Network Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings. ed. / Oliver Hohlfeld; Giovane Moura; Cristel Pelsser. Cham : Springer, 2022. p. 293-318.

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic › peer-review

TY - CHAP

T1 - A matter of degree

T2 - 23rd Passive and Active Measurement Conference, PAM 2022

AU - Yazdani, Ramin

AU - Rijswijk-Deij, Roland van

AU - Jonker, Mattijs

AU - Sperotto, Anna

N1 - Conference code: 23

PY - 2022/3/21

Y1 - 2022/3/21

N2 - Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

AB - Open DNS resolvers are widely misused to bring about reflection and amplification DDoS attacks. Indiscriminate efforts to address the issue and take down all resolvers have not fully resolved the problem, and millions of open resolvers still remain available to date, providing attackers with enough options. This brings forward the question if we should not instead focus on eradicating the most problematic resolvers, rather than all open resolvers indiscriminately. Contrary to existing studies, which focus on quantifying the existence of open resolvers, this paper focuses on infrastructure diversity and aims at characterizing open resolvers in terms of their ability to bring about varying attack strengths. Such a characterization brings nuances to the problem of open resolvers and their role in amplification attacks, as it allows for more problematic resolvers to be identified. Our findings show that the population of open resolvers lies above 2.6M range over our one-year measurement period. On the positive side, we observe that the majority of identified open resolvers cut out when dealing with bulky and DNSSEC-related queries, thereby limiting their potential as amplifiers. We show, for example, that 59% of open resolvers lack DNSSEC support. On the downside, we see that a non-negligible number of open resolvers facilitate large responses to ANY and TXT queries (8.1% and 3.4% on average, respectively), which stands to benefit attackers. Finally we show that by removing around 20% of potent resolvers the global DNS amplification potential can be reduced by up to 80%.

KW - 22/4 OA procedure

U2 - 10.1007/978-3-030-98785-5_13

DO - 10.1007/978-3-030-98785-5_13

M3 - Chapter

SN - 978-3-030-98784-8

SP - 293

EP - 318

BT - Passive and Active Network Measurement

A2 - Hohlfeld, Oliver

A2 - Moura, Giovane

A2 - Pelsser, Cristel

PB - Springer

CY - Cham

Y2 - 28 March 2022 through 30 March 2022

ER -

Yazdani R, Rijswijk-Deij RV , Jonker M , Sperotto A. A matter of degree: characterizing the amplification power of open DNS resolvers. In Hohlfeld O, Moura G, Pelsser C, editors, Passive and Active Network Measurement: 23rd International Conference, PAM 2022, Virtual Event, March 28–30, 2022, Proceedings. Cham: Springer. 2022. p. 293-318 doi: 10.1007/978-3-030-98785-5_13

A matter of degree: characterizing the amplification power of open DNS resolvers

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this