ANYway: Measuring the Amplification DDoS Potential of Domains

Olivier van der Toorn, Johannes Krupp, Mattijs Jonker, Roland Martijn van Rijswijk-Deij, Christian Rossow, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

6 Citations (Scopus)
239 Downloads (Pure)

Abstract

DDoS attacks threaten Internet security and stability, with attacks reaching the Tbps range. A popular approach involves DNS-based reflection and amplification, a type of attack in which a domain name, known to return a large answer, is queried using spoofed requests. Do the chosen names offer the largest amplification, however, or have we yet to see the full amplification potential? And while operational countermeasures are proposed, chiefly limiting responses to ‘ANY’ queries, up to what point will these countermeasures be effective? In this paper we make three main contributions. First, we propose and validate a scalable method to estimate the amplification potential of a domain name, based on the expected ANY response size. Second, we create estimates for hundreds of millions of domain names and rank them by their amplification potential. By comparing the overall ranking to the set of domains observed in actual attacks in honeypot data, we show whether attackers are using the most-potent domains for their attacks, or if we may expect larger attacks in the future. Finally, we evaluate the effectiveness of blocking ANY queries, as proposed by the IETF, to limit DNS-based DDoS attacks, by estimating the decrease in attack volume when switching from ANY to other query types. Our results show that by blocking ANY, the response size of domains observed in attacks can be reduced by 57%, and the size of most-potent domains decreases by 69%. However, we also show that dropping ANY is not an absolute solution to DNS-based DDoS, as a small but potent portion of domains remains, leading to an expected response size of over 2,048 bytes to queries other than ANY.
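Added worked example, not code from the paper or its authors: a standard-library Python estimator that mirrors the measurement the abstract describes, the expected wire size of a name's ANY answer set against the size of its largest single-type answer, and therefore what refusing ANY (the IETF proposal is RFC 8482, minimal-sized responses to ANY) removes and what remains. Every name, record and key length is a constructed placeholder. The size model assumes EDNS0 queries, pointer-compressed owner names and uncompressed names inside RDATA, so it is an estimate rather than a packet capture.

```python
"""Estimate a domain's DNS amplification potential from its record set.

Added example (standard library only), not code from the ANYway paper. It
models the abstract's idea: a name's amplification potential follows from the
expected wire size of its ANY answer, and what survives ANY blocking is the
size of its largest single-type answer. Names, records and key lengths below
are constructed placeholders, not real zone data.
"""
import struct

HEADER = 12                # DNS message header
OPT_RR = 11                # EDNS0 OPT pseudo-RR (root name, type, UDP size, TTL, rdlen)
OWNER_PTR = 2              # owner name in the answer compressed to a pointer
RR_FIXED = OWNER_PTR + 10  # plus type, class, TTL, rdlength


def encode_name(name):
    """Wire-encode a domain name without compression (upper bound on size)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def encode_rdata(rtype, rdata):
    """Wire-encode RDATA for the record types this example supports."""
    if rtype == "A":
        return bytes(int(octet) for octet in rdata.split("."))
    if rtype == "AAAA":
        return bytes(16)  # only the size matters here; placeholder address bytes
    if rtype == "NS":
        return encode_name(rdata)
    if rtype == "MX":
        preference, exchange = rdata
        return struct.pack("!H", preference) + encode_name(exchange)
    if rtype == "TXT":
        # one <length><string> chunk per string, each at most 255 bytes
        return b"".join(struct.pack("B", len(s)) + s.encode("ascii") for s in rdata)
    if rtype == "DNSKEY":
        flags, keylen = rdata  # flags, protocol 3, algorithm 8, placeholder key bytes
        return struct.pack("!HBB", flags, 3, 8) + bytes(keylen)
    raise ValueError("unsupported record type: " + rtype)


def query_size(name, edns=True):
    """Bytes on the wire for a minimal query: header + question (+ OPT)."""
    return HEADER + len(encode_name(name)) + 4 + (OPT_RR if edns else 0)


def response_size(name, rrs, qtype, edns=True):
    """Expected wire size of the answer for qtype; ANY returns every RRset."""
    answers = rrs if qtype == "ANY" else [r for r in rrs if r[0] == qtype]
    size = HEADER + len(encode_name(name)) + 4 + (OPT_RR if edns else 0)
    for rtype, rdata in answers:
        size += RR_FIXED + len(encode_rdata(rtype, rdata))
    return size


def amplification(name, rrs, qtype):
    """Bandwidth amplification factor: response bytes per query byte."""
    return response_size(name, rrs, qtype) / query_size(name)


def any_blocking_effect(name, rrs):
    """If ANY is refused, which single type is most potent and how much is saved."""
    any_size = response_size(name, rrs, "ANY")
    best = max({r[0] for r in rrs}, key=lambda t: response_size(name, rrs, t))
    best_size = response_size(name, rrs, best)
    reduction = 100.0 * (any_size - best_size) / any_size
    return any_size, best, best_size, round(reduction, 1)


# Constructed zone: an ordinary DNSSEC-signed domain (RRSIGs left out).
TYPICAL = [
    ("A", "192.0.2.10"), ("A", "192.0.2.11"),
    ("AAAA", "2001:db8::10"),
    ("NS", "ns1.example.test."), ("NS", "ns2.example.test."),
    ("MX", (10, "mail.example.test.")),
    ("TXT", ["v=spf1 include:_spf.example.test -all"]),
    ("DNSKEY", (257, 260)),  # KSK; a 2048-bit RSA public key is 260 bytes (e=65537)
    ("DNSKEY", (256, 132)),  # ZSK; a 1024-bit RSA public key is 132 bytes
]
# Constructed zone that stays potent without ANY: ten maximal TXT strings.
TXT_HEAVY = [("TXT", ["x" * 255]) for _ in range(10)]

if __name__ == "__main__":
    for label, zone in (("typical", TYPICAL), ("txt-heavy", TXT_HEAVY)):
        any_size, best, best_size, cut = any_blocking_effect("example.test.", zone)
        print(f"{label}: ANY={any_size}B (x{amplification('example.test.', zone, 'ANY'):.1f}), "
              f"without ANY the worst type is {best}={best_size}B, reduction {cut}%")
```

On the constructed signed zone the ANY answer is dominated by the DNSKEY RRset, so refusing ANY cuts the response by roughly 30% while a plain DNSKEY query still amplifies the 41-byte query more than elevenfold; the TXT-heavy zone answers a TXT query with more than 2,048 bytes, the case the abstract flags as surviving ANY blocking. A real measurement also has to count RRSIGs, which often dominate signed ANY answers, and the authoritative server's actual compression and truncation behaviour.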
Original language: English
Title of host publication: 2021 17th International Conference on Network and Service Management (CNSM)
Place of Publication: Piscataway, NJ
Publisher: IEEE
Number of pages: 9
ISBN (Electronic): 978-3-903176-36-2
ISBN (Print): 978-1-6654-2457-8
DOIs
Publication status: Published - 25 Oct 2021
Event: 17th International Conference on Network and Service Management, CNSM 2021 - Izmir, Turkey
Duration: 25 Oct 2021 to 29 Oct 2021
Conference number: 17

Publication series

Name: International Conference on Network and Service Management (CNSM)
Publisher: IEEE
Volume: 2021
ISSN (Print): 2165-9605
ISSN (Electronic): 2165-963X

Conference

Conference: 17th International Conference on Network and Service Management, CNSM 2021
Abbreviated title: CNSM
Country/Territory: Turkey
City: Izmir
Period: 25/10/21 to 29/10/21
