Glossy Mirrors: On the Role of Open Resolvers in Reflection and Amplification DDoS Attacks

Ramin Yazdani, Max Resing, Anna Sperotto

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

22 Downloads (Pure)

Abstract

Open DNS resolvers are infamous contributors to DDoS attacks. Characteristics of open DNS resolvers have been studied in different aspects in the past. However, there is a gap in knowledge on the actual role of open resolvers acting involuntarily as DNS reflectors in DDoS attacks. In this paper, we study DNS reflectors in more than half a
million DDoS events using a large-scale DDoS telemetry dataset provided by a DDoS protection service provider with a global footprint. Our findings reveal that while the majority (∼79%) of reflectors misused in attacks are open resolvers capable of delivering large DNS responses, the contribution of reflectors with very small response sizes is not negligible either. Additionally, our analyses reveal that the distribution of misused open resolvers is biased toward certain countries and network operators, likely impacted by the IP churn of reflectors, while in terms of network types, there is no outstanding bias visible in an aggregated view. Finally, comparing the pool of misused open resolvers to the pool of all exposed and potentially abusable resolvers, the latter dwarfs the former, suggesting that the firepower of DNS-based DDoS attacks could substantially increase in the future.
Original languageEnglish
Title of host publication2024 20th International Conference on Network and Service Management (CNSM)
EditorsPál Varga, Pavel Čeleda, Tim Wauters, Mauro Tortonesi, Jérôme François, Jaime Galán Jiménez
PublisherInternational Federation for Information Processing (IFIP)
Number of pages9
Publication statusPublished - 2024

Fingerprint

Dive into the research topics of 'Glossy Mirrors: On the Role of Open Resolvers in Reflection and Amplification DDoS Attacks'. Together they form a unique fingerprint.

Cite this