Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers

Abhishta Abhishta, Roland M. van Rijswijk-Deij, Lambert J.M. Nieuwenhuis

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

17 Downloads (Pure)

Abstract

Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds?
In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service's customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.
Original languageEnglish
Title of host publicationWTMC '18
Subtitle of host publicationProceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity
Place of PublicationNew York, NY, USA
PublisherACM Press
Pages1-7
Number of pages7
ISBN (Electronic)978-1-4503-5910-8
DOIs
Publication statusPublished - 2018

Fingerprint

Internet
Sales
Availability
Denial-of-service attack
Costs

Keywords

  • Customer behaviour
  • DDoS attacks
  • Domain Name System
  • Dyn
  • Economic Impact
  • NS1

Cite this

Abhishta, A., van Rijswijk-Deij, R. M., & Nieuwenhuis, L. J. M. (2018). Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers. In WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity (pp. 1-7). New York, NY, USA: ACM Press. https://doi.org/10.1145/3229598.3229599
Abhishta, Abhishta ; van Rijswijk-Deij, Roland M. ; Nieuwenhuis, Lambert J.M. / Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers. WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity. New York, NY, USA : ACM Press, 2018. pp. 1-7
@inproceedings{197b83ebadc94bcd900d57a1e517e87c,
title = "Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers",
abstract = "Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds?In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service's customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.",
keywords = "Customer behaviour, DDoS attacks, Domain Name System, Dyn, Economic Impact, NS1",
author = "Abhishta Abhishta and {van Rijswijk-Deij}, {Roland M.} and Nieuwenhuis, {Lambert J.M.}",
year = "2018",
doi = "10.1145/3229598.3229599",
language = "English",
pages = "1--7",
booktitle = "WTMC '18",
publisher = "ACM Press",

}

Abhishta, A, van Rijswijk-Deij, RM & Nieuwenhuis, LJM 2018, Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers. in WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity. ACM Press, New York, NY, USA, pp. 1-7. https://doi.org/10.1145/3229598.3229599

Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers. / Abhishta, Abhishta ; van Rijswijk-Deij, Roland M.; Nieuwenhuis, Lambert J.M.

WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity. New York, NY, USA : ACM Press, 2018. p. 1-7.

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

TY - GEN

T1 - Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers

AU - Abhishta, Abhishta

AU - van Rijswijk-Deij, Roland M.

AU - Nieuwenhuis, Lambert J.M.

PY - 2018

Y1 - 2018

N2 - Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds?In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service's customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.

AB - Distributed Denial-of-Service (DDoS) attacks continue to pose a serious threat to the availability of Internet services. The Domain Name System (DNS) is part of the core of the Internet and a crucial factor in the successful delivery of Internet services. Because of the importance of DNS, specialist service providers have sprung up in the market, that provide managed DNS services. One of their key selling points is that they protect DNS for a domain against DDoS attacks. But what if such a service becomes the target of a DDoS attack, and that attack succeeds?In this paper we analyse two such events, an attack on NS1 in May 2016, and an attack on Dyn in October 2016. We do this by analysing the change in the behaviour of the service's customers. For our analysis we leverage data from the OpenINTEL active DNS measurement system, which covers large parts of the global DNS over time. Our results show an almost immediate and statistically significant change in the behaviour of domains that use NS1 or Dyn as a DNS service provider. We observe a decline in the number of domains that exclusively use NS1 or Dyn as a managed DNS service provider, and see a shift toward risk spreading by using multiple providers. While a large managed DNS provider may be better equipped to protect against attacks, these two case studies show they are not impervious to them. This calls into question the wisdom of using a single provider for managed DNS. Our results show that spreading risk by using multiple providers is an effective countermeasure, albeit probably at a higher cost.

KW - Customer behaviour

KW - DDoS attacks

KW - Domain Name System

KW - Dyn

KW - Economic Impact

KW - NS1

U2 - 10.1145/3229598.3229599

DO - 10.1145/3229598.3229599

M3 - Conference contribution

SP - 1

EP - 7

BT - WTMC '18

PB - ACM Press

CY - New York, NY, USA

ER -

Abhishta A, van Rijswijk-Deij RM, Nieuwenhuis LJM. Measuring the Impact of a Successful DDoS Attack on the Customer Behaviour of Managed DNS Service Providers. In WTMC '18: Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity. New York, NY, USA: ACM Press. 2018. p. 1-7 https://doi.org/10.1145/3229598.3229599

Access to Document