Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

Ramin Yazdani; Alden Hilton; Jeroen van der Ham; Roland Martijn van Rijswijk - Deij; Cassey Deccio; Anna Sperotto; Mattijs Jonker

doi:10.1145/3545948.3545959

Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

Ramin Yazdani
, Alden Hilton
, Jeroen van der Ham
, Roland Martijn van Rijswijk - Deij
, Cassey Deccio
, Anna Sperotto
, Mattijs Jonker

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

7 Citations (Scopus)

174 Downloads (Pure)

Abstract

Clouds are likely to be well-provisioned in terms of network capacity by design. The rapid growth of cloud-based services means an increased availability of network infrastructure for all types of customers. However, it could also provide attackers opportunity to misuse cloud infrastructure to bring about attacks, or to target the cloud infrastructure itself.

In this paper we study, focusing on DNS-based reflection DDoS attacks, how cloud networks can be misused to carry out attacks, with possible consequences for the internal cloud infrastructure itself. A straightforward way to misuse cloud infrastructure would be to host open DNS resolvers in the cloud – a phenomenon that we quantify in the paper. More importantly, we structurally analyze how the internal DNS infrastructure of a cloud can be misused. The novelty of this paper lies in identifying and formalizing six attack models for how DNS cloud infrastructure can be abused to bring about reflection attacks, and testing these increasingly complex and progressively specific models against real cloud providers.

Our findings reveal that a steady average of 12% of open DNS resolvers are hosted in cloud or datacenter networks, which gives them well-provisioned network access. Much more worryingly, our results reveal that a number of providers, several of which among market leaders, expose parts of their DNS infrastructure to outsiders, allowing abuse against a provider’s infrastructure, its customers, as well as hosts in external networks. In the course of our study, we responsibly disclosed our findings to these providers.

Original language	English
Title of host publication	Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
Place of Publication	New York, NY, USA
Publisher	Association for Computing Machinery
Pages	263-275
Number of pages	13
ISBN (Electronic)	9781450397049
DOIs	https://doi.org/10.1145/3545948.3545959
Publication status	Published - 26 Oct 2022
Event	25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022 - Limassol, Cyprus Duration: 26 Oct 2022 → 28 Oct 2022 Conference number: 25 https://raid2022.cs.ucy.ac.cy/

Conference

Conference	25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
Abbreviated title	RAID 2022
Country/Territory	Cyprus
City	Limassol
Period	26/10/22 → 28/10/22
Internet address	https://raid2022.cs.ucy.ac.cy/

Keywords

cloud networks, DDoS, spoofing, DNS-based reflection

Access to Document

10.1145/3545948.3545959Licence: CC BY-NC-SA

3545948.3545959Final published version, 1.14 MBLicence: CC BY-NC-SA

Cite this

Yazdani, R., Hilton, A., van der Ham, J., van Rijswijk - Deij, R. M., Deccio, C., Sperotto, A., & Jonker, M. (2022). Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses (pp. 263-275). Association for Computing Machinery. https://doi.org/10.1145/3545948.3545959

@inproceedings{0856cb7ebff74ec7acd9e9ca242e101b,

title = "Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks",

abstract = "Clouds are likely to be well-provisioned in terms of network capacity by design. The rapid growth of cloud-based services means an increased availability of network infrastructure for all types of customers. However, it could also provide attackers opportunity to misuse cloud infrastructure to bring about attacks, or to target the cloud infrastructure itself. In this paper we study, focusing on DNS-based reflection DDoS attacks, how cloud networks can be misused to carry out attacks, with possible consequences for the internal cloud infrastructure itself. A straightforward way to misuse cloud infrastructure would be to host open DNS resolvers in the cloud – a phenomenon that we quantify in the paper. More importantly, we structurally analyze how the internal DNS infrastructure of a cloud can be misused. The novelty of this paper lies in identifying and formalizing six attack models for how DNS cloud infrastructure can be abused to bring about reflection attacks, and testing these increasingly complex and progressively specific models against real cloud providers. Our findings reveal that a steady average of 12\% of open DNS resolvers are hosted in cloud or datacenter networks, which gives them well-provisioned network access. Much more worryingly, our results reveal that a number of providers, several of which among market leaders, expose parts of their DNS infrastructure to outsiders, allowing abuse against a provider{\textquoteright}s infrastructure, its customers, as well as hosts in external networks. In the course of our study, we responsibly disclosed our findings to these providers.",

keywords = "cloud networks, DDoS, spoofing, DNS-based reflection",

author = "Ramin Yazdani and Alden Hilton and \{van der Ham\}, Jeroen and \{van Rijswijk - Deij\}, \{Roland Martijn\} and Cassey Deccio and Anna Sperotto and Mattijs Jonker",

note = "Funding Information: We would like to thank the anonymous reviewers for their valuable feedback on our paper. We gratefully acknowledge CAIDA for providing us access to their infrastructure to carry out part of our experiment. This research is partially funded by the EU H2020 project CONCORDIA (\#830927), by the SIDNfonds, and by the Comcast Innovation Fund. Publisher Copyright: {\textcopyright} 2022 Owner/Author.; 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022, RAID 2022 ; Conference date: 26-10-2022 Through 28-10-2022",

year = "2022",

month = oct,

day = "26",

doi = "10.1145/3545948.3545959",

language = "English",

pages = "263--275",

booktitle = "Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses",

publisher = "Association for Computing Machinery",

address = "United States",

url = "https://raid2022.cs.ucy.ac.cy/",

}

Yazdani, R, Hilton, A, van der Ham, J , van Rijswijk - Deij, RM, Deccio, C, Sperotto, A & Jonker, M 2022, Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. in Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses. Association for Computing Machinery, New York, NY, USA, pp. 263-275, 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022, Limassol, Cyprus, 26/10/22. https://doi.org/10.1145/3545948.3545959

Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. / Yazdani, Ramin; Hilton, Alden; van der Ham, Jeroen et al.
Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses. New York, NY, USA: Association for Computing Machinery, 2022. p. 263-275.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

AU - Yazdani, Ramin

AU - Hilton, Alden

AU - van der Ham, Jeroen

AU - van Rijswijk - Deij, Roland Martijn

AU - Deccio, Cassey

AU - Sperotto, Anna

AU - Jonker, Mattijs

N1 - Conference code: 25

PY - 2022/10/26

Y1 - 2022/10/26

N2 - Clouds are likely to be well-provisioned in terms of network capacity by design. The rapid growth of cloud-based services means an increased availability of network infrastructure for all types of customers. However, it could also provide attackers opportunity to misuse cloud infrastructure to bring about attacks, or to target the cloud infrastructure itself. In this paper we study, focusing on DNS-based reflection DDoS attacks, how cloud networks can be misused to carry out attacks, with possible consequences for the internal cloud infrastructure itself. A straightforward way to misuse cloud infrastructure would be to host open DNS resolvers in the cloud – a phenomenon that we quantify in the paper. More importantly, we structurally analyze how the internal DNS infrastructure of a cloud can be misused. The novelty of this paper lies in identifying and formalizing six attack models for how DNS cloud infrastructure can be abused to bring about reflection attacks, and testing these increasingly complex and progressively specific models against real cloud providers. Our findings reveal that a steady average of 12% of open DNS resolvers are hosted in cloud or datacenter networks, which gives them well-provisioned network access. Much more worryingly, our results reveal that a number of providers, several of which among market leaders, expose parts of their DNS infrastructure to outsiders, allowing abuse against a provider’s infrastructure, its customers, as well as hosts in external networks. In the course of our study, we responsibly disclosed our findings to these providers.

AB - Clouds are likely to be well-provisioned in terms of network capacity by design. The rapid growth of cloud-based services means an increased availability of network infrastructure for all types of customers. However, it could also provide attackers opportunity to misuse cloud infrastructure to bring about attacks, or to target the cloud infrastructure itself. In this paper we study, focusing on DNS-based reflection DDoS attacks, how cloud networks can be misused to carry out attacks, with possible consequences for the internal cloud infrastructure itself. A straightforward way to misuse cloud infrastructure would be to host open DNS resolvers in the cloud – a phenomenon that we quantify in the paper. More importantly, we structurally analyze how the internal DNS infrastructure of a cloud can be misused. The novelty of this paper lies in identifying and formalizing six attack models for how DNS cloud infrastructure can be abused to bring about reflection attacks, and testing these increasingly complex and progressively specific models against real cloud providers. Our findings reveal that a steady average of 12% of open DNS resolvers are hosted in cloud or datacenter networks, which gives them well-provisioned network access. Much more worryingly, our results reveal that a number of providers, several of which among market leaders, expose parts of their DNS infrastructure to outsiders, allowing abuse against a provider’s infrastructure, its customers, as well as hosts in external networks. In the course of our study, we responsibly disclosed our findings to these providers.

KW - cloud networks, DDoS, spoofing, DNS-based reflection

U2 - 10.1145/3545948.3545959

DO - 10.1145/3545948.3545959

M3 - Conference contribution

SP - 263

EP - 275

BT - Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses

PB - Association for Computing Machinery

CY - New York, NY, USA

T2 - 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022

Y2 - 26 October 2022 through 28 October 2022

ER -

Yazdani R, Hilton A, van der Ham J , van Rijswijk - Deij RM, Deccio C, Sperotto A et al. Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks. In Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses. New York, NY, USA: Association for Computing Machinery. 2022. p. 263-275 doi: 10.1145/3545948.3545959

Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this