On the potential of IPv6 open resolvers for DDoS attacks

Luuk Hendriks, Ricardo de Oliveira Schmidt, Roland van Rijswijk-Deij, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    2 Citations (Scopus)

    Abstract

    Distributed Denial of Service (DDoS) attacks have become a daily problem in today’s Internet. These attacks aim at overwhelm- ing online services or network infrastrucure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers. This problem can be further aggravated in the near future by the increasing number of IPv6-enabled services in the Internet. Given that the deployment of IPv6-enabled services is increasing, it becomes impor- tant to find vulnerable IPv6 open services that could be (mis)used by attackers, and prevent that misuse. However, unlike with IPv4, simply scanning the IPv6 address space to find these open services is impractical. In this paper we present an active measurement approach to enumer- ate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack. Based on the assumption that IPv6 open resolvers can be found via IPv4 ones, we show that IPv6-based amplified DDoS attacks are a significantly potential threat in the Inter- net: the analyzed resolvers, of which 72% are assumingly infrastructural servers, showed a median amplification factor of 50. 1
    Original languageEnglish
    Title of host publicationPassive and Active Measurement
    Subtitle of host publication18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings
    EditorsMohamed Ali Kaafar, Steve Uhlig, Johanna Amann
    Place of PublicationCham
    PublisherSpringer
    Pages17-29
    Number of pages13
    ISBN (Electronic)978-3-319-54328-4
    ISBN (Print)978-3-319-54327-7
    DOIs
    Publication statusPublished - 2017
    Event18th International Conference Passive and Active Measurement, PAM 2017 - Sydney, Australia
    Duration: 30 Mar 201730 Mar 2017
    Conference number: 18

    Publication series

    NameLecture Notes in Computer Science
    PublisherSpringer
    Volume10176
    ISSN (Print)0302-9743
    ISSN (Electronic)1611-3349
    NameLecture Notes in Computer Communication Networks and Telecommunications
    PublisherSpringer

    Conference

    Conference18th International Conference Passive and Active Measurement, PAM 2017
    Abbreviated titlePAM
    CountryAustralia
    CitySydney
    Period30/03/1730/03/17

    Fingerprint

    Internet
    Amplification
    Servers
    Scanning
    Denial-of-service attack

    Keywords

    • Open Resolver
    • Domain Name System
    • IPv6 Address
    • Response Size
    • Shared Cache

    Cite this

    Hendriks, L., de Oliveira Schmidt, R., van Rijswijk-Deij, R., & Pras, A. (2017). On the potential of IPv6 open resolvers for DDoS attacks. In M. A. Kaafar, S. Uhlig, & J. Amann (Eds.), Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings (pp. 17-29). (Lecture Notes in Computer Science; Vol. 10176), (Lecture Notes in Computer Communication Networks and Telecommunications). Cham: Springer. https://doi.org/10.1007/978-3-319-54328-4_2
    Hendriks, Luuk ; de Oliveira Schmidt, Ricardo ; van Rijswijk-Deij, Roland ; Pras, Aiko . / On the potential of IPv6 open resolvers for DDoS attacks. Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings. editor / Mohamed Ali Kaafar ; Steve Uhlig ; Johanna Amann. Cham : Springer, 2017. pp. 17-29 (Lecture Notes in Computer Science). (Lecture Notes in Computer Communication Networks and Telecommunications).
    @inproceedings{b40bc12309444f21b83aed79b905554f,
    title = "On the potential of IPv6 open resolvers for DDoS attacks",
    abstract = "Distributed Denial of Service (DDoS) attacks have become a daily problem in today’s Internet. These attacks aim at overwhelm- ing online services or network infrastrucure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers. This problem can be further aggravated in the near future by the increasing number of IPv6-enabled services in the Internet. Given that the deployment of IPv6-enabled services is increasing, it becomes impor- tant to find vulnerable IPv6 open services that could be (mis)used by attackers, and prevent that misuse. However, unlike with IPv4, simply scanning the IPv6 address space to find these open services is impractical. In this paper we present an active measurement approach to enumer- ate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack. Based on the assumption that IPv6 open resolvers can be found via IPv4 ones, we show that IPv6-based amplified DDoS attacks are a significantly potential threat in the Inter- net: the analyzed resolvers, of which 72{\%} are assumingly infrastructural servers, showed a median amplification factor of 50. 1",
    keywords = "Open Resolver, Domain Name System, IPv6 Address, Response Size, Shared Cache",
    author = "Luuk Hendriks and {de Oliveira Schmidt}, Ricardo and {van Rijswijk-Deij}, Roland and Aiko Pras",
    year = "2017",
    doi = "10.1007/978-3-319-54328-4_2",
    language = "English",
    isbn = "978-3-319-54327-7",
    series = "Lecture Notes in Computer Science",
    publisher = "Springer",
    pages = "17--29",
    editor = "Kaafar, {Mohamed Ali} and Steve Uhlig and Johanna Amann",
    booktitle = "Passive and Active Measurement",

    }

    Hendriks, L, de Oliveira Schmidt, R, van Rijswijk-Deij, R & Pras, A 2017, On the potential of IPv6 open resolvers for DDoS attacks. in MA Kaafar, S Uhlig & J Amann (eds), Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10176, Lecture Notes in Computer Communication Networks and Telecommunications, Springer, Cham, pp. 17-29, 18th International Conference Passive and Active Measurement, PAM 2017, Sydney, Australia, 30/03/17. https://doi.org/10.1007/978-3-319-54328-4_2

    On the potential of IPv6 open resolvers for DDoS attacks. / Hendriks, Luuk ; de Oliveira Schmidt, Ricardo ; van Rijswijk-Deij, Roland; Pras, Aiko .

    Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings. ed. / Mohamed Ali Kaafar; Steve Uhlig; Johanna Amann. Cham : Springer, 2017. p. 17-29 (Lecture Notes in Computer Science; Vol. 10176), (Lecture Notes in Computer Communication Networks and Telecommunications).

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    TY - GEN

    T1 - On the potential of IPv6 open resolvers for DDoS attacks

    AU - Hendriks, Luuk

    AU - de Oliveira Schmidt, Ricardo

    AU - van Rijswijk-Deij, Roland

    AU - Pras, Aiko

    PY - 2017

    Y1 - 2017

    N2 - Distributed Denial of Service (DDoS) attacks have become a daily problem in today’s Internet. These attacks aim at overwhelm- ing online services or network infrastrucure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers. This problem can be further aggravated in the near future by the increasing number of IPv6-enabled services in the Internet. Given that the deployment of IPv6-enabled services is increasing, it becomes impor- tant to find vulnerable IPv6 open services that could be (mis)used by attackers, and prevent that misuse. However, unlike with IPv4, simply scanning the IPv6 address space to find these open services is impractical. In this paper we present an active measurement approach to enumer- ate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack. Based on the assumption that IPv6 open resolvers can be found via IPv4 ones, we show that IPv6-based amplified DDoS attacks are a significantly potential threat in the Inter- net: the analyzed resolvers, of which 72% are assumingly infrastructural servers, showed a median amplification factor of 50. 1

    AB - Distributed Denial of Service (DDoS) attacks have become a daily problem in today’s Internet. These attacks aim at overwhelm- ing online services or network infrastrucure. Some DDoS attacks explore open services to perform reflected and amplified attacks; and the DNS is one of the most (mis)used systems by attackers. This problem can be further aggravated in the near future by the increasing number of IPv6-enabled services in the Internet. Given that the deployment of IPv6-enabled services is increasing, it becomes impor- tant to find vulnerable IPv6 open services that could be (mis)used by attackers, and prevent that misuse. However, unlike with IPv4, simply scanning the IPv6 address space to find these open services is impractical. In this paper we present an active measurement approach to enumer- ate a relevant list of open resolvers on IPv6 in the wild that could be potentially exploited in a DDoS attack. Based on the assumption that IPv6 open resolvers can be found via IPv4 ones, we show that IPv6-based amplified DDoS attacks are a significantly potential threat in the Inter- net: the analyzed resolvers, of which 72% are assumingly infrastructural servers, showed a median amplification factor of 50. 1

    KW - Open Resolver

    KW - Domain Name System

    KW - IPv6 Address

    KW - Response Size

    KW - Shared Cache

    U2 - 10.1007/978-3-319-54328-4_2

    DO - 10.1007/978-3-319-54328-4_2

    M3 - Conference contribution

    SN - 978-3-319-54327-7

    T3 - Lecture Notes in Computer Science

    SP - 17

    EP - 29

    BT - Passive and Active Measurement

    A2 - Kaafar, Mohamed Ali

    A2 - Uhlig, Steve

    A2 - Amann, Johanna

    PB - Springer

    CY - Cham

    ER -

    Hendriks L, de Oliveira Schmidt R, van Rijswijk-Deij R, Pras A. On the potential of IPv6 open resolvers for DDoS attacks. In Kaafar MA, Uhlig S, Amann J, editors, Passive and Active Measurement: 18th International Conference, PAM 2017, Sydney, NSW, Australia, March 30-31, 2017, Proceedings. Cham: Springer. 2017. p. 17-29. (Lecture Notes in Computer Science). (Lecture Notes in Computer Communication Networks and Telecommunications). https://doi.org/10.1007/978-3-319-54328-4_2