Swamp of Reflectors: Investigating the Ecosystem of Open DNS Resolvers

Ramin Yazdani*, Mattijs Jonker, Anna Sperotto

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

Abstract

DNS reflection-based DDoS attacks rely on open DNS resolvers to reflect and amplify attack traffic towards victims. While the majority of these resolvers are considered to be open because of misconfiguration, there remains a lot to be learned about the open resolver ecosystem. In this paper, we investigate and characterize open DNS resolvers from multiple angles. First, we look at indicators that likely suggest an intention behind the existence of open resolvers. To this end, we cross open resolver IP addresses with reverse DNS measurement data and show that a relatively small group of open resolvers unmistakably indicate their service in hostnames (i.e., PTR records). Second, we investigate the extent to which the anycast technique is used among open resolvers and show that this is mainly driven by hypergiants. Additionally, we take a look at the exposure of the authoritative nameservers as open recursive resolvers and show that a non-negligible number of authoritative nameservers also serve as open recursors. Finally, we look at the persistency of open resolvers over time. We study open resolvers longitudinally over a three-year period and show that 1% of open resolvers persistently appear in more than 95% of the measurement snapshots.

Original language: English
Title of host publication: Passive and Active Measurement
Subtitle of host publication: 25th International Conference, PAM 2024, Virtual Event, March 11–13, 2024, Proceedings, Part II
Editors: Philipp Richter, Vaibhav Bajpai, Esteban Carisimo
Place of Publication: Cham
Publisher: Springer
Pages: 3-18
Number of pages: 16
ISBN (Electronic): 978-3-031-56252-5
ISBN (Print): 978-3-031-56251-8
Publication status: Published - 20 Mar 2024
Event: 25th International Conference on Passive and Active Network Measurement, PAM 2024 - Virtual
Duration: 10 Mar 2024 to 13 Mar 2024
Conference number: 25

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 14538
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 25th International Conference on Passive and Active Network Measurement, PAM 2024
Abbreviated title: PAM 2024
City: Virtual
Period: 10/03/24 to 13/03/24

Keywords

  • 2024 OA procedure
  • DDoS
  • DNS reflection
  • Open resolvers
  • Amplification
