Abstract
DNS reflection-based DDoS attacks rely on open DNS resolvers to reflect and amplify attack traffic towards victims. While the majority of these resolvers are considered to be open because of misconfiguration, there remains a lot to be learned about the open resolver ecosystem. In this paper, we investigate and characterize open DNS resolvers from multiple angles. First, we look at indicators that likely suggest an intention behind the existence of open resolvers. To this end, we cross open resolver IP addresses with reverse DNS measurement data and show that a relatively small group of open resolvers unmistakably indicate their service in hostnames (i.e., PTR records). Second, we investigate the extent to which anycast technique is used among open resolvers and show that this is mainly driven by hypergiants. Additionally, we take a look at the exposure of the authoritative nameservers as open recursive resolvers and show that a non-negligible number of authoritative nameservers also serve as open recursors. Finally, we look at the persistency of open resolvers over time. We study open resolvers longitudinally over a three-year period and show that 1% of open resolvers persistently appear in more than 95% of the measurement snapshots.
Original language | English |
---|---|
Title of host publication | Passive and Active Measurement |
Subtitle of host publication | 25th International Conference, PAM 2024, Virtual Event, March 11–13, 2024, Proceedings, Part II |
Editors | Philipp Richter, Vaibhav Bajpai, Esteban Carisimo |
Place of Publication | Cham |
Publisher | Springer |
Pages | 3-18 |
Number of pages | 16 |
ISBN (Electronic) | 978-3-031-56252-5 |
ISBN (Print) | 978-3-031-56251-8 |
DOIs | |
Publication status | Published - 20 Mar 2024 |
Event | 25th International Conference on Passive and Active Network Measurement, PAM 2024 - Virtual Duration: 10 Mar 2024 → 13 Mar 2024 Conference number: 25 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 14538 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 25th International Conference on Passive and Active Network Measurement, PAM 2024 |
---|---|
Abbreviated title | PAM 2024 |
City | Virtual |
Period | 10/03/24 → 13/03/24 |
Keywords
- 2024 OA procedure
- DDoS
- DNS reflection
- Open resolvers
- Amplification