Abstract
In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.
| Original language | English |
|---|---|
| Title of host publication | IMC 2021 - Proceedings of the 2021 ACM Internet Measurement Conference |
| Publisher | ACM Publishing |
| Pages | 419-434 |
| Number of pages | 16 |
| ISBN (Electronic) | 9781450391290 |
| DOIs | |
| Publication status | Published - 2 Nov 2021 |
| Event | 2021 ACM Internet Measurement Conference, IMC 2021 - Virtual Duration: 2 Nov 2021 → 4 Nov 2021 https://conferences.sigcomm.org/imc/2021/ |
Conference
| Conference | 2021 ACM Internet Measurement Conference, IMC 2021 |
|---|---|
| Abbreviated title | IMC 2021 |
| City | Virtual |
| Period | 2/11/21 → 4/11/21 |
| Internet address |
Keywords
- 2022 OA procedure