The far side of DNS amplification: tracing the DDoS attack ecosystem from the internet core

In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.
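As an added example (not code from the paper or its authors), a minimal flow-based detector in the spirit of the passive IXP-side detection the abstract describes: it flags destinations that receive large, unsolicited UDP/53 responses from several distinct sources. The flow records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:  # one unidirectional UDP flow record (constructed, NetFlow-like)
    src: str
    dst: str
    sport: int
    dport: int
    packets: int
    octets: int

# Constructed sample flows. 203.0.113.10 receives large DNS responses from four
# resolvers it never queried (the spoofed queries came from elsewhere);
# 203.0.113.20 is an ordinary client whose responses match its own queries.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", 53, 443, 400, 560000),
    Flow("198.51.100.2", "203.0.113.10", 53, 443, 380, 532000),
    Flow("198.51.100.3", "203.0.113.10", 53, 443, 410, 574000),
    Flow("198.51.100.4", "203.0.113.10", 53, 443, 390, 546000),
    Flow("203.0.113.20", "198.51.100.9", 40000, 53, 10, 800),
    Flow("198.51.100.9", "203.0.113.20", 53, 40000, 10, 2400),
]

def detect_reflection_victims(flows, min_reflectors=3, min_avg_size=1000):
    """Return {victim: stats} for hosts receiving unsolicited, large DNS
    responses from at least `min_reflectors` distinct sources."""
    # (client, server) pairs for which the client was actually seen sending a query
    solicited = {(f.src, f.dst) for f in flows if f.dport == 53}
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.sport != 53:
            continue  # only DNS responses matter here
        if (f.dst, f.src) in solicited:
            continue  # the receiver asked for this answer: not reflection
        s = per_dst[f.dst]
        s["reflectors"].add(f.src)
        s["packets"] += f.packets
        s["octets"] += f.octets
    victims = {}
    for dst, s in per_dst.items():
        avg = s["octets"] / s["packets"]
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_size:
            victims[dst] = {"reflectors": len(s["reflectors"]),
                            "octets": s["octets"], "avg_size": avg}
    return victims

if __name__ == "__main__":
    for v, s in detect_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{v}: {s['reflectors']} reflectors, {s['octets']} B, avg {s['avg_size']:.0f} B/pkt")
```

The "unsolicited" check is what makes this an IXP-style inference: a victim of reflection never sent the queries whose answers it receives, whereas a legitimate client's responses always pair with its own outbound queries.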
