Measuring exposure in DDoS protection services

Denial-of-Service attacks have rapidly gained in popularity over the last decade. The increase in frequency, size, and complexity of attacks has made DDoS Protection Services (DPS) an attractive mitigation solution to which the protection of services can be outsourced. Despite a thriving market and increasing adoption of protection services, a DPS can often be bypassed, and direct attacks can be launched against the origin of a target. Many protection services leverage the Domain Name System (DNS) to protect, e.g., Web sites. When the DNS is misconfigured, the origin IP address of a target can leak to attackers, which defeats the purpose of outsourcing protection. We perform a large-scale analysis of this phenomenon by using three large data sets that cover a 16-month period: a data set of active DNS measurements; a DNS-based data set that focuses on DPS adoption; and a data set of DoS attacks inferred from backscatter traffic to a sizable darknet. We analyze nearly 11k Web sites on Alexa's top 1M that outsource protection, for eight leading DPS providers. Our results show that 40% of these Web sites expose the origin in the DNS. Moreover, we show that the origin of 19% of these Web sites is targeted after outsourcing protection.
