The Closed Resolver Project: Measuring the Deployment of Inbound Source Address Validation

Source Address Validation (SAV) is a standard aimed at discarding packets with spoofed source IP addresses. The absence of SAV for outgoing traffic has been known as a root cause of Distributed Denial-of-Service (DDoS) attacks and has received widespread attention. While less obvious, the absence of inbound filtering enables an attacker to appear as an internal host of a network and may reveal valuable information about the network infrastructure. Inbound IP spoofing may amplify other attack vectors such as DNS cache poisoning or the recently discovered NXNSAttack. In this paper, we present the preliminary results of the Closed Resolver Project, which aims at mitigating the problem of inbound IP spoofing. We perform the first Internet-wide active measurement study to enumerate networks that filter or do not filter incoming packets by their source address, for both the IPv4 and IPv6 address spaces. To achieve this, we identify closed and open DNS resolvers that accept spoofed requests coming from outside their network. The proposed method provides the most complete picture of inbound SAV deployment by network providers. Our measurements cover over 55 % of IPv4 and 27 % of IPv6 Autonomous Systems (AS) and reveal that the great majority of them are fully or partially vulnerable to inbound spoofing. By identifying dual-stacked DNS resolvers, we additionally show that inbound filtering is less often deployed for IPv6 than it is for IPv4. Overall, we discover 13.9 K IPv6 open resolvers that can be exploited for amplification DDoS attacks, 13 times more than previous work. Furthermore, we uncover 4.25 M IPv4 and 103 K IPv6 vulnerable closed resolvers that could only be detected thanks to our spoofing technique, and that pose a significant threat when combined with the NXNSAttack.
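The abstract's core point is that a "closed" resolver decides whom to answer purely by the source address in the packet header, so it only stays closed if the network border drops inbound packets that claim one of the network's own addresses. The following added example (not the Closed Resolver Project's code, nor any measurement tooling) simulates that border filter and such a resolver for both IPv4 and IPv6, using constructed prefixes from the RFC 5737 / RFC 3849 documentation ranges and a handful of constructed packets; it shows how many externally originated queries the resolver would answer with and without inbound SAV.

```python
"""Inbound source address validation (SAV) at a network border, as a small
simulation. Added example; not the Closed Resolver Project's code. All
prefixes and packets are constructed (documentation address ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed internal address space of the network being protected (constructed).
INTERNAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass(frozen=True)
class Packet:
    ingress: str   # "external" = arrived on the border's outside interface
    src: str       # source IP as written in the header (unauthenticated)
    dst: str
    dport: int


def claims_internal_source(src: str, prefixes=INTERNAL_PREFIXES) -> bool:
    """True if the packet's source address lies inside our own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def inbound_sav(packets: Iterable[Packet], enabled: bool = True,
                prefixes=INTERNAL_PREFIXES) -> Tuple[List[Packet], List[Packet]]:
    """Border filter. With SAV enabled, a packet arriving from outside that
    carries one of our own source addresses cannot be legitimate and is
    dropped (the inbound counterpart of RFC 2827 ingress filtering)."""
    accepted, dropped = [], []
    for pkt in packets:
        spoofed = pkt.ingress == "external" and claims_internal_source(pkt.src, prefixes)
        (dropped if enabled and spoofed else accepted).append(pkt)
    return accepted, dropped


def closed_resolver_answers(pkt: Packet, prefixes=INTERNAL_PREFIXES) -> bool:
    """A 'closed' resolver: answers DNS (UDP/53) only for internal clients,
    judged solely by the source address, which is all it can see."""
    return pkt.dport == 53 and claims_internal_source(pkt.src, prefixes)


def resolver_exposure(packets: Iterable[Packet], sav_enabled: bool,
                      prefixes=INTERNAL_PREFIXES) -> List[Packet]:
    """Externally originated packets the closed resolver would still answer."""
    accepted, _ = inbound_sav(packets, sav_enabled, prefixes)
    return [p for p in accepted
            if p.ingress == "external" and closed_resolver_answers(p, prefixes)]


# Constructed sample traffic seen at the border.
SAMPLE_PACKETS = [
    Packet("external", "198.51.100.7", "192.0.2.53", 53),          # outsider with its own address: resolver ignores it
    Packet("external", "192.0.2.10", "192.0.2.53", 53),            # outsider claiming one of our IPv4 addresses
    Packet("external", "2001:db8:1::10", "2001:db8:1::53", 53),    # same pattern over IPv6
    Packet("internal", "192.0.2.10", "192.0.2.53", 53),            # genuine internal client
    Packet("external", "203.0.113.4", "192.0.2.25", 25),           # ordinary inbound mail, unaffected by SAV
]

if __name__ == "__main__":
    for enabled in (False, True):
        answered = resolver_exposure(SAMPLE_PACKETS, enabled)
        state = "on " if enabled else "off"
        print(f"inbound SAV {state}: closed resolver answers {len(answered)} external quer(y/ies)")
```

Without the border filter the resolver answers the two packets that merely claim an internal address, one per address family; with it, neither reaches the resolver, while genuine internal clients and unrelated inbound services are untouched. The per-family check in `claims_internal_source` is deliberate: a border that validates only IPv4 prefixes leaves the IPv6 side open, which is the asymmetry the abstract reports.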
