Characterizing Optimal DNS Amplification Attacks and Effective Mitigation

MacFarland, Douglas C.; Shue, Craig A.; Kalafut, Andrew J.

doi:10.1007/978-3-319-15509-8_2

Cited by 26 publications

(14 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In more recent work, Rossow [27] provides an in-depth study into attacks performed in 2014, analyzing captured traces on various protocols and evaluating open amplification services on the Internet. Subsequently Kührer et al have performed significant work to reduce vulnerable NTP services and IP address spoofing [20], complemented by others that have focused on amplification using specific protocols, such as DNS [3,8,10,21,22,31] or NTP [6,25,28,30]. The largest study on amplification attacks to date has been performed by Thomas et al, who capture attack traces using a mean of 59.7 honeypots over 1010 days [32].…”

Section: Related Workmentioning

confidence: 99%

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Griffioen

Oosthoek

Knaap

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Amplification attacks generate an enormous flood of unwanted traffic towards a victim and are generated with the help of open, unsecured services, to which an adversary sends spoofed service requests that trigger large answer volumes to a victim. However, the actual execution of the packet flood is only one of the activities necessary for a successful attack. Adversaries need, for example, to develop attack tools, select open services to abuse, test them, and adapt the attacks if necessary, each of which can be implemented in myriad ways. Thus, to understand the entire ecosystem and how adversaries work, we need to look at the entire chain of activities.This paper analyzes adversarial techniques, tactics, and procedures (TTPs) based on 549 honeypots deployed in 5 clouds that were rallied to participate in 13,479 attacks. Using a traffic shaping approach to prevent meaningful participation in DDoS activities while allowing short bursts of adversarial testing, we find that adversaries actively test for plausibility, packet loss, and amplification benefits of these servers, and show evidence of a "memory" of previously exploited servers among attackers. In practice, we demonstrate that even for commonplace amplification attacks, adversaries exhibit differences in how they work. CCS CONCEPTS• Security and privacy → Denial-of-service attacks.

show abstract

Section: Related Workmentioning

confidence: 99%

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Griffioen

Oosthoek

Knaap

et al. 2021

Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

show abstract

“…These, in turn, leave the users of subverted resolvers vulnerable to being re-directed to malicious services. Second, open resolvers are susceptible to being leveraged in reflection and amplification DDoS attacks (e.g., [37]). The DNS port on servers is less open via IPv6 than IPv4.…”

Section: Dns and Ntpmentioning

confidence: 99%

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Czyz¹,

Luckie²,

Allman³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

There is growing operational awareness of the challenges in securely operating IPv6 networks. Through a measurement study of 520,000 dual-stack servers and 25,000 dual-stack routers, we examine the extent to which security policy codified in IPv4 has also been deployed in IPv6. We find several high-value target applications with a comparatively open security policy in IPv6 including: (i) SSH, Telnet, SNMP, are more than twice as open on routers in IPv6 as they are in IPv4; (ii) nearly half of routers with BGP open were only open in IPv6; and (iii) in the server dataset, SNMP was twice as open in IPv6 as in IPv4. We conduct a detailed study of where port blocking policy is being applied and find that protocol openness discrepancies are consistent within network boundaries, suggesting a systemic failure in organizations to deploy consistent security policy. We successfully communicate our findings with twelve network operators and all twelve confirm that the relative openness was unintentional. Ten of the twelve immediately moved to deploy a congruent IPv6 security policy, reflecting real operational concern. Finally, we revisit the belief that the security impact of this comparative openness in IPv6 is mitigated by the infeasibility of IPv6 network-wide scanning-we find that, for both of our datasets, host addressing practices make discovering these high-value hosts feasible by scanning alone. To help operators accurately measure their own IPv6 security posture, we make our probing system publicly available. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author's employer if the paper was prepared within the scope of employment.

show abstract

“…The authors of [5] propose to install a preliminary DNS resolver and create a tunnel using IPSec or the SSL protocol between the preliminary resolver and the DNS resolver on the client side. All external DNS requests arrive at the preliminary DNS resolver and cannot directly enter the client's DNS server from external sources.…”

Section: Related Workmentioning

confidence: 99%

Development of protection mechanisms against DRDoS-attacks and combined DRDoS-attacks

Bekeneva¹,

Shorov²

2017

Vib. proced.

View full text Add to dashboard Cite

Distributed "denial of service" attacks based on the traffic reflection and amplification (DRDoS attacks) still are a powerful threat for computer networks. More than half of all attacks were executed by using multiple types of attacks. Development of new protection mechanisms against such attacks is one of the most important tasks in the field of computer security. In this paper, we present experiments on DNS attack, NTP attacks and combined DRDoS-attack simulation. We simulated several protection mechanisms as well as a mechanism developed by us. We compared these protection mechanisms for different kinds of attacks.

show abstract

Characterizing Optimal DNS Amplification Attacks and Effective Mitigation

Cited by 26 publications

References 8 publications

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Scan, Test, Execute: Adversarial Tactics in Amplification DDoS Attacks

Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy

Development of protection mechanisms against DRDoS-attacks and combined DRDoS-attacks

Contact Info

Product

Resources

About