Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Korczyński, Maciej; Nosyk, Yevheniya; Lone, Qasim; Skwarek, Marcin; Jonglez, Baptiste; Duda, Andrzej

doi:10.1145/3404868.3406668

Cited by 6 publications

(3 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This method allows for fast scanning with pre-built DNS queries and also limits the traffic at our authoritative nameserver since forwarders using the same resolver will return a cached entry. The relation between forwarders and resolvers has been measured before, but the previous methodologies [6,25,56] embed the IP address of each target into the subdomain. This embedding requires the analysis of queries at the authoritative nameserver, which impedes reproducibility.…”

Section: Cache Snooping To Check Name Popularitymentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

View full text Add to dashboard Cite

In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making. CCS CONCEPTS• Security and privacy → Denial-of-service attacks; • Networks → Naming and addressing; Public Internet.

show abstract

Section: Cache Snooping To Check Name Popularitymentioning

confidence: 99%

The far side of DNS amplification

Nawrocki

Jonker

Schmidt

et al. 2021

Proceedings of the 21st ACM Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…Open DNS resolvers also received substantial attention from the research community. In 2015, Kührer et al [46] enumerated more than 26 million open IPv4 resolvers but the collective remediation efforts decreased this number to several million by 2021-2022 [43], [44], [56], [58], [60], [78]. Hendriks et al [28] specifically focused on the IPv6 address space and discovered 1,038 IPv6 resolvers by traversal from IPv4-only to IPv6-only zones.…”

Section: Related Workmentioning

confidence: 99%

Unveiling the Weak Links: Exploring DNS Infrastructure Vulnerabilities and Fortifying Defenses

Nosyk

Hureau

Fernández

et al. 2023

2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

Self Cite

View full text Add to dashboard Cite

In the past decades, DNS has gradually risen into one of the most important systems on the Internet. Malicious actors have long misused it in reflection and amplification DDoS attacks, but given its criticality, DNS quickly became an attractive attack target itself. There appeared a number of activities that make use of domain names and the DNS protocol to perform illegal actions, collectively referred to as DNS abuse. In this paper, we measure the landscape of DNS infrastructure vulnerabilities across millions of recursive resolvers and authoritative nameservers. We enumerate domain names deploying cache poisoning protection (DNSSEC), email authentication (SPF/DMARC), and resolvers accepting DNS requests from arbitrary clients. We show that DNS infrastructure is not sufficiently protected against cybersecurity threats and propose a set of recommendations to mitigate the existing problems. Conducted in the frame of a European Commission project, our findings will be considered for inclusion in the upcoming European Union legislation on cybersecurity.

show abstract

“…It happens when SAV for incoming traffic drops the packet from the outside with the source IP belonging to the inner network. However, recent work showed that inbound SAV is not widely deployed [25,12,23,24].…”

Section: Threat Modelmentioning

confidence: 99%

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Nosyk

Korczyński

Duda

2022

Passive and Active Measurement

Self Cite

View full text Add to dashboard Cite

DDoS attacks are one of the biggest threats to the modern Internet as their magnitude is constantly increasing. They are highly effective because of the amplification and reflection potential of different Internet protocols. In this paper, we show how a single DNS query triggers a response packet flood to the query source, possibly because of middleboxes located in networks with routing loops. We send DNS A requests to 3 billion routable IPv4 hosts and find 15,909 query destinations from 1,742 autonomous systems that trigger up to 46.7 million repeating responses. We perform traceroute measurements towards destination hosts that resulted in the highest amplification, locate 115 routing loops on the way, and notify corresponding network operators. Finally, we analyze two years of historical scan data and find that such "mega amplifiers" are prevalent. In the worst case, a single DNS A request triggered 655 million responses, all returned to a single host.

show abstract

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Cited by 6 publications

References 8 publications

The far side of DNS amplification

The far side of DNS amplification

Unveiling the Weak Links: Exploring DNS Infrastructure Vulnerabilities and Fortifying Defenses

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Contact Info

Product

Resources

About