Transparent forwarders

Nawrocki, Marcin; Koch, Maynard; Schmidt, Thomas C.; Wählisch, Matthias

doi:10.1145/3485983.3494872

Cited by 8 publications

(6 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…consists of various amplifiers [31], the driving factor for amplification are queries for names with large zones. This means that the attackers can utilize most amplifiers if they select such a name, which makes the honeypots less attractive or at least less likely to be used.…”

Section: Towards Ground Truthmentioning

confidence: 99%

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Nawrocki¹,

Kristoff²,

Hiesgen³

et al. 2023

Preprint

View full text Add to dashboard Cite

In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

show abstract

Section: Towards Ground Truthmentioning

confidence: 99%

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Nawrocki¹,

Kristoff²,

Hiesgen³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Such devices were shown to serve different purposes. Transparent forwarders [45] only relay incoming DNS requests to alternative resolvers, such as public or network's internal DNS resolvers. Importantly, they do not inject spoofed responses, but rather let those alternative resolvers respond to end clients directly.…”

Section: Identifying Injectorsmentioning

confidence: 99%

“…More broadly, various types of DNS manipulation have been extensively studied in the literature. Censors [57,50,58,47,48,7,23,27,46], transparent forwarders [45,33], rogue DNS servers [19], and middleboxes [51,38,61,60,16]-all interfere with the normal DNS resolution process. Particular attention has been paid to the GFW of China [3,4,5,11,22,28,39], known to intercept DNS traffic and inject bogus responses.…”

Section: Related Workmentioning

confidence: 99%

Intercept and Inject: DNS Response Manipulation in the Wild

Nosyk

Lone²,

Zhauniarovich

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

DNS is a protocol responsible for translating human-readable domain names into IP addresses. Despite being essential for many Internet services to work properly, it is inherently vulnerable to manipulation. In November 2021, users from Mexico received bogus DNS responses when resolving whatsapp.net. It appeared that a BGP route leak diverged DNS queries to the local instance of the k-root located in China. Those queries, in turn, encountered middleboxes that injected fake DNS responses. In this paper, we analyze that event from the RIPE Atlas point of view and observe that its impact was more significant than initially thought-the Chinese root server instance was reachable from at least 15 countries several months before being reported. We then launch a ninemonth longitudinal measurement campaign using RIPE Atlas probes and locate 11 probes outside China reaching the same instance, although this time over IPv6. More broadly, motivated by the November 2021 event, we study the extent of DNS response injection when contacting root servers. While only less than 1% of queries are impacted, they originate from 7% of RIPE Atlas probes in 66 countries. We conclude by discussing several countermeasures that limit the probability of DNS manipulation.

show abstract

“…In total, we sent more than 3 billion DNS A requests (one to each routable IP address) and received 7.6 million responses on the scanner. From each DNS response packet, we retrieve the following fields: the queried domain name (remember that each domain name is globally unique as it encodes the destination IP address to which we send the request), the source IP address of the response (can be the same as the destination IP address or different, in case the destination is a transparent forwarder [40]) and the DNS response code. We refer to each response as a three-tuple (source IP address, domain name, response code).…”

Section: Internet Scanmentioning

confidence: 99%

“…The number of open DNS resolvers dropped substantially in recent years -from 17.8 million in 2015 [26] to around 2 million in 2021 [4,25,40,52]. Yet, DNS has been heavily involved in reflection and amplification attacks [20,21].…”

Section: Related Workmentioning

confidence: 99%

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Nosyk

Korczyński

Duda

2022

Passive and Active Measurement

View full text Add to dashboard Cite

DDoS attacks are one of the biggest threats to the modern Internet as their magnitude is constantly increasing. They are highly effective because of the amplification and reflection potential of different Internet protocols. In this paper, we show how a single DNS query triggers a response packet flood to the query source, possibly because of middleboxes located in networks with routing loops. We send DNS A requests to 3 billion routable IPv4 hosts and find 15,909 query destinations from 1,742 autonomous systems that trigger up to 46.7 million repeating responses. We perform traceroute measurements towards destination hosts that resulted in the highest amplification, locate 115 routing loops on the way, and notify corresponding network operators. Finally, we analyze two years of historical scan data and find that such "mega amplifiers" are prevalent. In the worst case, a single DNS A request triggered 655 million responses, all returned to a single host.

show abstract

Transparent forwarders

Cited by 8 publications

References 25 publications

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

SoK: A Data-driven View on Methods to Detect Reflective Amplification DDoS Attacks Using Honeypots

Intercept and Inject: DNS Response Manipulation in the Wild

Routing Loops as Mega Amplifiers for DNS-Based DDoS Attacks

Contact Info

Product

Resources

About