Paper Info
Title
The far side of DNS amplification: tracing the DDoS attack ecosystem from the internet core
Abstract
ABSTRACTIn this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14×). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.
Year
DOI
Venue
2021
10.1145/3487552.3487835
Internet Measurement Conference
DocType
Citations 
PageRank 
Conference
1
0.35
References 
Authors
0
4
Name
Order
Citations
PageRank
Marcin Nawrocki173.54
Mattijs Jonker2425.76
Thomas C. Schmidt3696120.55
Matthias Wählisch45417.86