The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core
This research addresses the problem of understanding and mitigating DDoS attacks for network operators and security professionals, with incremental insights into attack detection and ecosystem dynamics.
The study tackled the DNS amplification DDoS attack ecosystem by analyzing data from Internet eXchange Points (IXPs) and other sources, revealing that 96% of attacks were missed by honeypots, a major entity conducted 59% of attacks, and attackers could increase amplification factors by 14x.
In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.