The Far Side of DNS Amplification: Tracing the DDoS Attack Ecosystem from the Internet Core
Marcin Nawrocki, Mattijs Jonker, Thomas C. Schmidt, Matthias Wählisch

TL;DR
This study uncovers the dynamics of the DNS amplification DDoS attack ecosystem by analyzing attack detection methods, attacker behaviors, and operational practices, revealing significant insights into attack patterns and potential mitigation points.
Contribution
It introduces a passive detection method at Internet exchange points, compares attack visibility across data sources, and identifies a dominant attack entity in the DNS amplification ecosystem.
Findings
IXPs and honeypots observe mostly disjoint attack sets.
Attackers efficiently detect new reflectors and rotate between them.
Operators of .gov domains often do not follow DNSSEC key rollover best practices.
Abstract
In this paper, we shed new light on the DNS amplification ecosystem by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection
