No Time for Downtime: Understanding Post-Attack Behaviors by Customers of Managed DNS Providers

TL;DR

This study analyzes how domain owners respond to DDoS attacks by examining DNS data and industry factors, revealing that popular domains and certain sectors tend to diversify their DNS services after attacks.

Contribution

It provides the first large-scale analysis linking industry sector and domain popularity to post-attack DNS resilience strategies.

Findings

Popular domains are more likely to diversify DNS services after attacks.

Certain industry sectors, like General News, are more proactive in response.

Domains in some sectors are nearly 6 times more likely to diversify DNS.

Abstract

We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains -- industry sector and popularity -- and post-attack strategies. Specifically, owners of more popular domains were more likely to re-act to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to re-act than domains categorized as Internet Services. Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.