Forward to Hell? On the Potentials of Misusing Transparent DNS Forwarders in Reflective Amplification Attacks

TL;DR

This paper investigates how transparent DNS forwarders, which do not modify request packets, can be exploited to facilitate large-scale reflective amplification attacks, bypassing existing defenses and increasing attack scalability.

Contribution

It uncovers the overlooked threat posed by transparent DNS forwarders in amplifying attacks and empirically demonstrates their potential to scale attack impact significantly.

Findings

Transparent forwarders can be misused to amplify DNS attacks by a factor of up to 14.

They can bypass rate limiting and firewall protections on recursive resolvers.

The threat extends to the DNS anycast infrastructure, increasing attack scalability.

Abstract

The DNS infrastructure is infamous for facilitating reflective amplification attacks. Various countermeasures such as server shielding, access control, rate limiting, and protocol restrictions have been implemented. Still, the threat remains throughout the deployment of DNS servers. In this paper, we report on and evaluate the often unnoticed threat that derives from transparent DNS forwarders, a widely deployed, incompletely functional set of DNS components. Transparent DNS forwarders transfer DNS requests without rebuilding packets with correct source addresses. As such, transparent forwarders feed DNS requests into (mainly powerful and anycasted) open recursive resolvers, which thereby can be misused to participate unwillingly in distributed reflective amplification attacks. We show how transparent forwarders raise severe threats to the Internet infrastructure. They easily circumvent rate limiting and achieve an additional, scalable impact via the DNS anycast infrastructure. We empirically verify this scaling behavior up to a factor of 14. Transparent forwarders can also assist in bypassing firewall rules that protect recursive resolvers, making these shielded infrastructure entities part of the global DNS attack surface.