Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Mohit Kolli -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i05.27130

2024-09-06

International Journal For Multidisciplinary Research

Abstract:DNS Amplification attacks are a specific flavor of cybersecurity attack. These exploit the current implementation of the internet architecture. DNS amplification attacks allow for bad actors to take down the servers of a victim by overloading them with network traffic. My research intends to analyze the DNS amplification attack and see whether they are still something to be actively looked at as a dangerous threat to high profile targets. This will be done by looking into the history of DNS amplification attacks, seeing how the attack works from a network perspective, looking at real world utilizations of the attack, approaches to detection, and possible ways the attack may be modified in the future with improvements in AI.

Marios Anagnostopoulos,Stavros Lagos,Georgios Kambourakis

DOI: https://doi.org/10.1016/j.jisa.2022.103168

IF: 4.96

2022-05-01

Journal of Information Security and Applications

Abstract:Reflection-based volumetric distributed denial-of-service (DDoS) attacks take advantage of the available to all (open) services to flood and possibly overpower a victim's server or network with an amplified amount of traffic. This work concentrates on two key protocols in the assailants' quiver regarding DoS attacks, namely domain name system (DNS) and simple service discovery protocol (SSDP). Our contribution spans three axes: (a) We perform countrywide IP address scans (probes) across three countries in two continents to locate devices that run open DNS or SSDP services, and thus can be effectively exploited in the context of amplification attacks, (b) we fingerprint the discovered devices to derive information about their type and operating system, and (c) we estimate the amplification factor of the discovered reflectors through a dozen of diverse, suitably crafted DNS queries and a couple of SSDP ones depending on the case. The conducted scans span fifteen months, therefore comparative conclusions regarding the evolution of the reflectors population over time, as well as indirect ones regarding the security measures in this field, can be deduced. For instance, for DNS, it was calculated that the third quartile of the amplification factor distribution remains more than 30 for customarily exploited queries across all the examined countries, while in the worst case this figure can reach up to 70. The same figures for SSDP range between roughly 41 and 73 for a specific type of query. To our knowledge, this work offers the first full-fledged mapping and assessment of DNS and SSDP amplifiers, and it is therefore anticipated to serve as a basis for further research in this ever-changing and high-stakes network security field.

computer science, information systems

Xiang Li,Dashuai Wu,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00264

2024-01-01

Abstract:DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors.We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

Yunwei Dai,Tao Huang,Shuo Wang

DOI: https://doi.org/10.1016/j.cose.2024.103718

IF: 5.105

2024-01-24

Computers & Security

Abstract:Domain Name System (DNS) amplification attacks exploit botnets and open recursive DNS servers to launch Distributed Denial of Service (DDoS) attacks. During an attack, the attacker leverages infected computers (bots) to perpetually send small spoofed DNS queries to numerous open recursive DNS servers. The servers, in turn, respond with lots of large DNS responses, which are reflected back to the victim. Such responses are usually several times larger than the original queries, and could exhaust the resources of CPUs, memory, and network bandwidth, rendering them unavailable for benign users. However, most in-network DDoS mitigation systems today inevitably cause normal DNS responses to be discarded while scrubbing traffic, as they do not distinguish between legitimate and malicious responses. To address this issue, some existing solutions employ Bloom filters to filter out unsolicited DNS responses, utilizing the "one-to-one mapping" relationship between DNS queries and responses. In this work, we present a framework called DAmpADF, designed to defend against DNS amplification attacks. The framework employs Bloom filters at the edge or core routers of Internet Service Providers (ISPs) or organizations to filter out malicious DNS responses. To reduce the false positives of the Bloom filters, we propose a novel data structure called the Non-amplifier Keeper (NAmpKeeper), which maintains the most frequently queried DNS servers that are not DNS amplifiers. By excluding queries to non-amplifiers from the Bloom filters, the false positives of Bloom filters are decreased significantly. Experimental results show that DAmpADF outperforms previous methods and achieves a superior filtration ratio of illegitimate DNS responses. Furthermore, the proposed approach incurs small, constant processing and memory overhead, enabling support for high line rates.

computer science, information systems

Claude Fachkha,Elias Bou-Harb,Mourad Debbabi

DOI: https://doi.org/10.1109/NTMS.2014.6814019

2013-11-06

Abstract:This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.

Cryptography and Security

Wei Xu,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Jia Zhang,Jianjun Chen,Tao Wan

DOI: https://doi.org/10.1145/3576915.3616668

2023-01-01

Abstract:In this paper, we present a new DNS amplification attack, named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demconstrate that with TsuKing, an initial small amplification factor can inrease exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve enormous amplification effect. With comprehensive measurements, we found that about 14.5% of 1.3M open DNS resolvers are potentially vulnerable to TsuKing. Real-world controlled evaluations indicated that attackers can achieve a packet amplification factor of at least 3,700X (DNSChain). We have reported vulnerabilities to affected vendors and provided them with mitigation recommendations. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. Some of them are implementing our recommendations.

Changhua Sun,Bin Liu,Lei Shi

DOI: https://doi.org/10.1109/GLOCOM.2008.ECP.397

2008-01-01

Abstract:DNS amplification attacks utilize IP address spoofing and large numbers of open recursive DNS servers to perform the bandwidth consumption attack. During an attack, it ceaselessly fabricates DNS queries to the exploited open recursive DNS servers, and all the responses, often with larger size than the query messages, are reflected to the single victim due to the source IP address spoofing. While it is difficult to defend against this attack from the root causes by eliminating the open recursive DNS servers and IP spoofing for the whole Internet, in this paper, we take a different methodology to defend against it at the leaf router of victim's ISP or organization. We propose an efficient and low-cost hardware approach to first detect the DNS amplification attack accurately and responsively. Once the attack is confirmed, our approach is then activated to filter out all the illegitimate DNS responses by using a two-Bloom filter solution. We demonstrate that the memory cost of our approach is feasible for the hardware implementation even up to the OC-768 link. Through trace-driven simulations, it is shown that our approach is effective in both the detecting and filtering phases.

Tasnuva Mahjabin,Yang Xiao,Tieshan Li,C. L. Philip Chen

DOI: https://doi.org/10.1109/jiot.2019.2947659

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:A domain name system (DNS) is one of the most important infrastructures of the Internet communication. It is also a crucial point which is subjected to attacks. The largest distributed denial-of-service (DDoS) attack on October 21, 2016 has targeted a major DNS infrastructure named dynDNS. It was actually the Internet of Things (IoT) DNS flood attack that made more than half of websites in the United States unreachable for a significant amount of time. As we are using the Internet for everything in our life, especially health care and transportation, an attack of this type may cause a major disruption. Therefore, in this article, we are going to analyze the DNS flood attacks and propose two mitigation methods. We propose a load distributed mitigation process which will work as a quick escape route of the legitimate traffic from the attack field. Our solution mainly involves service level changes which can be implemented with collaboration among service providers. Also, our proposed solution is very cost effective as compared to the cost of downtime of the domain names caused by a DNS flood attack. Furthermore, we propose a benign-bot mitigation method and a business model for the method. In the benign-bot mitigation method, a bot program is installed in customers’ DNS local servers to allow IP addresses of a list of paid businesses’ websites to maintain in the caches so that the websites can be accessed even when the DNS servers are down.

Soyoung Kim,Sora Lee,Geumhwan Cho,Muhammad Ejaz Ahmed,Jaehoon (Paul) Jeong,Hyoungshick Kim,Jaehoon Jeong

DOI: https://doi.org/10.1007/978-3-319-66399-9_8

2017-01-01

Abstract:Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack could be performed with multiple DNS servers and/or switches. To overcome this limitation, we propose a novel security framework using Software-Defined Networking (SDN) to store the history of DNS queries as an evidence to distinguish normal DNS responses from attack packets. Our evaluation results demonstrate that the network traffic for DNS amplification attack can completely be blocked under various network conditions without incurring a significant communication overhead.

Rebeen Rebwar Hama Amin,Dana Hassan,Masnida Hussin

DOI: https://doi.org/10.24017/science.2020.2.6

2020-12-06

Kurdistan Journal of Applied Research

Abstract:DNS reflection/amplification attacks are types of Distributed Denial of Service (DDoS) attacks that take advantage of vulnerabilities in the Domain Name System (DNS) and use it as an attacking tool. This type of attack can quickly deplete the resources (i.e. computational and bandwidth) of the targeted system. Many defense mechanisms are proposed to mitigate the impact of this type of attack. However, these defense mechanisms are centralized-based and cannot deal with a distributed-based attack. Also, these defense mechanisms have a single point of deployment which leads to a lack of computational resources to handle an attack with a large magnitude. In this work, we presented a new distributed-based defense mechanism (DDM) to counter reflection/ amplification attacks. While operating, we calculated the CPU counters of the machines that we deployed our defense mechanism with which showed 19.9% computational improvement. On top of that, our defense mechanism showed that it can protect the attack path from exhaustion during reflection/amplification attacks without putting any significant traffic load on the network by eliminating every spoofed request from getting responses.

Christian Bassey,Francis Jeremiah,Rustem Iuzlibaev,Opeyemi Oloruntola,Success Imakuh

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1716

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:These days, quite a large number of application servers are being considered to be easily spoofed. Even though technologies like DNSSec, DNS over HTTPS/TLS, and DNSCurve have always been suitable for this type of problem, many developers need help to exercise the complete chain of trust. Implementing the mentioned protocols might be a matter of time, inexperience, or impossibility. In this paper, some workarounds that rely on BGP Autonomous System numbers (AS) are shown, and protocols therein are described by way of Unicast Reverse Path Forwarding (uRPF), its benefits and drawbacks from an analytical standpoint, as well as the primary flow to defend end systems, are presented. Our approach focuses on filtering malicious traffic closer to the source by identifying anomalies in BGP AS path information. The methodology is implemented and tested using Snort as an Intrusion Detection System (IDS) to capture and analyze DNS request patterns, then MikroTik router configurations are used for strict uRPF and ingress filtering, demonstrating the practical application of this solution proposed solution in real-world network environments.

Jawad Ahmed

DOI: https://doi.org/10.48550/arXiv.2205.08968

2022-05-18

Cryptography and Security

Abstract:Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over a 6-month period, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field.

Ishmael Dube,George Wells

DOI: https://doi.org/10.1109/imitec50163.2020.9334104

2020-11-25

Abstract:The Domain Name System (DNS) protocol is a fundamental part of Internet activities that can be abused by cybercriminals to conduct malicious activities. Previous research has shown that cybercriminals use different methods, including the DNS protocol, to distribute malicious content, remain hidden and avoid detection from various technologies that are put in place to detect anomalies. This allows botnets and certain malware families to establish covert communication channels that can be used to send or receive data and also distribute malicious payloads using the DNS queries and responses. Cybercriminals use the DNS to breach highly protected networks, distribute malicious content, and exfiltrate sensitive information without being detected by security controls put in place by embedding certain strings in DNS packets. This research undertaking analysed the use of the DNS in detecting domains and channels that are used for distributing malicious payloads. Passive DNS data which replicate DNS queries on name servers to detect anomalies in DNS queries was evaluated and analysed in order to detect malicious payloads. The research characterised the malicious payload distribution channels by analysing passive DNS traffic and modelled the DNS query and response patterns used during malicious payload distribution. The research found that it is possible to detect malicious payload distribution channels through the analysis of DNS TXT resource records.

Keyu Man,Zhiyun Qian,Zhongjie Wang,Xiaofeng Zheng,Youjun Huang,Haixin Duan

DOI: https://doi.org/10.1145/3372297.3417280

2020-01-01

Abstract:In this paper, we report a series of flaws in the software stack that leads to a strong revival of DNS cache poisoning --- a classic attack which is mitigated in practice with simple and effective randomization-based defenses such as randomized source port. To successfully poison a DNS cache on a typical server, an off-path adversary would need to send an impractical number of $2^32 $ spoofed responses simultaneously guessing the correct source port (16-bit) and transaction ID (16-bit). Surprisingly, we discover weaknesses that allow an adversary to "divide and conquer'' the space by guessing the source port first and then the transaction ID (leading to only $2^16 +2^16 $ spoofed responses). Even worse, we demonstrate a number of ways an adversary can extend the attack window which drastically improves the odds of success. The attack affects all layers of caches in the DNS infrastructure, such as DNS forwarder and resolver caches, and a wide range of DNS software stacks, including the most popular BIND, Unbound, and dnsmasq, running on top of Linux and potentially other operating systems. The major condition for a victim being vulnerable is that an OS and its network is configured to allow ICMP error replies. From our measurement, we find over 34% of the open resolver population on the Internet are vulnerable (and in particular 85% of the popular DNS services including Google's 8.8.8.8). Furthermore, we comprehensively validate the proposed attack with positive results against a variety of server configurations and network conditions that can affect the success of the attack, in both controlled experiments and a production DNS resolver (with authorization).

Xiang Li,Chaoyi Lu,Baojun Liu Fi,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

2023-01-01

Abstract:In this paper, we report MAGINOTDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g.,.com and.net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MAGINOTDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Roberto Alonso,Raúl Monroy,Luis A Trejo

DOI: https://doi.org/10.3390/s16081311

2016-08-17

Abstract:The Domain Name System (DNS) is a critical infrastructure of any network, and, not surprisingly a common target of cybercrime. There are numerous works that analyse higher level DNS traffic to detect anomalies in the DNS or any other network service. By contrast, few efforts have been made to study and protect the recursive DNS level. In this paper, we introduce a novel abstraction of the recursive DNS traffic to detect a flooding attack, a kind of Distributed Denial of Service (DDoS). The crux of our abstraction lies on a simple observation: Recursive DNS queries, from IP addresses to domain names, form social groups; hence, a DDoS attack should result in drastic changes on DNS social structure. We have built an anomaly-based detection mechanism, which, given a time window of DNS usage, makes use of features that attempt to capture the DNS social structure, including a heuristic that estimates group composition. Our detection mechanism has been successfully validated (in a simulated and controlled setting) and with it the suitability of our abstraction to detect flooding attacks. To the best of our knowledge, this is the first time that work is successful in using this abstraction to detect these kinds of attacks at the recursive level. Before concluding the paper, we motivate further research directions considering this new abstraction, so we have designed and tested two additional experiments which exhibit promising results to detect other types of anomalies in recursive DNS servers.

Weizhong Li,Kaiwen Shen,Run Guo,Baojun Liu,Jia Zhang,Haixin Duan,Shuang Hao,Xiarun Chen,Yao Wang

DOI: https://doi.org/10.1109/dsn48063.2020.00022

2020-01-01

Abstract:Content Delivery Networks (CDNs) aim to improve network performance and protect against web attack traffic for their hosting websites. And the HTTP range request mechanism is majorly designed to reduce unnecessary network transmission. However, we find the specifications failed to consider the security risks introduced when CDNs meet range requests. In this study, we present a novel class of HTTP amplification attack, Range-based Amplification (RangeAmp) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the RangeAmp attacks on 13 popular CDNs to evaluate the feasibility and real-world impacts. Our experiment results show that all these CDNs are affected by the RangeAmp attacks. We also disclosed all security issues to affected CDN vendors and already received positive feedback from 12 vendors.

Muhammad Yasir Muzayan Haq,Mattijs Jonker,Roland van Rijswijk-Deij,KC Claffy,Lambert J. M. Nieuwenhuis,Abhishta Abhishta,Lambert J.M. Nieuwenhuis

DOI: https://doi.org/10.48550/arXiv.2205.12765

2022-05-25

Networking and Internet Architecture

Abstract:We leverage large-scale DNS measurement data on authoritative name servers to study the reactions of domain owners affected by the 2016 DDoS attack on Dyn. We use industry sources of information about domain names to study the influence of factors such as industry sector and website popularity on the willingness of domain managers to invest in high availability of online services. Specifically, we correlate business characteristics of domain owners with their resilience strategies in the wake of DoS attacks affecting their domains. Our analysis revealed correlations between two properties of domains -- industry sector and popularity -- and post-attack strategies. Specifically, owners of more popular domains were more likely to re-act to increase the diversity of their authoritative DNS service for their domains. Similarly, domains in certain industry sectors were more likely to seek out such diversity in their DNS service. For example, domains categorized as General News were nearly 6 times more likely to re-act than domains categorized as Internet Services. Our results can inform managed DNS and other network service providers regarding the potential impact of downtime on their customer portfolio.