Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Douglas C. MacFarland,Craig A. Shue,Andrew J. Kalafut

DOI: https://doi.org/10.1016/j.comnet.2017.02.007

IF: 5.493

2017-04-01

Computer Networks

Abstract:DNS amplification has been instrumental in over 34% of high-volume network DDoS attacks, with some floods exceeding 300 Gbps. Today’s best practices require Internet-wide cooperation and have been unable to prevent these attacks. In this work, we investigate whether these best practices can eliminate DNS amplification attacks and characterize what threats remain. In particular, we study roughly 130 million DNS domains and their associated servers to determine the DNS amplification potential associated with each. We find attackers can easily use these servers to create crippling floods and that few servers employ any protection measures to deter attackers.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Claude Fachkha,Elias Bou-Harb,Mourad Debbabi

DOI: https://doi.org/10.1109/NTMS.2014.6814019

2013-11-06

Abstract:This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.

Cryptography and Security

Raphael Hiesgen,Marcin Nawrocki,Marinho Barcellos,Daniel Kopp,Oliver Hohlfeld,Echo Chan,Roland Dobbins,Christian Doerr,Christian Rossow,Daniel R. Thomas,Mattijs Jonker,Ricky Mok,Xiapu Luo,John Kristoff,Thomas C. Schmidt,Matthias Wählisch,kc claffy

DOI: https://doi.org/10.1145/3646547.3688451

2024-10-22

Abstract:Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks - direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.

Cryptography and Security

Yunwei Dai,Tao Huang,Shuo Wang

DOI: https://doi.org/10.1016/j.cose.2024.103718

IF: 5.105

2024-01-24

Computers & Security

Abstract:Domain Name System (DNS) amplification attacks exploit botnets and open recursive DNS servers to launch Distributed Denial of Service (DDoS) attacks. During an attack, the attacker leverages infected computers (bots) to perpetually send small spoofed DNS queries to numerous open recursive DNS servers. The servers, in turn, respond with lots of large DNS responses, which are reflected back to the victim. Such responses are usually several times larger than the original queries, and could exhaust the resources of CPUs, memory, and network bandwidth, rendering them unavailable for benign users. However, most in-network DDoS mitigation systems today inevitably cause normal DNS responses to be discarded while scrubbing traffic, as they do not distinguish between legitimate and malicious responses. To address this issue, some existing solutions employ Bloom filters to filter out unsolicited DNS responses, utilizing the "one-to-one mapping" relationship between DNS queries and responses. In this work, we present a framework called DAmpADF, designed to defend against DNS amplification attacks. The framework employs Bloom filters at the edge or core routers of Internet Service Providers (ISPs) or organizations to filter out malicious DNS responses. To reduce the false positives of the Bloom filters, we propose a novel data structure called the Non-amplifier Keeper (NAmpKeeper), which maintains the most frequently queried DNS servers that are not DNS amplifiers. By excluding queries to non-amplifiers from the Bloom filters, the false positives of Bloom filters are decreased significantly. Experimental results show that DAmpADF outperforms previous methods and achieves a superior filtration ratio of illegitimate DNS responses. Furthermore, the proposed approach incurs small, constant processing and memory overhead, enabling support for high line rates.

computer science, information systems

Soyoung Kim,Sora Lee,Geumhwan Cho,Muhammad Ejaz Ahmed,Jaehoon (Paul) Jeong,Hyoungshick Kim,Jaehoon Jeong

DOI: https://doi.org/10.1007/978-3-319-66399-9_8

2017-01-01

Abstract:Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack could be performed with multiple DNS servers and/or switches. To overcome this limitation, we propose a novel security framework using Software-Defined Networking (SDN) to store the history of DNS queries as an evidence to distinguish normal DNS responses from attack packets. Our evaluation results demonstrate that the network traffic for DNS amplification attack can completely be blocked under various network conditions without incurring a significant communication overhead.

Bingshuang Liu,Skyler Berg,Jun Li,Tao Wei,Chao Zhang,Xinhui Han

DOI: https://doi.org/10.1109/ICCCN.2014.6911808

2014-01-01

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS. By leveraging peer-to-peer (P2P) file-sharing networks, SF-DRDoS becomes more surreptitious and powerful than traditional DRDoS. An attacker can store carefully prepared data on reflector nodes before the flooding phase to greatly increase the amplification factor of an attack. We implemented a prototype of SF-DRDoS on Kad, a popular Kademlia-based P2P file-sharing network. With real-world experiments, this attack achieved an amplification factor of 2400 on average, with the upper bound of attack bandwidth at 670 Gbps in Kad. Finally, we discuss possible defenses to mitigate the threat of SF-DRDoS.

Wei Xu,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Jia Zhang,Jianjun Chen,Tao Wan

DOI: https://doi.org/10.1145/3576915.3616668

2023-01-01

Abstract:In this paper, we present a new DNS amplification attack, named TsuKing. Instead of exploiting individual DNS resolvers independently to achieve an amplification effect, TsuKing deftly coordinates numerous vulnerable DNS resolvers and crafted queries together to form potent DoS amplifiers. We demconstrate that with TsuKing, an initial small amplification factor can inrease exponentially through the internal layers of coordinated amplifiers, resulting in an extremely powerful amplification attack. TsuKing has three variants, including DNSRetry, DNSChain, and DNSLoop, all of which exploit a suite of inconsistent DNS implementations to achieve enormous amplification effect. With comprehensive measurements, we found that about 14.5% of 1.3M open DNS resolvers are potentially vulnerable to TsuKing. Real-world controlled evaluations indicated that attackers can achieve a packet amplification factor of at least 3,700X (DNSChain). We have reported vulnerabilities to affected vendors and provided them with mitigation recommendations. We have received positive responses from 6 vendors, including Unbound, MikroTik, and AliDNS, and 3 CVEs were assigned. Some of them are implementing our recommendations.

Xiang Li,Dashuai Wu,Haixin Duan,Qi Li

DOI: https://doi.org/10.1109/sp54263.2024.00264

2024-01-01

Abstract:DNS employs a variety of mechanisms to guarantee availability, protect security, and enhance reliability. In this paper, however, we reveal that these inherent beneficial mechanisms, including timeout, query aggregation, and response fast-returning, can be transformed into malicious attack vectors.We propose a new practical and powerful pulsing DoS attack, dubbed the DNSBomb attack. DNSBomb exploits multiple widely-implemented DNS mechanisms to accumulate DNS queries that are sent at a low rate, amplify queries into large-sized responses, and concentrate all DNS responses into a short, high-volume periodic pulsing burst to simultaneously overwhelm target systems. Through an extensive evaluation on 10 mainstream DNS software, 46 public DNS services, and around 1.8M open DNS resolvers, we demonstrate all DNS resolvers could be exploited to conduct more practical-and-powerful DNSBomb attacks than previous pulsing DoS attacks. Small-scale experiments show the peak pulse magnitude can approach 8.7Gb/s and the bandwidth amplification factor could exceed 20,000x. Our controlled attacks cause complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC). In addition, we present effective mitigation solutions with detailed evaluations. We have responsibly reported our findings to all affected vendors, and received acknowledgement from 24 of them, which are patching their software using our solutions, such as BIND, Unbound, PowerDNS, and Knot. 10 CVE-IDs are assigned.

Rebeen Rebwar Hama Amin,Dana Hassan,Masnida Hussin

DOI: https://doi.org/10.24017/science.2020.2.6

2020-12-06

Kurdistan Journal of Applied Research

Abstract:DNS reflection/amplification attacks are types of Distributed Denial of Service (DDoS) attacks that take advantage of vulnerabilities in the Domain Name System (DNS) and use it as an attacking tool. This type of attack can quickly deplete the resources (i.e. computational and bandwidth) of the targeted system. Many defense mechanisms are proposed to mitigate the impact of this type of attack. However, these defense mechanisms are centralized-based and cannot deal with a distributed-based attack. Also, these defense mechanisms have a single point of deployment which leads to a lack of computational resources to handle an attack with a large magnitude. In this work, we presented a new distributed-based defense mechanism (DDM) to counter reflection/ amplification attacks. While operating, we calculated the CPU counters of the machines that we deployed our defense mechanism with which showed 19.9% computational improvement. On top of that, our defense mechanism showed that it can protect the attack path from exhaustion during reflection/amplification attacks without putting any significant traffic load on the network by eliminating every spoofed request from getting responses.

Mohit Kolli -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i05.27130

2024-09-06

International Journal For Multidisciplinary Research

Abstract:DNS Amplification attacks are a specific flavor of cybersecurity attack. These exploit the current implementation of the internet architecture. DNS amplification attacks allow for bad actors to take down the servers of a victim by overloading them with network traffic. My research intends to analyze the DNS amplification attack and see whether they are still something to be actively looked at as a dangerous threat to high profile targets. This will be done by looking into the history of DNS amplification attacks, seeing how the attack works from a network perspective, looking at real world utilizations of the attack, approaches to detection, and possible ways the attack may be modified in the future with improvements in AI.

Changhua Sun,Bin Liu,Lei Shi

DOI: https://doi.org/10.1109/GLOCOM.2008.ECP.397

2008-01-01

Abstract:DNS amplification attacks utilize IP address spoofing and large numbers of open recursive DNS servers to perform the bandwidth consumption attack. During an attack, it ceaselessly fabricates DNS queries to the exploited open recursive DNS servers, and all the responses, often with larger size than the query messages, are reflected to the single victim due to the source IP address spoofing. While it is difficult to defend against this attack from the root causes by eliminating the open recursive DNS servers and IP spoofing for the whole Internet, in this paper, we take a different methodology to defend against it at the leaf router of victim's ISP or organization. We propose an efficient and low-cost hardware approach to first detect the DNS amplification attack accurately and responsively. Once the attack is confirmed, our approach is then activated to filter out all the illegitimate DNS responses by using a two-Bloom filter solution. We demonstrate that the memory cost of our approach is feasible for the hardware implementation even up to the OC-768 link. Through trace-driven simulations, it is shown that our approach is effective in both the detecting and filtering phases.

Bingshuang Liu,Jun Li,Tao Wei,Skyler Berg,Jiayi Ye,Chen Li,Chao Zhang,Jianyu Zhang,Xinhui Han

DOI: https://doi.org/10.1016/j.comcom.2015.06.008

IF: 5.047

2015-01-01

Computer Communications

Abstract:Distributed reflective denial of service (DRDoS) attacks, especially those based on UDP reflection and amplification, can generate hundreds of gigabits per second of attack traffic, and have become a significant threat to Internet security. In this paper we show that an attacker can further make the DRDoS attack more dangerous. In particular, we describe a new DRDoS attack called store-and-flood DRDoS, or SF-DRDoS, which leverages peer-to-peer (P2P) file-sharing networks. An attacker can store carefully prepared data on reflector nodes before the flooding phase, to greatly increase the amplification factor of an attack. In this way, SF-DRDoS is more surreptitious and powerful than traditional DRDoS. We present two prototype SF-DRDoS attacks on two popular Kademlia-based P2P file-sharing networks, Mad and BT-DHT. Experiments in real-world environments showed that, this attack can achieve an amplification factor of 2400 on average in Mad, and reach an upper bound of attack bandwidth at 670 Gbps and 10 Tbps for Kad and BT-DHT, respectively. We also propose some candidate defenses to mitigate the SF-DRDoS threat. (C) 2015 Elsevier B.V. All rights reserved.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Jawad Ahmed

DOI: https://doi.org/10.48550/arXiv.2205.08968

2022-05-18

Cryptography and Security

Abstract:Enterprise Networks are growing in scale and complexity, with heterogeneous connected assets needing to be secured in different ways. Nevertheless, virtually all connected assets use the Domain Name System (DNS) for address resolution, and DNS has thus become a convenient vehicle for attackers to covertly perform Command and Control (C&C) communication, data theft, and service disruption across a wide range of assets. Enterprise security appliances that monitor network traffic typically allow all DNS traffic through as it is vital for accessing any web service; they may at best match against a database of known malicious patterns, and are therefore ineffective against zero-day attacks. This thesis focuses on three high-impact cyber-attacks that leverage DNS, specifically data exfiltration, malware C&C communication, and service disruption. Using big data (over 10B packets) of DNS network traffic collected from a University campus and a Government research organization over a 6-month period, we illustrate the anatomy of these attacks, train machines for automatically detecting such attacks, and evaluate their efficacy in the field.

Xin Liu,Liang Zheng,Sumi Helal,Weishan Zhang,Chunfu Jia,Jiehan Zhou

DOI: https://doi.org/10.1016/j.dcan.2022.02.008

IF: 6.348

2022-01-01

Digital Communications and Networks

Abstract:The proliferation of Internet of Things (IoT) rapidly increases the possiblities of Simple Service Discovery Protocol (SSDP) reflection attacks. Most DDoS attack defence strategies deploy only to a certain type of devices in the attack chain,and need to detect attacks in advance, and the detection of DDoS attacks often uses heavy algorithms consuming lots of computing resources. This paper proposes a comprehensive DDoS attack defence approach which combines broad learning and a set of defence strategies against SSDP attacks, called Broad Learning based Comprehensive Defence (BLCD). The defence strategies work along the attack chain, starting from attack sources to victims. It defends against attacks without detecting attacks or identifying the roles of IoT devices in SSDP reflection attacks. BLCD also detects suspicious traffic at bots, service providers and victims by using broad learning, and the detection results are used as the basis for automatically deploying defence strategies which can significantly reduce DDoS packets. For evaluations, we thoroughly analyze attack traffic when deploying BLCD to different defence locations. Experiments show that BLCD can reduce the number of packets received at the victim to 39 without affecting the standard SSDP service, and detect malicious packets with an accuracy of 99.99%.

Marcin Nawrocki,John Kristoff,Raphael Hiesgen,Chris Kanich,Thomas C. Schmidt,Matthias Wählisch

DOI: https://doi.org/10.1109/EuroSP57164.2023.00041

2023-04-24

Abstract:In this paper, we revisit the use of honeypots for detecting reflective amplification attacks. These measurement tools require careful design of both data collection and data analysis including cautious threshold inference. We survey common amplification honeypot platforms as well as the underlying methods to infer attack detection thresholds and to extract knowledge from the data. By systematically exploring the threshold space, we find most honeypot platforms produce comparable results despite their different configurations. Moreover, by applying data from a large-scale honeypot deployment, network telescopes, and a real-world baseline obtained from a leading DDoS mitigation provider, we question the fundamental assumption of honeypot research that convergence of observations can imply their completeness. Conclusively we derive guidance on precise, reproducible honeypot research, and present open challenges.

Cryptography and Security,Networking and Internet Architecture

Zheng Liu,Mingwei Xu,Jiahao Cao,Qi Li

DOI: https://doi.org/10.1007/978-981-10-8890-2_37

2018-01-01

Abstract:Amplification attack, as a new kind of DDoS attack, is more destructive than traditional DDoS attack. Under the existing Internet architecture, it is difficult to find effective measures to deal with amplification attack. In this paper, we propose a two-phase reference detecting scheme by utilizing Software Defined Infrastructure capabilities: switch side is volume-based and controller side is feature-based. The proposed scheme is protocol-independent and lightweight, unlike most of the existing strategies. It can also detect amplification attack in the request phase for a small price, before these attacks cause actual harm. Upon the architecture, we design detection algorithms and a prototype system. Experimental results with both online and offline data sets show that the detection scheme is effective and efficient.

Eric Osterweil,Angelos Stavrou,Lixia Zhang

DOI: https://doi.org/10.48550/arXiv.1904.02739

2019-04-04

Networking and Internet Architecture

Abstract:Botnet Distributed Denial of Service (DDoS) attacks are now 20 years old; what has changed in that time? Their disruptive presence, their volume, distribution across the globe, and the relative ease of launching them have all been trending in favor of attackers. Our increases in network capacity and our architectural design principles are making our online world richer, but are favoring attackers at least as much as Internet services. The DDoS mitigation techniques have been evolving but they are losing ground to the increasing sophistication and diversification of the attacks that have moved from the network to the application level, and we are operationally falling behind attackers. It is time to ask fundamental questions: are there core design issues in our network architecture that fundamentally enable DDoS attacks? How can our network infrastructure be enhanced to address the principles that enable the DDoS problem? How can we incentivize the development and deployment of the necessary changes? In this article, we want to sound an alarm and issue a call to action to the research community. We propose that basic research and principled analyses are badly needed, because the status quo does not paint a pretty picture for the future.

Roberto Alonso,Raúl Monroy,Luis A Trejo

DOI: https://doi.org/10.3390/s16081311

2016-08-17

Abstract:The Domain Name System (DNS) is a critical infrastructure of any network, and, not surprisingly a common target of cybercrime. There are numerous works that analyse higher level DNS traffic to detect anomalies in the DNS or any other network service. By contrast, few efforts have been made to study and protect the recursive DNS level. In this paper, we introduce a novel abstraction of the recursive DNS traffic to detect a flooding attack, a kind of Distributed Denial of Service (DDoS). The crux of our abstraction lies on a simple observation: Recursive DNS queries, from IP addresses to domain names, form social groups; hence, a DDoS attack should result in drastic changes on DNS social structure. We have built an anomaly-based detection mechanism, which, given a time window of DNS usage, makes use of features that attempt to capture the DNS social structure, including a heuristic that estimates group composition. Our detection mechanism has been successfully validated (in a simulated and controlled setting) and with it the suitability of our abstraction to detect flooding attacks. To the best of our knowledge, this is the first time that work is successful in using this abstraction to detect these kinds of attacks at the recursive level. Before concluding the paper, we motivate further research directions considering this new abstraction, so we have designed and tested two additional experiments which exhibit promising results to detect other types of anomalies in recursive DNS servers.