Characterizing Optimal DNS Amplification Attacks and Effective Mitigation

MacFarland, Douglas C.; Shue, Craig A.; Kalafut, Andrew J.

doi:10.1007/978-3-319-15509-8_2

Douglas C. MacFarland¹⁵,
Craig A. Shue¹⁵ &
Andrew J. Kalafut¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 8995))

Included in the following conference series:

International Conference on Passive and Active Network Measurement

2459 Accesses
20 Citations

Abstract

Attackers have used DNS amplification in over 34 % of high-volume DDoS attacks, with some floods exceeding 300 Gbps. The best current practices do not help victims during an attack; they are preventative measures that third-party organizations must employ in advance. Unfortunately, there are no incentives for these third parties to follow the recommendations. While practitioners have focused on reducing the number of open DNS resolvers, these efforts do not address the threat posed by authoritative DNS servers.

In this work, we measure and characterize the attack potential associated with DNS amplification, along with the adoption of countermeasures. We then propose and measure a mitigation strategy that organizations can employ. With the help of an upstream ISP, our strategy will allow even poorly provisioned organizations to mitigate massive DNS amplification attacks with only minor performance overheads.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Bright, P.: Spamhaus DDoS grows to Internet-threatening size, March 2013. http://arstechnica.com/security/2013/03/spamhaus-ddos-grows-to-internet-threatening-size/
Center for Measurement and Analysis of Network Data, Naval Postgraduate School: Spoofer project: State of IP spoofing, February 2014. http://spoofer.cmand.org/summary.php
CloudFlare: Cloudflare advanced ddos protection. https://www.cloudflare.com/ddos
Conrad, D.: Indicating resolver support of DNSSEC. IETF RFC 3225, December 2001
Google Scholar
Damas, J., Neves, F.: Preventing use of recursive nameservers in reflector attacks. IETF RFC 5358, October 2008
Google Scholar
Damas, J., Vixie, P.: Extension mechanisms for DNS (EDNS(0)). IETF RFC 6891, April 2013
Google Scholar
Elz, R., Bush, R., Bradner, S., Patton, M.: Selection and operation of secondary dns servers. IETF RFC 2182, July 1997
Google Scholar
Incapsula Inc: 2013–2014 ddos threat landscape report, April 2014. http://www.imperva.com/docs/RPT_2013-2014_ddos_threat_landscape.pdf
Kalafut, A.J., Shue, C.A., Gupta, M.: Touring DNS open houses for trends and configurations. IEEE/ACM Trans. Netw. PP(99), 1 (2011)
Google Scholar
Kührer, M., Hupperich, T., Rossow, C., Holz, T.: Exit from hell? reducing the impact of amplification ddos attacks. In: USENIX Security Symposium (2014)
Google Scholar
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)
Article Google Scholar
Prince, M.: Technical details behind a 400gbps NTP amplification DDoS attack, February 2014. http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack
Rossow, C.: Amplification hell: Revisiting network protocols for DDoS abuse. In: Network and Distributed System Security (NDSS) Symposium (2014)
Google Scholar
Shue, C., Kalafut, A.: Resolvers revealed: Characterizing DNS resolvers and their clients. ACM Trans. Internet Technol. (TOIT) 12(4), July 2013
Google Scholar
US-CERT: Smurf ip denial-of-service attacks. Advisory (CA-1998-01), January 1998. http://www.cert.org/historical/advisories/CA-1998-01.cfm
US-CERT: Dns amplification attacks. Alert (TA13-088A), July 2013. https://www.us-cert.gov/ncas/alerts/TA13-088A
US-CERT: NTP amplification attacks using CVE-2013-5211. Alert (TA14-013A), January 2014
Google Scholar
Vixie, P., Schryver, V.: Dns response rate limiting (DNS RRL), April 2012. http://ss.vix.su/~vixie/isc-tn-2012-1.txt

Download references

Author information

Authors and Affiliations

Worcester Polytechnic Institute, Worcester, MA, USA
Douglas C. MacFarland & Craig A. Shue
Grand Valley State University, Allendale, MI, USA
Andrew J. Kalafut

Authors

Douglas C. MacFarland
View author publications
You can also search for this author in PubMed Google Scholar
Craig A. Shue
View author publications
You can also search for this author in PubMed Google Scholar
Andrew J. Kalafut
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Craig A. Shue .

Editor information

Editors and Affiliations

University of Southern California, Marina Del Rey, California, USA
Jelena Mirkovic
New York University, New York, New York, USA
Yong Liu

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

MacFarland, D.C., Shue, C.A., Kalafut, A.J. (2015). Characterizing Optimal DNS Amplification Attacks and Effective Mitigation. In: Mirkovic, J., Liu, Y. (eds) Passive and Active Measurement. PAM 2015. Lecture Notes in Computer Science(), vol 8995. Springer, Cham. https://doi.org/10.1007/978-3-319-15509-8_2

Download citation

DOI: https://doi.org/10.1007/978-3-319-15509-8_2
Published: 04 March 2015
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-15508-1
Online ISBN: 978-3-319-15509-8
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics