In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step removed from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names adhere to a DNSSEC key rollover scheme, which exacerbates amplification potential, and which we can verifiably connect to misuses and attacker decision-making.