In this paper, we shed new light on the DNS amplification ecosystem, by studying complementary data sources, bolstered by orthogonal methodologies. First, we introduce a passive attack detection method for the Internet core, i.e., at Internet eXchange Points (IXPs). Surprisingly, IXPs and honeypots observe mostly disjoint sets of attacks: 96% of IXP-inferred attacks were invisible to a sizable honeypot platform. Second, we assess the effectiveness of observed DNS attacks by studying IXP traces jointly with diverse data from independent measurement infrastructures. We find that attackers efficiently detect new reflectors and purposefully rotate between them. At the same time, we reveal that attackers are a small step away from bringing about significantly higher amplification factors (14x). Third, we identify and fingerprint a major attack entity by studying patterns in attack traces. We show that this entity dominates the DNS amplification ecosystem by carrying out 59% of the attacks, and provide an in-depth analysis of its behavior over time. Finally, our results reveal that operators of various .gov names do not adhere to DNSSEC key rollover best practices, which exacerbates amplification potential. We can verifiably connect this operational behavior to misuses and attacker decision-making.
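The abstract's last finding, that leaving pre-rollover DNSKEY records published enlarges DNSKEY responses and so raises amplification potential, is easiest to see on the wire. The following is an added example written for this page, not code from the paper or its authors: it assembles a DNSKEY query with EDNS0 (4096-byte buffer, DO bit set, as a reflection attacker would send it) and a synthetic DNSKEY response in DNS wire format, then reports the bandwidth amplification factor (response bytes divided by query bytes). The zone name example.gov., the RSA-2048 KSK / RSA-1024 ZSK sizes, the key count in the "stale" zone and the resulting ratios are all constructed assumptions and are not measurements from the paper; the 14x figure in the abstract refers to the paper's own analysis, not to these numbers.

```python
"""
DNSKEY-response amplification estimator (added example, not from the paper).

Builds a DNSKEY query with EDNS0 and a synthetic DNSKEY response in DNS wire
format, then reports BAF = response bytes / query bytes. Key and signature
sizes follow RFC 3110 RSA encoding but are constructed assumptions; the zone
name example.gov. is a placeholder, not a zone studied in the paper.
"""
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
CLASS_IN = 1
ALGO_RSASHA256 = 8


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name (real responders compress, so real sizes run slightly smaller)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def opt_rr(udp_size: int = 4096, do_bit: bool = True) -> bytes:
    # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS field carries the UDP
    # payload size, TTL field carries ext-RCODE/version/flags (DO = 0x8000), empty RDATA.
    flags = 0x8000 if do_bit else 0
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, flags, 0)


def build_query(name: str, udp_size: int = 4096) -> bytes:
    """Minimal DNSKEY query: 12-byte header (RD set), one question, one OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return header + question + opt_rr(udp_size)


def rsa_public_key(modulus_bits: int) -> bytes:
    # RFC 3110: exponent length (1 byte) + exponent 65537 (3 bytes) + modulus; modulus bytes are constructed filler.
    return b"\x03" + b"\x01\x00\x01" + b"\xaa" * (modulus_bits // 8)


def dnskey_rr(name: str, key: bytes, flags: int, ttl: int = 3600) -> bytes:
    rdata = struct.pack("!HBB", flags, 3, ALGO_RSASHA256) + key  # flags, protocol=3, algorithm
    return encode_name(name) + struct.pack("!HHIH", TYPE_DNSKEY, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_rr(name: str, sig: bytes, ttl: int = 3600) -> bytes:
    labels = len(name.rstrip(".").split("."))
    # type covered, algorithm, labels, original TTL, expiration, inception, key tag
    # (timestamps and key tag are constructed zeros), then signer name and signature.
    rdata = struct.pack("!HBBIIIH", TYPE_DNSKEY, ALGO_RSASHA256, labels, ttl, 0, 0, 0)
    rdata += encode_name(name) + sig
    return encode_name(name) + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, ttl, len(rdata)) + rdata


def build_dnskey_response(name: str, n_ksk: int, n_zsk: int) -> bytes:
    """DNSKEY RRset with n_ksk RSA-2048 KSKs and n_zsk RSA-1024 ZSKs; each KSK contributes one RRSIG."""
    records = b"".join(dnskey_rr(name, rsa_public_key(2048), 257) for _ in range(n_ksk))
    records += b"".join(dnskey_rr(name, rsa_public_key(1024), 256) for _ in range(n_zsk))
    records += b"".join(rrsig_rr(name, b"\x55" * 256) for _ in range(n_ksk))
    header = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 2 * n_ksk + n_zsk, 0, 1)  # QR|AA|RD|RA
    question = encode_name(name) + struct.pack("!HH", TYPE_DNSKEY, CLASS_IN)
    return header + question + records + opt_rr()


def amplification_factor(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


def rollover_comparison(name: str = "example.gov.") -> dict:
    """BAF for a tidy zone (one KSK, one ZSK) versus one that kept pre-rollover keys published."""
    query = build_query(name)
    tidy = build_dnskey_response(name, n_ksk=1, n_zsk=1)
    stale = build_dnskey_response(name, n_ksk=2, n_zsk=3)  # assumed leftover keys after two rollovers
    return {
        "query_bytes": len(query),
        "tidy_bytes": len(tidy),
        "tidy_baf": amplification_factor(query, tidy),
        "stale_bytes": len(stale),
        "stale_baf": amplification_factor(query, stale),
    }


if __name__ == "__main__":
    for key, value in rollover_comparison().items():
        print(f"{key:12} {value}")
```

The 40-byte query is the attacker's cost per reflection; everything the resolver adds to the DNSKEY RRset is paid for by the victim. Removing keys once a rollover completes (and keeping the number of RRSIGs over the DNSKEY RRset minimal) is the operator-side control the abstract refers to.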