Anomaly-based Filtering of Application-Layer DDoS Against DNS AuthoritativesJonas Bushart, Christian Rossow. "Anomaly-based Filtering of Application-Layer DDoS Against DNS Authoritatives". 8th IEEE European Symposium on Security and Privacy.
Authoritative DNS infrastructures are at the core of the Internet ecosystem. But how resilient are typical authoritative DNS name servers against application-layer Denial-of-Service attacks? In this paper, with the help of a large country-code TLD operator, we assess the expected attack load and DoS countermeasures. We find that standard botnets or even single-homed attackers can overload the computational resources of authoritative name servers—even if redundancy such as anycast is in place. To prevent the resulting devastating DNS outages, we assess how effective upstream filters can be as a last resort. We propose an anomaly detection defense that allows both, well-behaving high-volume DNS resolvers as well as low-volume clients to continue name lookups—while blocking most of the attack traffic. Upstream ISPs or IXPs can deploy our scheme and drop attack traffic to reasonable query loads at or below 100k queries per second at a false positive rate of 1.2 % to 5.7 % (median 2.4 %).
The source code and data for this project is available at https://github.com/jonasbb/DNS-Applayer-DDoS-Protection/. PDF BIB
Padding Ain’t Enough: Assessing the Privacy Guarantees of Encrypted DNSJonas Bushart, Christian Rossow. "Padding Ain’t Enough: Assessing the Privacy Guarantees of Encrypted DNS". 10th USENIX Workshop on Free and Open Communications on the Internet.
DNS over TLS (DoT) and DNS over HTTPS (DoH) encrypt DNS to guard user privacy by hiding DNS resolutions from passive adversaries. Yet, past attacks have shown that encrypted DNS is still sensitive to traffic analysis. As a consequence, RFC 8467 proposes to pad messages prior to encryption, which heavily reduces the characteristics of encrypted traffic. In this paper, we show that padding alone is insufficient to counter DNS traffic analysis. We propose a novel traffic analysis method that combines size and timing information to infer the websites a user visits purely based on encrypted and padded DNS traces. To this end, we model DNS Sequences that capture the complexity of websites that usually trigger dozens of DNS resolutions instead of just a single DNS transaction. A closed world evaluation based on the Tranco top-10k websites reveals that attackers can deanonymize test traces for 86.1 % of all websites, and even correctly label all traces for 65.9 % of the websites. Our findings undermine the privacy goals of state-of-the-art message padding strategies in DoT/DoH. We conclude by showing that successful mitigations to such attacks have to remove the entropy of inter-arrival timings between query responses.
The source code and data for this project is available. PDF BIB
DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS AuthoritativesJonas Bushart, Christian Rossow. "DNS Unchained: Amplified Application-Layer DoS Attacks Against DNS Authoritatives". 21st International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2018, Heraklion, Greece.
We present DNS Unchained, a new application-layer DoS attack against core DNS infrastructure that for the first time uses amplification. To achieve an attack amplification of 8.51, we carefully chain CNAME records and force resolvers to perform deep name resolutions—effectively overloading a target authoritative name server with valid requests. We identify 178508 potential amplifiers, of which 74.3% can be abused in such an attack due to the way they cache records with low Time-to-Live values. In essence, this allows a single modern consumer uplink to downgrade availability of large DNS setups. To tackle this new threat, we conclude with an overview of countermeasures and suggestions for DNS servers to limit the impact of DNS chaining attacks.
Optimizing Recurrent Pulsing Attacks using Application-Layer Amplification of Open DNS ResolversJonas Bushart. "Optimizing Recurrent Pulsing Attacks using Application-Layer Amplification of Open DNS Resolvers". 12th USENIX Workshop on Offensive Technologies (WOOT 18), Baltimore, MD, USA.
Shrew attacks or pulsing attacks are low-bandwidth network-level/layer-3 denial-of-service attacks. They target TCP connections by selectively inducing packet loss to affect latency and throughput. We combine the recently presented DNS CNAME-chaining attack  with temporal lensing , a variant of pulsing attacks, to create a new, harder to block attack. For an attack, thousands of DNS resolvers have to be coordinated. We devise an optimization problem to find the perfect attack and solve it by using a genetic algorithm. The results show pulses created with our attack are 14 times higher than the attacker’s average bandwidth. Finally, we present countermeasures applicable to pulsing and CNAME-chaining, which also apply to this attack.
Going Wild: Large-Scale Classification of Open DNS Resolvers Marc Kührer, Thomas Hupperich, Jonas Bushart, Christian Rossow, Thorsten Holz. "Going Wild: Large-Scale Classification of Open DNS Resolvers". 15th ACM Internet Measurement Conference, IMC 2015, Tokyo, Japan.
Since several years, millions of recursive DNS resolvers are-deliberately or not-open to the public. This, however, is counter-intuitive, since the operation of such openly accessible DNS resolvers is necessary in rare cases only. Furthermore, open resolvers enable both amplification DDoS and cache snooping attacks, and can be abused by attackers in multiple other ways. We thus find open recursive DNS resolvers to remain one critical phenomenon on the Internet.
In this paper, we illuminate this phenomenon by analyzing it from two different angles. On the one hand, we study the landscape of DNS resolvers based on empirical data we collected for over a year. We analyze the changes over time and classify the resolvers according to device type and software version. On the other hand, we take the viewpoint of a client and measure the response authenticity of these resolvers. Besides legitimate redirections (e.g., to captive portals or router login pages), we find millions of resolvers to deliberately manipulate DNS resolutions (i.e., return bogus IP address information). To understand this threat in more detail, we systematically analyze non-legitimate DNS responses and reveal open DNS resolvers that manipulate DNS resolutions to censor communication channels, inject advertisements, serve malicious files, perform phishing, or redirect to other kinds of suspicious or malicious activities.