M. Anagnostopoulos, G. Kambourakis, S. Gritzalis, David K. Y. Yau
Title: Never say never: Authoritative TLD nameserver-powered DNS amplification
DOI: 10.1109/NOMS.2018.8406224 (https://doi.org/10.1109/NOMS.2018.8406224)
Venue: NOMS 2018 - 2018 IEEE/IFIP Network Operations and Management Symposium, pages 1-9
Published: 2018-04-23
Open access: no
Citations: 5
Abstract
The DNS amplification attack is a significant and persistent threat to the Internet. Authoritative name servers (ANSes) of popular domains, especially DNSSEC-enabled ones, give attackers attractive leverage in distributed denial-of-service (DDoS) attacks. In particular, the ANS list of the top-level domains (TLDs) is publicly accessible, including to would-be attackers, in the form of the root.zone file. In this work, we examine the potential of TLD ANSes to be exploited as unknowing agents in DNS amplification attacks. Specifically, over a period of 12 months that covers two different versions of the root.zone file, we assess the amplification factor (AF) that these servers may provide to attackers when replying to both individual and multiple queries. We also measure the degree of actual adoption of the recommended response rate limiting (RRL) countermeasure by the ANSes. Our major findings are that (i) 70% of the distinct ANSes and 47% of the possible DNS queries for the TLDs produce a large AF that exceeds 60, (ii) 10% of the distinct ANSes reflect inbound network traffic and magnify it by a factor that exceeds 50, (iii) the number of ANSes most useful to the attacker, in terms of their role as amplifiers, appears to increase during the monitoring period, and (iv) a significant number of ANSes still do not implement RRL or leave it inactive.