Estimating the Amplification Factor of Three Common Protocols in DRDoS Attacks
A Quantitative Analysis on the Weaponisation of Hosts Located in Greece
R. Toader (TU Delft - Electrical Engineering, Mathematics and Computer Science)
G. Smaragdakis – Mentor (TU Delft - Cyber Security)
H.J. Griffioen – Mentor (TU Delft - Cyber Security)
G. Iosifidis – Graduation committee member (TU Delft - Networked Systems)
Abstract
Distributed reflection denial-of-service (DRDoS) attacks are a type of cyberattack in which a malicious actor sends requests to public, open servers on behalf of the victim by spoofing the victim's IP address. The traffic generated by the corresponding responses is directed towards the victim (whose IP address appeared as the source address of the initial packets), potentially exhausting their bandwidth. These attacks have grown steadily more powerful over the years.
This thesis presents a measurement study of three well-known protocols, in which we assess the amplification potential of hosts located in Greece that run these protocols. We find that DNS remains the protocol most vulnerable to amplification; the top 250 hosts can cumulatively amplify traffic by 32,000×. Furthermore, we discover that the “ANY” query type and the improperly configured DNS extension mechanism (EDNS0) are two significant causes of DNS amplification. Lastly, we find hosts vulnerable to looping attacks, a novel threat in the context of DDoS attacks.