MADDVIPR: Mapping DNS DDoS Vulnerabilities to Improve Protection and Prevention
In collaboration with researchers from the University of Twente, Netherlands, we will perform a comprehensive analysis of DDoS attacks targeting the DNS and assess vulnerabilities that threaten the resilience of the DNS under such attacks.
Principal Investigators: kc claffy, Alberto Dainotti
Funding source: FA8750-19-2-0004
Period of performance: November 1, 2018 - January 31, 2022.
Project Summary
The Domain Name System (DNS) is one of the core Internet services. It provides the vital function of translating human readable domain names into IP addresses and supports most Internet applications, commercial content distribution platforms, and many security services. Distributed Denial of Service (DDoS) attacks against the DNS can therefore have devastating effects.
Rigorous and systematic measurement and analysis are essential for quantifying the risks of DDoS attacks against DNS and the benefits of proposed solutions. In this project we seek to develop and extend tools that generate actionable intelligence to support protecting the DNS against DDoS attacks, including, wherever possible, preventing such attacks before they occur. To attain this objective, we will:
- perform a systematic analysis of vulnerabilities in the current DNS using comprehensive active DNS measurement data from the OpenINTEL project that covers 60% of the global DNS name space;
- analyze the DNS DDoS ecosystem, identifying attack sources, targets, and characteristics;
- synthesize the resulting insights into a coherent unified view that considers both ongoing attacks and current vulnerabilities.
The results of this project will provide recommendations for protective measures that would help to minimize the risk and impact of DDoS attacks as well as yield clear guidance for improving DNS resilience.
Statement of Work
Task | Description | Outcome | Lead | Date | Status |
---|---|---|---|---|---|
Year 1: Identifying DNS Single-Points-of-Failure Vulnerabilities | | | | | |
1.1 | Background research on DNS vulnerabilities | Report | Univ. of Twente | Jan 31, 2019 | done |
1.2 | Identify DNS single-points-of-failure | Report | Univ. of Twente | Oct 31, 2019 | done |
Year 2: Data, DNS Vulnerabilities and the DNS DDoS Ecosystem | | | | | |
2.1 | Develop strategies to make OpenINTEL data available via IMPACT | Report | CAIDA | Apr 30, 2020 | done |
2.2 | Design and prototype DNSAttackStream | Software | CAIDA | Sep 30, 2020 | done |
2.3 | Identify DNS resilience vulnerabilities to DDoS attacks | Report | Univ. of Twente | Apr 30, 2020 Oct 31, 2020 | done |
Year 3: Designing and Prototyping MADDVIPR | | | | | |
3.1 | Describe actionable information to be provided as output | Report | Joint | Jan 31, 2021 | done |
3.2 | Design the MADDVIPR framework | Software | Joint | Apr 30, 2021 | done |
3.3 | Prototype MADDVIPR | Software | Joint | Oct 31, 2021 | done |
Year 4: Consolidation and Dissemination of Results | | | | | |
4.1 | Write Ph.D. Thesis | Report | Univ. of Twente | Oct 31, 2022 | |
4.2 | Provide actionable recommendations for DNS operators | Report | Joint | Jan 15, 2022 | |
Publications
- Investigating the impact of DDoS attacks on DNS infrastructure.
  R. Sommese, k. claffy, R. van Rijswijk-Deij, A. Chattopadhyay, A. Dainotti, A. Sperotto, M. Jonker. ACM Internet Measurement Conference (IMC), Oct 2022.
- Observable KINDNS: Validating DNS Hygiene.
  R. Sommese, M. Jonker, k. claffy. ACM Internet Measurement Conference (IMC) Poster, Oct 2022.
- Retroactive Identification of Targeted DNS Infrastructure Hijacking.
  G. Akiwate, R. Sommese, M. Jonker, Z. Durumeric, k. claffy, G. Voelker, S. Savage. ACM Internet Measurement Conference (IMC), Oct 2022.
- MAnycast2 - Using Anycast to Measure Anycast.
  R. Sommese, L. Bertholdo, G. Akiwate, M. Jonker, R. van Rijswijk-Deij, A. Dainotti, k. claffy, A. Sperotto. ACM Internet Measurement Conference (IMC), Oct 2020.
- Unresolved Issues: Prevalence, Persistence, and Perils of Lame Delegations.
  G. Akiwate, M. Jonker, R. Sommese, I. Foster, G. Voelker, S. Savage, k. claffy. ACM Internet Measurement Conference (IMC), Oct 2020.
- The Forgotten Side of DNS: Orphan and Abandoned Records.
  R. Sommese, M. Jonker, R. van Rijswijk-Deij, A. Dainotti, k. claffy, A. Sperotto. Workshop on Traffic Measurements for Cybersecurity, Jun 2020.
- When parents and children disagree: Diving into DNS delegation inconsistency.
  R. Sommese, G. Moura, M. Jonker, R. van Rijswijk-Deij, A. Dainotti, k. claffy, A. Sperotto. Passive and Active Measurement Conference (PAM), Mar 2020.
Acknowledgment of awarding agency's support
This material is based on research sponsored by the Department of Homeland Security (DHS) S&T cooperative agreement FA8750-19-2-0004. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS or the U.S. Government.
Additional Content
MADDVIPR: Mapping DNS DDoS Vulnerabilities to Improve Protection and Prevention - Proposal
The proposal “Mapping DNS DDoS Vulnerabilities to Improve Protection and Prevention”