Assistant professor Andrew Kalafut recently presented his work on DNS amplification attacks at the 2015 Passive and Active Measurement conference. Along with co-authors Craig Shue and Douglas MacFarland (from Worcester Polytechnic Institute), in this work Kalafut measured the potential of DNS amplification attacks, characterized the adoption of currently known defenses, and proposed a new defensive measure to mitigate the effects of these attacks.
DNS amplification attacks exploit the Domain Name System, an Internet-wide system of servers that translates domain names such as www.cis.gvsu.edu, which are readable and easy for humans to remember, into the IP addresses needed to direct traffic to the correct server. In a DNS amplification attack, the attacker takes advantage of the fact that DNS responses are typically much larger than DNS queries in order to direct an overwhelming amount of network traffic at a target while sending very little traffic himself. Kalafut and his co-authors found that an attacker could easily use DNS amplification to direct 1.4 GB of traffic towards a target while sending only 44 MB of traffic from computers the attacker controls.
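The measurement above is a ratio of bytes received by the target to bytes sent by the attacker. The following added example (not code from the paper or from Kalafut, Shue, and MacFarland) shows how a resolver operator could compute that same ratio from their own server logs to spot traffic that is being reflected. It assumes a hypothetical one-line-per-query log format (timestamp, client IP, query name, query type, query bytes, response bytes); the log lines, addresses, and thresholds are constructed for illustration.

```python
"""Amplification-ratio check over DNS server logs (added example, not the paper's code).

Assumed hypothetical log format, one line per query/response pair:
    <timestamp> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: one "client" repeatedly asking a large question,
# one ordinary client doing normal lookups. Sizes are illustrative.
SAMPLE_LOG = """\
2015-03-19T10:00:01 198.51.100.7 example.com. ANY 64 3120
2015-03-19T10:00:01 198.51.100.7 example.com. ANY 64 3120
2015-03-19T10:00:02 198.51.100.7 example.com. ANY 64 3120
2015-03-19T10:00:02 203.0.113.5 www.cis.gvsu.edu. A 58 74
2015-03-19T10:00:03 203.0.113.5 www.cis.gvsu.edu. AAAA 58 86
"""


@dataclass
class ClientStats:
    """Byte counts for one client address as seen by the resolver."""
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0

    @property
    def amplification(self) -> float:
        """Response bytes per query byte; 0.0 if nothing was received."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def amplification_factor(sent_bytes: float, received_bytes: float) -> float:
    """Ratio of traffic arriving at the target to traffic the sender emitted."""
    return received_bytes / sent_bytes


def parse_log(text: str) -> dict:
    """Aggregate query and response bytes per client address."""
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qname, _qtype, qbytes, rbytes = line.split()
        s = stats[client]
        s.queries += 1
        s.query_bytes += int(qbytes)
        s.response_bytes += int(rbytes)
    return dict(stats)


def flag_suspect_clients(stats: dict, min_ratio: float = 10.0, min_queries: int = 3) -> list:
    """Client addresses whose aggregate amplification is high and sustained.

    In a reflection attack the source address is spoofed, so the address
    flagged here is the likely target, not the attacker.
    """
    return sorted(
        client for client, s in stats.items()
        if s.queries >= min_queries and s.amplification >= min_ratio
    )


if __name__ == "__main__":
    # The paper's measurement: 44 MB sent, 1.4 GB delivered (decimal units assumed).
    print(f"paper ratio: {amplification_factor(44e6, 1.4e9):.1f}x")
    per_client = parse_log(SAMPLE_LOG)
    for client, s in per_client.items():
        print(f"{client}: {s.queries} queries, {s.amplification:.1f}x")
    print("suspect:", flag_suspect_clients(per_client))
```

Because the resolver only ever sees the spoofed source address, a high and sustained ratio identifies where responses are being reflected to rather than who is sending the queries; the operator's useful response is to limit what is sent to that address, not to treat it as the attacker.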
This work found existing mitigation measures for DNS amplification attacks to be only rarely used, and further, that one of the most widely suggested mitigation measures would be ineffective even if widely used. The new mitigation measure proposed by this work, unlike the previously known mitigations, can be used by an organization under attack to protect its own network without requiring the cooperation of unrelated organizations, and with very little performance impact (median 16 ms additional latency).
The full text of this work is available on Dr. Kalafut’s faculty web page.