Olivier van der Toorn

DDoS attacks threaten Internet security and stability, with attacks reaching
the Tbps range. A popular approach involves DNS-based reflection and
amplification, a type of attack in which a domain name, known to return a large
answer, is queried using spoofed requests. Do the chosen names offer the
largest amplification, however, or have we yet to see the full amplification
potential? And while operational countermeasures are proposed, chiefly limiting
responses to ‘ANY’ queries, up to what point will these countermeasures be
effective? In this paper we make three main contributions. First, we propose
and validate a scalable method to estimate the amplification potential of a
domain name, based on the expected ANY response size. Second, we create
estimates for hundreds of millions of domain names and rank them by their
amplification potential. By comparing the overall ranking to the set of
domains observed in actual attacks in honeypot data, we show whether attackers
are using the most-potent domains for their attacks, or if we may expect larger
attacks in the future. Finally, we evaluate the effectiveness of blocking ANY
queries, as proposed by the IETF, to limit DNS-based DDoS attacks, by
estimating the decrease in attack volume when switching from ANY to other query
types. Our results show that by blocking ANY, the response size of domains
observed in attacks can be reduced by 57%, and the size of most-potent domains
decreases by 69%. However, we also show that dropping ANY is not an absolute
solution to DNS-based DDoS, as a small but potent portion of domains remains,
leading to an expected response size of over 2,048 bytes to queries other than

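To make the abstract's comparison concrete, the following is an added Python example (not code from the paper or its authors) that estimates the wire size of an ANY response against the largest single-type response for a constructed signed zone, and derives the amplification factor and the reduction obtained by refusing ANY. The zone contents, record sizes, and the assumptions that owner names are compressed to pointers and that both query and response carry an empty EDNS0 OPT record are assumptions for illustration, not measurements from the paper.

```python
from dataclasses import dataclass

HEADER_LEN = 12     # fixed DNS message header
OPT_RR_LEN = 11     # EDNS0 OPT record with empty RDATA (root name + fixed fields)
OWNER_PTR_LEN = 2   # owner name compressed to a pointer into the question section

@dataclass(frozen=True)
class RR:
    rtype: str        # record type, e.g. "A" or "RRSIG"
    rdata_len: int    # RDATA length in bytes on the wire
    covers: str = ""  # for RRSIG only: the type it signs

def name_len(name: str) -> int:
    """Uncompressed wire length of a name: one length byte per label plus the root byte."""
    return sum(1 + len(l) for l in name.rstrip(".").split(".") if l) + 1

def rr_len(rr: RR) -> int:
    """Owner pointer(2) + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA."""
    return OWNER_PTR_LEN + 10 + rr.rdata_len

def query_len(qname: str) -> int:
    """Size of the spoofed request: header + question + OPT (EDNS0 client)."""
    return HEADER_LEN + name_len(qname) + 4 + OPT_RR_LEN

def response_len(qname: str, qtype: str, zone: list) -> int:
    """ANY returns every record at the name; any other type returns that RRset plus its RRSIG."""
    if qtype == "ANY":
        answer = zone
    else:
        answer = [r for r in zone if r.rtype == qtype or (r.rtype == "RRSIG" and r.covers == qtype)]
    return HEADER_LEN + name_len(qname) + 4 + sum(rr_len(r) for r in answer) + OPT_RR_LEN

def amplification(qname: str, qtype: str, zone: list) -> float:
    """Bandwidth amplification factor: bytes reflected per byte of spoofed query."""
    return response_len(qname, qtype, zone) / query_len(qname)

def any_reduction(qname: str, zone: list) -> float:
    """Fraction by which the largest obtainable response shrinks once ANY is refused."""
    best_other = max(response_len(qname, t, zone) for t in {r.rtype for r in zone if r.rtype != "RRSIG"})
    return 1 - best_other / response_len(qname, "ANY", zone)

# Constructed zone for example.com (record sizes are illustrative, not measured).
SIGNER_LEN = name_len("example.com")
ZONE = [
    RR("A", 4), RR("AAAA", 16),
    RR("MX", 2 + name_len("mail.example.com")),
    RR("TXT", 1 + len("v=spf1 include:_spf.example.com ~all")),
    RR("DNSKEY", 4 + 260),  # 2048-bit RSA KSK
    RR("DNSKEY", 4 + 132),  # 1024-bit RSA ZSK
    *[RR("RRSIG", 18 + SIGNER_LEN + 128, covers=t) for t in ("A", "AAAA", "MX", "TXT")],
    RR("RRSIG", 18 + SIGNER_LEN + 256, covers="DNSKEY"),  # signed by the KSK
]
```

For this zone the ANY answer is 1572 bytes against a 40-byte query, while the largest non-ANY answer (DNSKEY) is 763 bytes, so refusing ANY removes roughly half of the reflected volume but still leaves a sizeable amplifier.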
Title: ANYway: Measuring the Amplification DDoS Potential of Domains
Authors: Olivier van der Toorn, Johannes Krupp, Mattijs Jonker, Roland van Rijswijk-Deij, Christian Rossow, and Anna Sperotto
Publication date: October 2021
Journal: 17th International Conference on Network and Service Management (CNSM 2021)