Large-scale empirical evaluation of DNS and SSDP amplification attacks

Reflection-based volumetric distributed denial-of-service (DDoS) attacks take advantage of the available to all(open) services to flood and possibly overpower a victim's server or network with an amplified amount oftraffic. This work concentrates on two key protocols in the assailants' quiver regarding DoS attacks, namelydomain name system (DNS) and simple service discovery protocol (SSDP). Our contribution spans three axes:(a) We perform countrywide IP address scans (probes) across three countries in two continents to locate devicesthat run open DNS or SSDP services, and thus can be effectively exploited in the context of amplificationattacks, (b) we fingerprint the discovered devices to derive information about their type and operating system,and (c) we estimate the amplification factor of the discovered reflectors through a dozen of diverse, suitablycrafted DNS queries and a couple of SSDP ones depending on the case. The conducted scans span fifteenmonths, therefore comparative conclusions regarding the evolution of the reflectors population over time, aswell as indirect ones regarding the security measures in this field, can be deduced. For instance, for DNS, it wascalculated that the third quartile of the amplification factor distribution remains more than 30 for customarilyexploited queries across all the examined countries, while in the worst case this figure can reach up to 70.The same figures for SSDP range between roughly 41 and 73 for a specific type of query. To our knowledge,this work offers the first full-fledged mapping and assessment of DNS and SSDP amplifiers, and it is thereforeanticipated to serve as a basis for further research in this ever-changing and high-stakes network security field