Hosting open Domain Name System (DNS) resolvers has long been considered bad practice: it exposes infrastructure to abuse and can degrade service, including within the network that operates the resolver. I’m not talking about public DNS services, which are (in general) carefully operated and maintained, but about devices that, typically through misconfiguration, are exposed as open DNS resolvers and can be misused in Distributed Denial of Service (DDoS) attacks.
Researchers and operators have made efforts to reduce the number of (unnecessary) open resolvers. However, judging by the scale of recent attacks, the residual pool of open resolvers remains far larger than attackers need.
This prompted my colleagues and me at the University of Twente to think about how to further shrink the attack surface that open resolvers offer during DDoS attacks, specifically their amplification power. We recently experimented with open resolvers across the IPv4 address space to identify the differences in amplification power that we intuitively expected to find among them. Among our findings: we can reduce the overall potential of such attacks by 80% if we patch around 20% of the most potent amplifiers.
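To make the 80/20 finding concrete, here is an added illustration (not the study's code or data) of how an operator can rank resolvers by measured amplification factor and compute what share of the aggregate amplification potential a given fraction of hosts accounts for, and conversely how many hosts must be fixed to remove a target share of that potential. The measurements, the resolver labels, and the simplification of treating each resolver's potential as its amplification factor (response bytes per request byte) are constructed assumptions for this example, not values from the study.

```python
"""Added example: concentration of amplification potential across a resolver fleet.

Each resolver is summarised by the size of one probe query sent to it and the
size of the answer it returned. The amplification factor is the ratio of the
two. Summing factors over the fleet gives an (assumed, simplified) aggregate
amplification potential; ranking resolvers by factor shows how much of that
potential a small share of the most potent hosts holds, which is what decides
where remediation effort pays off most.
"""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Measurement:
    resolver: str        # placeholder label, not a real host
    request_bytes: int   # bytes of the probe query on the wire
    response_bytes: int  # bytes of the answer that came back


# Constructed sample data: ten resolvers probed with the same 64-byte query.
# Two hosts return very large answers; one returns less than it was sent
# (e.g. a short REFUSED reply), which is the no-amplification edge case.
SAMPLE: Sequence[Measurement] = (
    Measurement("r01", 64, 3840),
    Measurement("r02", 64, 2560),
    Measurement("r03", 64, 320),
    Measurement("r04", 64, 320),
    Measurement("r05", 64, 256),
    Measurement("r06", 64, 256),
    Measurement("r07", 64, 192),
    Measurement("r08", 64, 128),
    Measurement("r09", 64, 96),
    Measurement("r10", 64, 32),
)


def amplification_factor(m: Measurement) -> float:
    """Bytes returned per byte sent; values at or below 1.0 mean no amplification."""
    if m.request_bytes <= 0:
        raise ValueError("request size must be positive")
    return m.response_bytes / m.request_bytes


def _ranked_factors(measurements: Sequence[Measurement]) -> list[float]:
    """Amplification factors sorted from most to least potent."""
    return sorted((amplification_factor(m) for m in measurements), reverse=True)


def potential_covered(measurements: Sequence[Measurement], top_share: float) -> float:
    """Fraction of total amplification potential held by the top `top_share`
    of resolvers (by count) once they are ranked by amplification factor."""
    if not 0.0 <= top_share <= 1.0:
        raise ValueError("top_share must lie in [0, 1]")
    factors = _ranked_factors(measurements)
    if not factors:
        return 0.0
    k = round(top_share * len(factors))
    return sum(factors[:k]) / sum(factors)


def share_needed(measurements: Sequence[Measurement], target: float) -> float:
    """Smallest fraction of resolvers (most potent first) that must be fixed
    to remove at least `target` of the total amplification potential."""
    if not 0.0 <= target <= 1.0:
        raise ValueError("target must lie in [0, 1]")
    factors = _ranked_factors(measurements)
    if not factors:
        return 0.0
    total = sum(factors)
    removed = 0.0
    for fixed, f in enumerate(factors, start=1):
        removed += f
        if removed / total >= target:
            return fixed / len(factors)
    return 1.0


if __name__ == "__main__":
    for m in sorted(SAMPLE, key=amplification_factor, reverse=True):
        print(f"{m.resolver}: {amplification_factor(m):6.1f}x")
    print(f"top 20% of hosts hold {potential_covered(SAMPLE, 0.2):.0%} of potential")
    print(f"fixing {share_needed(SAMPLE, 0.8):.0%} of hosts removes 80% of potential")
```

In the constructed sample the two largest amplifiers hold exactly 80% of the fleet's potential, so `potential_covered(SAMPLE, 0.2)` returns 0.8 and `share_needed(SAMPLE, 0.8)` returns 0.2; on real measurements the curve is whatever the data says, and the same two functions tell an operator how far down the ranking remediation has to go.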