Hazardous Echoes: The DNS Resolvers that Should Be Put on Mute.

Connectionless networking protocols such as DNS continue to be widely misused for Reflection & Amplification (R&A) DDoS attacks. Early efforts to address the main cause of DNS-based R&A were focused on identifying and attempting to eradicate open DNS resolvers. One characteristic of open resolvers that has not received much attention so far is that – as a result of unexpected behavior – resolvers can react to a single query with multiple DNS responses. We refer to these as Echoing Resolvers. In this paper, we quantify the problem of echoing resolvers in the wild. We identify thousands of such resolvers on the Internet and show how some reply on the order of tens of thousands of times to a single query, further escalating the potential of R&A DDoS attacks. We analyze the cause of response repetition, study behavioral differences among echoing resolvers, and categorize resolvers on the basis of the underlying causes of the observed behavior. We show how the interplay between DNS traffic and the traversed networks is responsible for echoing resolvers. In particular, we identify IP broadcasting as a cause of echoing resolvers, on top of phenomena already described in the literature (e.g., routing loops). Furthermore, we show that using sensitive labels in queries can lead to a more powerful echoing effect while using different query types does not significantly affect echoing behavior. Finally, seeing how some underlying causes of response repetition also affect or can be turned against authoritative nameservers, we quantify the potential impact of echoing resolvers on these as well.