Forward to hell? On the potentials of misusing transparent DNS forwarders in reflective amplification attacks

Abstract

The DNS service infrastructure is infamous for facilitating reflective amplification attacks. Various countermeasures including server shielding, access control, rate limiting, and protocol restrictions have been implemented. Still, the threat remains throughout the deployment of DNS servers. In this paper, we report on and evaluate the widely unnoticed threat that derives from transparent DNS forwarders, a widely deployed incompletely functional set of DNS components. DNS transparent forwarders guide DNS requests non-recursively, i.e., without rebuilding packets with correct source addresses. As such, transparent forwarders feed arbitrary DNS requests into (mainly powerful and anycasted) open recursive resolvers, which in the case of misuse participate unwillingly in distributed reflective amplification attacks. We show that transparent forwarders raise severe threats to the Internet infrastructure. They easily circumvent rate limiting, and achieve an additional, scalable impact via the DNS anycast infrastructure, which we empirically verified up to a factor of 14. Transparent forwarders can also bridge access to shielded recursive resolvers, making these protected infrastructure entities part of the global DNS attack infrastructure.