
PhD Defence Ramin Yazdani | Proactively defending against DDoS attacks - Focusing on DNS reflection and amplification

Proactively defending against DDoS attacks - Focusing on DNS reflection and amplification

The PhD defence of Ramin Yazdani will take place in the Waaier Building of the University of Twente and can be followed by a live stream.

Ramin Yazdani is a PhD student in the Department of Design and Analysis of Communication Systems. (Co)Promotors are dr. A. Sperotto, prof.dr.ir. A. Pras and dr.ir. M. Jonker from the Faculty of Electrical Engineering, Mathematics and Computer Science.

The role of the Internet in our everyday life has transitioned over time, from being a tool for easier communication in its early stages to becoming a critical infrastructure for our societies. This has turned the Internet into an appealing target for cybercriminals, one of whose popular weapons is the Distributed Denial of Service (DDoS) attack. These attacks target the availability component of information security. The impact of a DDoS attack ranges from a short outage of a non-critical online service to something far more severe, such as malfunctions in critical infrastructure like power grids and water management systems.

Due to the heterogeneity and complexity of the Internet ecosystem, dreaming of an attack-free Internet is too optimistic in the short term. Thus, we need to come up with solutions that make it easier for us to tackle attacks and lower their potential impact. To do so, we advocate for collaborative efforts that can proactively prepare us against DDoS.

One way of doing this is to work as a community to patch vulnerable hosts that are misused in DDoS attacks. Considering the heterogeneity of the networks and hosts that need to be secured, we propose to handle hosts with a higher attack impact first. In this thesis, we conduct a study on DNS Reflection & Amplification (R&A), which is one of the most commonly seen DDoS attack vectors in the wild. In the context of DNS R&A attacks, our proposal to prioritize the mitigation of vulnerable hosts translates to prioritizing the mitigation of reflectors that could amplify attack traffic more than others. A prerequisite for such prioritized mitigation is intelligence about the differences among reflectors that determine their potential amplification power. Thus, in this thesis, we study different aspects (such as network connectivity, bandwidth amplification and packet amplification) that could diversify the attack power of open DNS resolvers.
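To make the prioritization idea concrete, the following is an added example (not code from the thesis or the research group) of how a network operator could rank open resolvers observed in their own measurements so that the highest-amplification ones are remediated first. It assumes the usual definitions from the amplification literature: the bandwidth amplification factor (BAF) is response bytes divided by request bytes, and the packet amplification factor (PAF) is the number of response packets per request packet. The measurements below are constructed sample values with placeholder resolver names; network connectivity, which the thesis also studies, is not modelled here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ReflectorMeasurement:
    """One open-resolver measurement (constructed sample, not thesis data)."""
    resolver: str          # placeholder identifier, not a real host
    request_bytes: int     # size of the single query sent to the resolver
    response_bytes: int    # total bytes the resolver sent back
    response_packets: int  # number of datagrams/fragments in the reply


# Constructed measurements: one query of 50 bytes sent to each resolver.
SAMPLE = [
    ReflectorMeasurement("resolver-B", 50, 500, 1),
    ReflectorMeasurement("resolver-C", 50, 1000, 1),
    ReflectorMeasurement("resolver-A", 50, 3000, 3),
    ReflectorMeasurement("resolver-D", 50, 2500, 1),
]


def bandwidth_amplification_factor(m: ReflectorMeasurement) -> float:
    """BAF: how many response bytes the reflector emits per request byte."""
    return m.response_bytes / m.request_bytes


def packet_amplification_factor(m: ReflectorMeasurement) -> float:
    """PAF: response packets per request packet (one request packet assumed)."""
    return m.response_packets / 1


def rank_reflectors(measurements):
    """Order reflectors so the largest potential amplifiers come first.

    BAF is the primary key; PAF breaks ties, since a fragmenting reflector
    also costs the victim more per-packet processing.
    """
    return sorted(
        measurements,
        key=lambda m: (bandwidth_amplification_factor(m),
                       packet_amplification_factor(m)),
        reverse=True,
    )


def coverage_of_top(measurements, k: int) -> float:
    """Share of the total exposed BAF removed by mitigating the top-k reflectors.

    This is the quantity that justifies prioritized mitigation: a small k
    often covers most of the exposed amplification potential.
    """
    ranked = rank_reflectors(measurements)
    total = sum(bandwidth_amplification_factor(m) for m in ranked)
    if total == 0:
        return 0.0
    top = sum(bandwidth_amplification_factor(m) for m in ranked[:k])
    return top / total


if __name__ == "__main__":
    for m in rank_reflectors(SAMPLE):
        print(f"{m.resolver}: BAF={bandwidth_amplification_factor(m):.1f} "
              f"PAF={packet_amplification_factor(m):.0f}")
    print(f"top-2 coverage: {coverage_of_top(SAMPLE, 2):.2%}")
```

With the constructed data, mitigating the top two of four reflectors already removes 11/14 of the exposed bandwidth amplification, which is the kind of figure an operator would use to decide how far down the list a notification campaign should go.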

A natural question that follows our reflector characterization is whether attackers already leverage such intelligence in practice. Our study shows that despite industry reports of record-breaking DDoS events, attackers do not use the full DNS R&A potential yet. This means that prioritizing efforts in reducing the exposed attack potential can prevent a greater impact of attacks. On the other hand, if we do not take any action, we should expect yet stronger DDoS attacks to emerge.

Finally, DDoS prevention and mitigation need to go hand in hand. While we need to collaborate with external networks to improve the overall hygiene of the Internet, we should also prepare our own networks for potential attacks. To increase the digital sovereignty of our societies, we advocate for collaborative DDoS mitigation in the form of an Anti-DDoS Coalition (ADC), a group of network operators collaborating to proactively increase the resilience of their infrastructure against DDoS attacks. This can reduce our dependency on a handful of hypergiant DDoS Protection Service (DPS) providers by sharing knowledge among network operators that might become victims of DDoS attacks in the future.