Observing DNS Amplification Attacks with DNS Honeypot

Daisuke Makita 1,a) Katsunari Yoshioka 1 Tsutomu Matsumoto 1

Received: December 2, 2013, Accepted: June 17, 2014

Abstract: The Domain Name System (DNS) plays an important role in mapping domain names to their information, such as IP addresses, on the Internet. DNS is also used for malicious activities. In particular, DNS cache servers that allow recursive queries from anywhere on the Internet can be the root cause of a DNS amplification attack, a kind of Distributed Denial-of-Service attack. These days, the problems posed by DNS amplification attacks have become serious, and there is a compelling need for effective countermeasures. However, since the details of these attacks are not well studied or reported, it is important to observe and understand their trends and characteristics. In this paper, we propose the concept of a DNS honeypot, a method for observing malicious activities that abuse DNS servers. A DNS honeypot is a system based on a dummy DNS server that observes malicious activities abusing DNS servers on the Internet. The result of our experiment with DNS honeypots shows that our method is effective for observing and analyzing DNS amplification attacks. Through a long-term evaluation experiment over one year, we also analyze the trends and characteristics of the DNS amplification attacks that our DNS honeypots observed.

Keywords: DNS amplification attack, DNS honeypot

1 Yokohama National University, Yokohama, Kanagawa 240-8501, Japan.
a) makita-daisuke-jk@ynu.jp

© 2014 Information Processing Society of Japan
Fig. 1 Model of DNS amplification attack.
Fig. 2 Idea of our proposed method.
Fig. 3 Architecture of DNS honeypot and observation system.
Fig. 4 Implementation of DNS honeypot.
Table 1 Overview of observation points.
Table 2 Overview of DNS queries that DNS honeypots observed.
Fig. 5 Changes in the number of DNS queries that DNS honeypots observed (daily; axis of ordinate is logarithmic).
Fig. 6 Source countries of DNS queries (top 10).
Fig. 7 Source ASes of DNS queries (top 10).
Fig. 8 Domain names that DNS honeypot observed (top 10).
Table 3 Response sizes and amplification factors of domain names that DNS honeypots observed.
Fig. 9 Distribution of ID field's values in IP header (from 10001 to 11000; axis of ordinate is logarithmic).
Table 4 Response sizes and amplification factors of general domain names.
Fig. 10 Distribution of TTL values in IP header (axis of ordinate is logarithmic).
Fig. 11 Distribution of source port numbers in UDP header (from 25001 to 26000; axis of ordinate is logarithmic).
Fig. 12 Distribution of ID field's values in DNS header (from 10001 to 11000; axis of ordinate is logarithmic).
Table 5 Comparison of the number of DNS queries between darknet and DNS honeypot (October 2013).
Fig. 13 Case I: Changes in the number of queries that were observed in a DNS amplification attack against CloudFlare.
Fig. 14 Case I: Distribution of TTL field's values in DNS queries that were observed in a DNS amplification attack against CloudFlare.
Fig. 15 Case II: Changes in the number of queries that were observed in a DNS amplification attack to distributed network.
Fig. 16 Case II: Changes in source IP addresses of DNS queries that were observed in a DNS amplification attack to distributed network.
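To make the honeypot analysis in the abstract and captions concrete, here is an added example that is not code from the paper or its authors. It takes constructed query records of the kind a honeypot that logs its queries with tcpdump could extract from each packet, and computes the measures the tables and figures name: the amplification factor as response size over query size (Tables 3 and 4) and per-source summaries of the IP ID, IP TTL, UDP source port and DNS ID fields (Figs. 9 to 12). The record layout, the sample values, the thresholds and every function name are assumptions of this example.

```python
from collections import Counter, defaultdict

# Constructed sample records (not data from the paper). Each tuple is what a
# honeypot that captures queries with tcpdump could extract from one packet:
# (src_ip, ip_id, ip_ttl, udp_sport, dns_id, qname, qtype, query_len, response_len)
# where response_len is the size of the answer the dummy server would return.
SAMPLE_RECORDS = [
    # A source sending repeated ANY queries with sequential IP IDs, a fixed
    # TTL and a fixed UDP source port, as a single packet generator would.
    ("203.0.113.10", 10001, 108, 25001, 10001, "example-a.test", "ANY", 60, 3000),
    ("203.0.113.10", 10002, 108, 25001, 10002, "example-a.test", "ANY", 60, 3000),
    ("203.0.113.10", 10003, 108, 25001, 10003, "example-a.test", "ANY", 60, 3000),
    ("203.0.113.10", 10004, 108, 25001, 10004, "example-a.test", "ANY", 60, 3000),
    # Ordinary-looking queries from another host: varying IDs and ports, small answers.
    ("198.51.100.7", 5133, 54, 41022, 9901, "example-b.test", "A", 45, 120),
    ("198.51.100.7", 5210, 54, 51783, 2210, "example-b.test", "MX", 46, 200),
]


def amplification_factor(query_len, response_len):
    """Response bytes divided by query bytes, the metric of Tables 3 and 4."""
    if query_len <= 0:
        raise ValueError("query length must be positive")
    return response_len / query_len


def _is_sequential(values):
    """True if every value is exactly one more than the previous one."""
    return len(values) > 1 and all(b - a == 1 for a, b in zip(values, values[1:]))


def per_source_profile(records):
    """Summarise each source address along the header fields of Figs. 9 to 12."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec[0]].append(rec)
    profile = {}
    for src, recs in by_src.items():
        ip_ids = [r[1] for r in recs]
        dns_ids = [r[4] for r in recs]
        profile[src] = {
            "queries": len(recs),
            "any_fraction": sum(1 for r in recs if r[6] == "ANY") / len(recs),
            "ttl_values": sorted({r[2] for r in recs}),
            "sport_values": sorted({r[3] for r in recs}),
            "ip_id_sequential": _is_sequential(ip_ids),
            "dns_id_sequential": _is_sequential(dns_ids),
            "max_factor": max(amplification_factor(r[7], r[8]) for r in recs),
        }
    return profile


def ttl_histogram(records):
    """Number of queries per IP TTL value (the data behind a plot like Fig. 10)."""
    return dict(Counter(r[2] for r in records))


def suspected_amplification_sources(records, min_queries=3, min_factor=10.0):
    """Sources whose traffic looks like reflected amplification: many queries,
    mostly ANY, with an answer at least min_factor times larger than the query.
    In a reflection attack the source address is the spoofed victim, so this is
    a list of likely targets to notify, not a list of attackers."""
    hits = []
    for src, p in per_source_profile(records).items():
        if (p["queries"] >= min_queries and p["any_fraction"] >= 0.5
                and p["max_factor"] >= min_factor):
            hits.append(src)
    return sorted(hits)


if __name__ == "__main__":
    for src, p in per_source_profile(SAMPLE_RECORDS).items():
        print(src, p)
    print("TTL histogram:", ttl_histogram(SAMPLE_RECORDS))
    print("suspected amplification (victim addresses):",
          suspected_amplification_sources(SAMPLE_RECORDS))
```

The profile fields mirror the paper's observation that the header fields of a packet generator differ from those of a normal resolver (fixed TTL and source port, sequential ID values), and the amplification factor is what makes a domain name attractive for abuse. A honeypot that actually answers such queries must rate-limit its replies so that it does not itself become a usable reflector; the implementation section of the paper refers to iptables hashlimit rate-limiting of 1 pps per source address for this purpose.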
[1] Mockapetris, P.: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (RFC1035), IETF (online), available from http://www.ietf.org/rfc/rfc1035.txt (accessed 2013-11-24).
[2] JPCERT CC: DNS DDoS, available from http://www.jpcert.or.jp/at/2013/at130022.html (accessed 2013-11-24).
[3] Open Resolver Project, available from http://openresolverproject.org/ (accessed 2013-11-24).
[4] The Spamhaus Project, available from http://www.spamhaus.org/ (accessed 2013-11-24).
[5] CloudFlare: The DDoS That Almost Broke the Internet, available from http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet (accessed 2013-11-24).
[6] TrendLabs SECURITY BLOG: DNS Amp DDoS Spamhaus, available from http://blog.trendmicro.co.jp/archives/7012 (accessed 2013-11-24).
[7] Prolexic Technologies, available from http://www.prolexic.com/ (accessed 2013-11-24).
[8] Prolexic Technologies: Prolexic Stops Largest-Ever DNS Reflection DDoS Attack, available from http://www.prolexic.com/news-events-pr-prolexic-stops-largest-everdns-reflection-ddos-attack-167-gbps.html (accessed 2013-11-24).
[9] Kambourakis, G., Moschos, T., Geneiatakis, D. and Gritzalis, S.: Detecting DNS Amplification Attacks, CRITIS 2007, LNCS 5141, pp.185-196 (2008).
[10] Sun, C., Liu, B. and Shi, L.: Efficient and Low-Cost Hardware Defense Against DNS Amplification Attacks, Proc. IEEE Global Telecommunications Conference (GLOBECOM), pp.1-5 (2008).
[11] Oberheide, J., Karir, M. and Mao, Z.M.: Characterizing Dark DNS Behavior, DIMVA 2007, LNCS 4579, pp.140-156 (2007).
[12] DNS, CSS2013, pp.971-977 (2013).
[13] DoS/DDoS, Vol.54, No.5, pp.428-435 (2012).
[14] Internet Initiative Japan (IIJ): Internet Infrastructure Review (IIR), Vol.21, pp.28-31, available from http://www.iij.ad.jp/company/development/report/iir/021.html (accessed 2013-11-25).
[15] Prolexic Technologies: Second white paper in the DrDoS Attacks series: SNMP, NTP and CHARGEN attacks, available from http://www.prolexic.com/knowledgecenter-white-paper-series-snmp-ntp-chargen-reflectionattacks-drdos-ddos.html (accessed 2013-11-24).
[16] Ubuntu, available from http://www.ubuntu.com/ (accessed 2013-11-24).
[17] BIND, available from http://www.isc.org/ (accessed 2013-11-24).
[18] iptables, available from http://www.netfilter.org/projects/iptables/ (accessed 2013-11-24).
[19] tcpdump, available from http://www.tcpdump.org/ (accessed 2013-11-24).
[20] MaxMind: GeoLite Free Downloadable Databases, available from http://dev.maxmind.com/geoip/legacy/geolite/ (accessed 2014-04-06).
[21] nicter, available from http://www.nicter.jp/ (accessed 2013-11-24).
[22] NONSTOP, Vol.113, No.95, ICSS2013-15, pp.85-90 (2013).
[23] Alexa, available from http://www.alexa.com/ (accessed 2013-11-25).
[24] West, M. and McCann, S.: TCP/IP Field Behavior (RFC4413), IETF (online), available from http://www.ietf.org/rfc/rfc4413.txt (accessed 2013-11-25).
[25] Sebastian, A.: Default time to live (TTL) values, available from http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/ (accessed 2013-11-25).
[26] Atkins, D. and Austein, R.: Threat Analysis of the Domain Name System (DNS) (RFC3833), IETF (online), available from http://www.ietf.org/rfc/rfc3833.txt (accessed 2013-11-25).
[27] Hubert, B. and van Mook, R.: Measures for Making DNS More Resilient against Forged Answers (RFC5452), IETF (online), available from http://www.ietf.org/rfc/rfc5452.txt (accessed 2013-11-25).
[28] Vixie, P.: Extension Mechanisms for DNS (EDNS0) (RFC2671), IETF (online), available from http://www.ietf.org/rfc/rfc2671.txt (accessed 2013-11-25).
[29] CloudFlare, Inc., available from http://www.cloudflare.com/ (accessed 2013-11-27).
[30] JPRS: DDoS DNS DNS Amp, available from http://jprs.jp/related-info/guide/003.pdf (accessed 2013-11-29).
[31] JVN: JVN#62507275, available from http://jvn.jp/jp/jvn62507275/ (accessed 2013-11-29).
[32] Spitzner, L.: Honeypots: Definitions and Value of Honeypots, available from http://www.tracking-hackers.com/papers/honeypots.html (accessed 2013-11-26).