Mirrors in the Sky: On the Potential of Clouds in DNS Reflection-based Denial-of-Service Attacks


Clouds are likely to be well-provisioned in terms of network capacity by design. The rapid growth of cloud-based services means an increased availability of network infrastructure for all types of customers. However, it could also provide attackers opportunity to misuse cloud infrastructure to bring about attacks, or to target the cloud infrastructure itself. In this paper we study, focusing on DNS-based reflection DDoS attacks, how cloud networks can be misused to carry out attacks, with possible consequences for the internal cloud infrastructure itself. A straightforward way to misuse cloud infrastructure would be to host open DNS resolvers in the cloud – a phenomenon that we quantify in the paper. More importantly, we structurally analyze how the internal DNS infrastructure of a cloud can be misused. The novelty of this paper lies in identifying and formalizing six attack models for how DNS cloud infrastructure can be abused to bring about reflection attacks, and testing these increasingly complex and progressively specific models against real cloud providers. Our findings reveal that a steady average of 12% of open DNS resolvers are hosted in cloud or datacenter networks, which gives them well-provisioned network access. Much more worryingly, our results reveal that a number of providers, several of which among market leaders, expose parts of their DNS infrastructure to outsiders, allowing abuse against a provider’s infrastructure, its customers, as well as hosts in external networks. In the course of our study, we responsibly disclosed our findings to these providers.

25th International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2022)