Abstract

Ingress filtering, commonly referred to as Source Address Validation (SAV), is a practice aimed at discarding packets with spoofed source IP addresses at the network periphery. Outbound SAV, i.e., dropping traffic with spoofed source IP addresses as it leaves its source network, has received widespread attention in operational and research communities. It is one of the most effective ways to prevent Reflection-based Distributed Denial-of-Service (DDoS) attacks. Contrariwise, inbound SAV, i.e., dropping incoming spoofed traffic at the destination network edge, has received less attention, even though it provides protection for the deploying network. In this paper, we present the results of the Closed Resolver Project, our initiative aimed at finding networks without inbound SAV and raising awareness of the issue. We perform the first Internet-wide active measurement study to enumerate networks that enforce (or not) inbound SAV. We reach open and closed Domain Name System (DNS) resolvers in tested networks and determine whether they resolve requests with spoofed source IP addresses. Our method provides unprecedented insight into inbound SAV deployment by network operators, revealing 49% IPv4 and 26% IPv6 Autonomous Systems (AS) that suffer from a consistent or partial absence of inbound filtering. By identifying dual-stack DNS resolvers and ASes, we further show that inbound filtering is generally deployed consistently across IPv4 and IPv6. Finally, the lack of inbound SAV exposes 2.5M IPv4 and 100K IPv6 purportedly closed DNS resolvers to many types of external attacks, including NXNSAttack, zone poisoning, or zero-day vulnerabilities in DNS software.
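The following is an added illustration, not code from the paper or the Closed Resolver Project: a small model of why a "closed" resolver's source-address ACL protects it only when the network edge also enforces inbound SAV. The prefixes are documentation ranges standing in for a real network, and all function names and sample packets are hypothetical.

```python
import ipaddress

# Assumption: documentation prefixes stand in for the deploying network's own space.
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:1::/48")]

def is_internal(addr):
    """True if the claimed source address lies inside the network's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in INTERNAL_PREFIXES)

def resolver_acl_allows(src):
    """Closed resolver: serve only clients whose source address looks internal."""
    return is_internal(src)

def edge_inbound_sav_allows(src, arrived_on_external):
    """Inbound SAV: drop packets from outside that claim an internal source."""
    return not (arrived_on_external and is_internal(src))

def query_answered(src, arrived_on_external, inbound_sav):
    """Would the closed resolver end up resolving this query?"""
    if inbound_sav and not edge_inbound_sav_allows(src, arrived_on_external):
        return False  # dropped at the network edge, never reaches the resolver
    return resolver_acl_allows(src)

# Constructed sample packets: (label, claimed source, arrived on external interface)
PACKETS = [
    ("internal client v4",          "192.0.2.10",      False),
    ("external client v4",          "198.51.100.7",    True),
    ("external, internal src v4",   "192.0.2.53",      True),
    ("internal client v6",          "2001:db8:1::10",  False),
    ("external, internal src v6",   "2001:db8:1::53",  True),
]

def evaluate(inbound_sav):
    """Map each sample packet to whether the resolver answers it."""
    return {label: query_answered(src, ext, inbound_sav)
            for label, src, ext in PACKETS}

def exposed_without_sav():
    """Packets answered only because the edge does not enforce inbound SAV."""
    off, on = evaluate(False), evaluate(True)
    return sorted(label for label in off if off[label] and not on[label])

if __name__ == "__main__":
    for sav in (False, True):
        print("inbound SAV", "on " if sav else "off", evaluate(sav))
    print("exposed without inbound SAV:", exposed_without_sav())
```

Legitimate internal clients are answered in both configurations; only the externally arriving packets with internal source addresses change outcome, which is the condition the paper's measurement detects from outside.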
