Beware of IPs in Sheep’s Clothing: Measurement and Disclosure of IP Spoofing Vulnerabilities
October 11, 2021
Thursday, October 21st at 3pm, Conference Room
Advisor: Casey Deccio
MS Thesis Defense for Alden Hilton
Abstract:
Networks not employing destination-side source address validation (DSAV) expose themselves
to a class of pernicious attacks which could be prevented by filtering inbound traffic purporting to
originate from within the network. In this work, we survey the pervasiveness of networks
vulnerable to infiltration using spoofed addresses internal to the network. We issue recursive
Domain Name System (DNS) queries to a large set of known DNS servers world-wide using
various spoofed-source addresses. In late 2019, we found that 49% of the autonomous systems
we tested lacked DSAV. After a large-scale notification campaign run in late 2020, we repeated
our measurements in early 2021 and found that 44% of ASes lacked DSAV—though
importantly, as this is an observational study, we cannot conclude causality. As case studies
illustrating the dangers of a lack of DSAV, we measure susceptibility of DNS resolvers to cache
poisoning attacks and the NXNS attack, two attacks whose attack surface is significantly
reduced when DSAV is in place. We discover 309K resolvers vulnerable to the NXNS attack and
4K resolvers vulnerable to cache poisoning attacks, 70% and 59% of which would have been
protected had DSAV been in place.
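
The DSAV rule the abstract describes, sketched as an added example (not code from the thesis): a border check that drops packets arriving from outside while claiming an internal source, plus a check over packets seen inside the network that finds any the border should have dropped. The prefixes, interface labels, and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed prefixes (documentation ranges) standing in for a network's own address space.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8:1::/48")]


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    """True if addr falls inside one of the network's own prefixes (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in prefixes)


def dsav_verdict(src, ingress, prefixes=INTERNAL_PREFIXES):
    """DSAV at the border: drop traffic from outside that purports to originate inside."""
    if ingress == "external" and is_internal(src, prefixes):
        return "drop"
    return "accept"


def find_dsav_gaps(packets, prefixes=INTERNAL_PREFIXES):
    """Return packets observed inside the network that DSAV would have dropped.

    Any hit means the border accepted a spoofed internal source address.
    """
    return [p for p in packets if dsav_verdict(p["src"], p["ingress"], prefixes) == "drop"]


# Constructed sample: DNS queries as seen by an internal resolver, tagged with
# the side of the border they arrived from (hypothetical "ingress" label).
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "ingress": "external", "dst": "192.0.2.53"},       # outside client
    {"src": "192.0.2.10", "ingress": "internal", "dst": "192.0.2.53"},         # inside client
    {"src": "192.0.2.10", "ingress": "external", "dst": "192.0.2.53"},         # spoofed internal IPv4
    {"src": "2001:db8:1::25", "ingress": "external", "dst": "2001:db8:1::53"}, # spoofed internal IPv6
]

if __name__ == "__main__":
    for pkt in find_dsav_gaps(SAMPLE_PACKETS):
        print("border lacked DSAV for:", pkt["src"], "->", pkt["dst"])
```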