A Simple Approach to DNS DoS Mitigation
Hitesh Ballani and Paul Francis, Cornell University
HotNets 2006
DoS attacks on DNS
Attack: Flood the nameservers of a DNS zone
Goal: Disrupt the resolution of
- The zone’s resource records
- And the records for any of the sub-zones
Attacks aplenty (some successful, others not!)
- Microsoft attacked (2001)
- DNS Root Servers attacked (2002)
- SCO attacked (2003)
- Akamai attacked (2004)
- Root Servers, TLDs and UltraDNS (2006)
Networking community to the rescue
- Kangasharju et al. [INFOCOM’00]
- Cox et al. [IPTPS’02]
- Theimer et al. [ICDCS’02]
- Ramasubramanian et al. [SIGCOMM’04]
- Handley et al. [HotNets’05]
- Deegan et al. [SIGCOMM CCR’05]
Decouple data distribution from authority hierarchy
Ensure availability of data distribution mechanism
- Centralized approaches
- Peer-to-peer approaches
A complementary tack to handle DoS attacks
Do away with the need for 100% availability
Clients are able to resolve a zone’s records even when the zone’s nameservers are not available
In this paper
A minor modification in the caching behavior of DNS resolvers
- Reduces the need for nameserver availability in the existing DNS framework
- Mitigates the impact of DoS attacks on DNS
Talk Outline
- Introduction
- DNS Resolvers Today
- Proposed Modification
- The Good
- The Bad and the Ugly
DNS Resolvers Today
[Figure: Client, Resolver with Cache, Root-Server, Nameserver (.edu TLD), Nameserver (.cornell.edu)]
Messages in the figure: A? www.cornell.edu; Lookup A? www.cornell.edu (in the resolver cache); NS? .edu; NS? .cornell.edu; A=128.253.161.221 www.cornell.edu; Traversal fails
Resolution Process
1. Lookup the resolver cache
2. Traverse down the DNS hierarchy
3. Traversal fails ⇒ Resolution fails
Resolver caching behavior
Cache responses for TTL period
Cached records expunged after their TTL expires
Proposed Modification
[Figure: Client, Resolver with Cache and Stale Cache, Root-Server, Nameserver (.edu TLD), Nameserver (.cornell.edu)]
Cached records expunged to a Stale Cache
Steps in the figure: stale records moved into the Stale Cache; Lookup .edu NS in the Stale Cache; Lookup successful
Modified Resolution Process
1. Lookup the resolver cache
2. Traverse down the DNS hierarchy
3. Traversal fails ⇒ Resolution can continue
Stale records for a zone used only when the nameservers for the zone are unavailable
Stale Cache Details
Expunging records from the Stale Cache
Responses from nameservers used to clean up the stale cache
Disk-based Stale Cache
Stale Cache lookups can be done while querying the nameservers
Proposed Modification: Pros
Increased DNS Robustness
- Nameserver availability less crucial
- Mitigates the impact of DoS attacks
Simplicity
- Does not change the basic protocol operation
- Does not impose any load on DNS
- Does not impact the query resolution latency
Incremental Deployment
- Motivation for deployment
|         | Autonomy | Obsolete | Attack | Latency | Too specific |
|---------|----------|----------|--------|---------|--------------|
| Ballani | ✓        |          |        |         |              |
| Vixie   | ✗        |          |        |         |              |

Greg Minshall’s former CEO: “. . . he would sign (almost) any contract, as long as he could get out of it in a finite period of time”
Zone Autonomy
Does the .com zone operator control access to the .xxx.com sub-zone?
Today: .xxx.com NS records expire after a TTL period
Proposed: Can respond with a NXDOMAIN for queries for .xxx.com
Zone operators still control access to their sub-zones
Autonomy Obsolete Attack Latency Too specific
Ballani ✓
Vixie ✗
Possibility of obsolete information being used
Obselete zone records used by a resolver only if
I Zone’s records have been updated since the lastaccess by the resolver
I Zone’s nameservers are inaccessible
![Page 30: A Simple Approach to DNS DoS Mitigationballani.azurewebsites.net/talks/talk-hotnets06-simple.pdf · DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the](https://reader034.vdocument.in/reader034/viewer/2022050420/5f8fbafca5325b08ec59ec74/html5/thumbnails/30.jpg)
Autonomy Obsolete Attack Latency Too specific
Ballani ✓
Vixie ✗
Possibility of obsolete information being used
Obselete zone records used by a resolver only if
I Zone’s records have been updated since the lastaccess by the resolver
I Zone’s nameservers are inaccessible
![Page 31: A Simple Approach to DNS DoS Mitigationballani.azurewebsites.net/talks/talk-hotnets06-simple.pdf · DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the](https://reader034.vdocument.in/reader034/viewer/2022050420/5f8fbafca5325b08ec59ec74/html5/thumbnails/31.jpg)
Autonomy Obsolete Attack Latency Too specific
Ballani ✓ ✗
Vixie ✗ ✓
Possibility of obsolete information being used
Obselete zone records used by a resolver only if
I Zone’s records have been updated since the lastaccess by the resolver
I Zone’s nameservers are inaccessible
Trade-off between the possibility of obsoleteinformation being used and the inability to resolvequeries
![Page 32: A Simple Approach to DNS DoS Mitigationballani.azurewebsites.net/talks/talk-hotnets06-simple.pdf · DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the](https://reader034.vdocument.in/reader034/viewer/2022050420/5f8fbafca5325b08ec59ec74/html5/thumbnails/32.jpg)
Autonomy Obsolete Attack Latency Too specific
Ballani ✓ ✗
Vixie ✗ ✓
Possibility of obsolete information being used
Obselete zone records used by a resolver only if
I Zone’s records have been updated since the lastaccess by the resolver
I Zone’s nameservers are inaccessible
Trade-off between the possibility of obsoleteinformation being used and the inability to resolvequeries
Use of stale cache could be restricted toInfrastructure Records
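The stale-cache behaviour of the Proposed Modification, the clean-up rule from Stale Cache Details (fresh responses evict stale entries) and the option just mentioned of restricting stale use to infrastructure records, as an added Python model. This is example code written for this page, not the authors' implementation: it models a single zone's nameservers without the root/TLD walk, takes "infrastructure records" to mean NS records, and constructs the class names, TTLs, the per-server timeout, the `ns1.cornell.edu` name and the updated address; `www.cornell.edu` and `128.253.161.221` are the talk's own values.

```python
# Toy model of the stale-cache resolver modification from the talk. Added
# example, not the authors' code: class names, TTLs, the NS name and the
# updated address are constructed; www.cornell.edu / 128.253.161.221 are the
# talk's own values.

class ToyNameserver:
    """Constructed authoritative server; up=False models a flooded server."""

    def __init__(self, records, up=True):
        self.records = records  # {(name, rtype): (rdata, ttl_seconds)}
        self.up = up

    def query(self, name, rtype):
        if not self.up:
            raise TimeoutError(f"no answer for {rtype}? {name}")
        return self.records.get((name, rtype))  # None = authoritative "no such record"

class FakeClock:
    """Deterministic clock so the demo can drive TTL expiry."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

INFRASTRUCTURE_TYPES = {"NS"}  # assumed meaning of the talk's "infrastructure records"

class StaleCacheResolver:
    def __init__(self, servers, clock, timeout=2.0, stale_only_infrastructure=False):
        self.servers = servers  # the one zone's nameservers (toy: no root/TLD walk)
        self.clock = clock
        self.timeout = timeout  # constructed per-server wait before giving up
        self.stale_only_infrastructure = stale_only_infrastructure
        self.cache = {}  # (name, rtype) -> (rdata, expires_at)
        self.stale = {}  # (name, rtype) -> rdata
        self.last_latency = 0.0  # seconds burnt on servers that never answered

    def _expunge_expired(self):
        # Today a resolver deletes expired records; the proposal moves them here.
        now = self.clock()
        for key, (rdata, expires_at) in list(self.cache.items()):
            if expires_at <= now:
                del self.cache[key]
                self.stale[key] = rdata

    def resolve(self, name, rtype):
        """Return (rdata, source); source is cache/authoritative/nxdomain/stale/failed."""
        self._expunge_expired()
        key, self.last_latency = (name, rtype), 0.0
        if key in self.cache:  # 1. lookup the resolver cache
            return self.cache[key][0], "cache"
        for server in self.servers:  # 2. every nameserver must be tried first
            try:
                answer = server.query(name, rtype)
            except TimeoutError:
                self.last_latency += self.timeout
                continue
            self.stale.pop(key, None)  # any fresh response cleans the stale cache
            if answer is None:
                return None, "nxdomain"
            rdata, ttl = answer
            self.cache[key] = (rdata, self.clock() + ttl)
            return rdata, "authoritative"
        # 3. traversal failed: only now may a stale record be used
        allowed = not self.stale_only_infrastructure or rtype in INFRASTRUCTURE_TYPES
        if allowed and key in self.stale:
            return self.stale[key], "stale"
        return None, "failed"

def demo():
    """A record survives a flood via the stale cache, then is refreshed and cleaned."""
    clock = FakeClock()
    ns = ToyNameserver({("www.cornell.edu", "A"): ("128.253.161.221", 60)})
    resolver = StaleCacheResolver([ns], clock)
    trace = [resolver.resolve("www.cornell.edu", "A")]  # authoritative
    trace.append(resolver.resolve("www.cornell.edu", "A"))  # cache hit
    clock.advance(120)  # TTL expired: the record moves to the stale cache
    ns.up = False  # the zone's nameserver is being flooded
    trace.append(resolver.resolve("www.cornell.edu", "A"))  # served stale
    ns.up = True
    ns.records[("www.cornell.edu", "A")] = ("128.253.161.222", 60)  # constructed update
    trace.append(resolver.resolve("www.cornell.edu", "A"))  # fresh answer, stale copy gone
    return trace

def demo_infrastructure_only():
    """Restricted mode: a stale NS record is used, a stale A record is not."""
    clock = FakeClock()
    ns = ToyNameserver({("cornell.edu", "NS"): ("ns1.cornell.edu", 300),  # constructed
                        ("www.cornell.edu", "A"): ("128.253.161.221", 60)})
    resolver = StaleCacheResolver([ns], clock, stale_only_infrastructure=True)
    resolver.resolve("cornell.edu", "NS")
    resolver.resolve("www.cornell.edu", "A")
    clock.advance(400)  # both TTLs expired
    ns.up = False
    return [resolver.resolve("cornell.edu", "NS"), resolver.resolve("www.cornell.edu", "A")]
```

The `last_latency` counter is what the Latency slide is about: with a real resolver, every nameserver of the zone times out before the stale entry is consulted, so the stale answer arrives only after `servers × timeout` seconds unless retry and timeout values are tightened. Fresh answers, positive or negative, always win over the stale copy, which is the clean-up rule of Stale Cache Details; the infrastructure-only mode is the narrower deployment the Obsolete slide suggests, trading away stale A answers to keep delegations resolvable.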
|         | Autonomy | Obsolete | Attack | Latency | Too specific |
|---------|----------|----------|--------|---------|--------------|
| Ballani | ✓        | ✗        | –      |         |              |
| Vixie   | ✗        | ✓        | –      |         |              |

Attackers forcing the use of obsolete records for a zone by
- Waiting for the zone’s records to be updated
- And then flooding the zone’s nameservers
|         | Autonomy | Obsolete | Attack | Latency | Too specific |
|---------|----------|----------|--------|---------|--------------|
| Ballani | ✓        | ✗        | –      | ✓       |              |
| Vixie   | ✗        | ✓        | –      | ✗       |              |

Resolution latency in the face of attacks
- Resolver must query each nameserver of a zone before using the zone’s records from the stale cache
- Given default resolver timeout configurations, this can lead to high resolution latencies
Alleviative: Resolvers configured with aggressive retry and timeout values
|         | Autonomy | Obsolete | Attack | Latency | Too specific |
|---------|----------|----------|--------|---------|--------------|
| Ballani | ✓        | ✗        | –      | ✓       | –            |
| Vixie   | ✗        | ✓        | –      | ✗       | –            |

DNS servers can still be overwhelmed
- Unable to update the zone’s records
Application servers can still be DoS’ed
- Do DNS servers and Application servers share the network bottleneck?
Future Work
Quantifying the benefits of the stale cache
- Currently collecting DNS traces at Cornell
- Simulate stale cache usage under different attack scenarios
Implementation
- As an add-on to the CoDNS service on PlanetLab
- Quantify benefits under real-world attacks
Summary
A minor modification in the caching behavior of DNS resolvers
- Resolvers evict expired records to a stale cache
- Stale records can only be used when nameservers are unavailable
- Reduces the need for nameserver availability in the existing DNS framework
Mitigates the impact of DoS attacks on DNS
- Modifies the DNS caching semantics
- Does not impact fundamental DNS characteristics
Thank You!