Mitigating DNS DoS Attacks

Hitesh Ballani, Paul Francis(Cornell University)

Presenter: Zhenhua Liu

Date: Mar. 16th, 2009

Background Information

Motivation

Contributions

Implementation

Evaluation

Pros & Cons

Future Work

Overview

Domain Name System (DNS) is a hierarchical

naming system for computers, services, or any

resource participating in the Internet.

Translate Hostnames to IP addresses

( For example:

www.google.com to 74.125.95.147)

What’s DNS ?

How DNS works ?

A? www.sc.edu

198.41.0.5

204.74.113.1

129.252.189.62

“try 2

04.74.113.1”

“try 129.252.189.62”

“it’s at xxx.xx.xx.xxx”

“it’s at xxx.xx.xx.xxx”

Cache

Not Found

Store foundedIP Address

How Cache works ?

A? www.sc.edu

198.41.0.5

204.74.113.1

129.252.189.62

“it’s at xxx.xx.xx.xxx”

Cache

Found StoredIP Address

Flooding attack on DNS server

A? www.sc.edu

198.41.0.5

204.74.113.1

129.252.189.62

“try 2

04.74.113.1”

Cache

Not Found

Traversal fails

To alleviate the impact of flooding

attacks on DNS which prevent clients from

resolving resource records belonging to the

zone under attack.

Motivation

A new, robust Distribution

Infrastructure

Centralized data distribution

Peer-to-peer based data

distribution

Current Works

Modification on caching behavior

Discussion about benefits of Stale Cache

Evaluation on 65-day DNS trace

Trace-based simulation on memory requirement

Analysis on inaccuracy of Stale Cache

No adverse impacts by Changing DNS semantics

Contributions

Store those cached records in DNS

resolver whose TTL value has expired to a

Stale Cache instead of deleting them

directly.

Simple & Basic Idea

Behav. Change on DNS Resolver

A? www.sc.edu

198.41.0.5

204.74.113.1

129.252.189.62

“try 2

04.74.113.1”

Cache

Not Found

Traversal fails

Stale Cache

“it’s at xxx.xx.xx.xxx”

“try 129.252.189.62”

Expired

Cached

Record for

.sc.edu

Foun

d

“it’s at xxx.xx.xx.xxx”

Environment setup

DNS traffic: Cornell Computer Science Dpt.

Date: 11/21/2007 – 1/24/2008(65 days)

Different Factors

Stale cache size: from 1 to 30 days

Attack duration: 3, 6, 12 and 24 hours

Types of Query: NS-queries, A-queries

Attack scenario: root-server, TLD name server, 2nd level

nameserver

Evaluation

Assumption: none of nameservers are operational (unrealistic)

Result: those queries that cannot be answered based on the resolver cache can only rely on the stale cache

Purpose: use an extreme scenario to test limits of stale cache

Measurement Intro

Varying Stale cache size-1

Accurate Records:

responses based on the stale cache that match actual

responses from accessible nameservers

Inaccurate Records:

DNS records have been updated after last access by resolver;

The nameservers for the zone are currently inaccessible

Accurate vs. Inaccurate

Varying Stale cache size-2

Different Kinds of Queries

Figure 5: For(a) NS-queries and (b) A-queries, Fraction of Queries answered and Accurate Records when using a stale cache during an 3-hour attack

Attacking TLD nameserver

Attacking 2nd-level nameserver

Memory Requirement

Pros Simplicity Incremental Deployment Motivation for Deployment

Cons Change DNS caching semantics Possibility of using inaccurate record Attacker may force the use of inaccurate

information

Pros & Cons

To conclude, Just a very Simple modification

on DNS resolver’s caching behavior is quite

effective in mitigating the impact of DoS attack

on DNS.

In future, if possible, implementing an add-

on to CoDNS resolution service based on this

method to test its efficacy while facing actual

attacks.

Conclusion & Future Work

DNS cache poisoning

Provides data to a DNS that did not

originate from authoritative DNS sources

Other Possible DNS attacks

Fast Flux

e.g. multiple individual nodes within the

network keep registering and de-registering their

constant changing addresses with short TTL

values as part of the DNS A record list for a

single DNS name.

Or, registering and de-registering their

addresses as part of the DNS NS record list for

the DNS zone.

Other Possible DNS attacks