Post on 19-Dec-2015
Mitigating DNS DoS Attacks
Hitesh Ballani, Paul Francis(Cornell University)
Presenter: Zhenhua Liu
Date: Mar. 16th, 2009
Background Information
Motivation
Contributions
Implementation
Evaluation
Pros & Cons
Future Work
Overview
Domain Name System (DNS) is a hierarchical
naming system for computers, services, or any
resource participating in the Internet.
Translate Hostnames to IP addresses
( For example:
www.google.com to 74.125.95.147)
What’s DNS ?
How DNS works ?
A? www.sc.edu
198.41.0.5
204.74.113.1
129.252.189.62
“try 2
04.74.113.1”
“try 129.252.189.62”
“it’s at xxx.xx.xx.xxx”
“it’s at xxx.xx.xx.xxx”
Cache
Not Found
Store foundedIP Address
How Cache works ?
A? www.sc.edu
198.41.0.5
204.74.113.1
129.252.189.62
“it’s at xxx.xx.xx.xxx”
Cache
Found StoredIP Address
Flooding attack on DNS server
A? www.sc.edu
198.41.0.5
204.74.113.1
129.252.189.62
“try 2
04.74.113.1”
Cache
Not Found
Traversal fails
To alleviate the impact of flooding
attacks on DNS which prevent clients from
resolving resource records belonging to the
zone under attack.
Motivation
A new, robust Distribution
Infrastructure
Centralized data distribution
Peer-to-peer based data
distribution
Current Works
Modification on caching behavior
Discussion about benefits of Stale Cache
Evaluation on 65-day DNS trace
Trace-based simulation on memory requirement
Analysis on inaccuracy of Stale Cache
No adverse impacts by Changing DNS semantics
Contributions
Store those cached records in DNS
resolver whose TTL value has expired to a
Stale Cache instead of deleting them
directly.
Simple & Basic Idea
Behav. Change on DNS Resolver
A? www.sc.edu
198.41.0.5
204.74.113.1
129.252.189.62
“try 2
04.74.113.1”
Cache
Not Found
Traversal fails
Stale Cache
“it’s at xxx.xx.xx.xxx”
“try 129.252.189.62”
Expired
Cached
Record for
.sc.edu
Foun
d
“it’s at xxx.xx.xx.xxx”
Environment setup
DNS traffic: Cornell Computer Science Dpt.
Date: 11/21/2007 – 1/24/2008(65 days)
Different Factors
Stale cache size: from 1 to 30 days
Attack duration: 3, 6, 12 and 24 hours
Types of Query: NS-queries, A-queries
Attack scenario: root-server, TLD name server, 2nd level
nameserver
Evaluation
Assumption: none of nameservers are operational (unrealistic)
Result: those queries that cannot be answered based on the resolver cache can only rely on the stale cache
Purpose: use an extreme scenario to test limits of stale cache
Measurement Intro
Accurate Records:
responses based on the stale cache that match actual
responses from accessible nameservers
Inaccurate Records:
DNS records have been updated after last access by resolver;
The nameservers for the zone are currently inaccessible
Accurate vs. Inaccurate
Different Kinds of Queries
Figure 5: For(a) NS-queries and (b) A-queries, Fraction of Queries answered and Accurate Records when using a stale cache during an 3-hour attack
Pros Simplicity Incremental Deployment Motivation for Deployment
Cons Change DNS caching semantics Possibility of using inaccurate record Attacker may force the use of inaccurate
information
Pros & Cons
To conclude, Just a very Simple modification
on DNS resolver’s caching behavior is quite
effective in mitigating the impact of DoS attack
on DNS.
In future, if possible, implementing an add-
on to CoDNS resolution service based on this
method to test its efficacy while facing actual
attacks.
Conclusion & Future Work
DNS cache poisoning
Provides data to a DNS that did not
originate from authoritative DNS sources
Other Possible DNS attacks
Fast Flux
e.g. multiple individual nodes within the
network keep registering and de-registering their
constant changing addresses with short TTL
values as part of the DNS A record list for a
single DNS name.
Or, registering and de-registering their
addresses as part of the DNS NS record list for
the DNS zone.
Other Possible DNS attacks