Hitesh Ballani, Paul Francis (Cornell University). Presenter: Zhenhua Liu. Date: Mar. 16th, 2009.


1 Hitesh Ballani, Paul Francis (Cornell University). Presenter: Zhenhua Liu. Date: Mar. 16th, 2009

2
- Background Information
- Motivation
- Contributions
- Implementation
- Evaluation
- Pros & Cons
- Future Work

3
- The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet.
- It translates hostnames to IP addresses (for example, www.google.com to 74.125.95.147).

4 [Diagram] A? www.sc.edu: the resolver's cache has no entry, so it queries 198.41.0.5 ("try 204.74.113.1"), then 204.74.113.1 ("try 129.252.189.62"), then 129.252.189.62 ("it's at xxx.xx.xx.xxx"); the IP address found is stored in the cache.

5 [Diagram] A? www.sc.edu: the resolver's cache already holds the record, so it answers "it's at xxx.xx.xx.xxx" from the stored IP address without querying 198.41.0.5, 204.74.113.1 or 129.252.189.62.

6 [Diagram] A? www.sc.edu: the resolver's cache has no entry; 198.41.0.5 answers "try 204.74.113.1", but the next step of the traversal gets no answer, so the traversal fails.

7 To alleviate the impact of flooding attacks on DNS, which prevent clients from resolving resource records belonging to the zone under attack.

8
- A new, robust distribution infrastructure
  - Centralized data distribution
  - Peer-to-peer based data distribution

9
- Modification of the resolver's caching behavior
- Discussion of the benefits of the Stale Cache
- Evaluation on a 65-day DNS trace
- Trace-based simulation of the memory requirement
- Analysis of the inaccuracy of the Stale Cache
- No adverse impact from changing DNS semantics

10 Cached records in the DNS resolver whose TTL value has expired are moved to a Stale Cache instead of being deleted directly.

11 [Diagram] A? www.sc.edu: the resolver's cache has no entry, and the traversal fails after 198.41.0.5 answers "try 204.74.113.1". The resolver then consults the Stale Cache, finds the expired cached record for .sc.edu ("try 129.252.189.62"), queries 129.252.189.62 directly and answers "it's at xxx.xx.xx.xxx".
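A runnable model of the resolver behaviour on slides 10 and 11, added here as an illustration; it is not code from the paper or the presentation. `FakeAuthority`, `StaleCacheResolver`, the name www.example.test, the addresses and the 7-day stale-cache size are constructed for the example; switching the authority off stands in for nameservers taken out by a flooding attack, and the last lookup in `demo()` shows the inaccurate-record case: the zone changed while it was unreachable, so the stale answer no longer matches.

```python
from dataclasses import dataclass

@dataclass
class Record:
    value: str
    expires: float  # absolute time after which this record is no longer usable

class FakeAuthority:
    """Constructed stand-in for a zone's authoritative nameservers."""
    def __init__(self, zone, ttl):
        self.zone, self.ttl, self.up = dict(zone), ttl, True
    def lookup(self, name):
        if not self.up:  # flooded nameservers: the traversal fails
            raise TimeoutError("nameservers unreachable")
        return self.zone[name], self.ttl

class StaleCacheResolver:
    def __init__(self, authority, stale_days):
        self.auth = authority
        self.stale_ttl = stale_days * 86400  # stale cache size, in seconds
        self.cache, self.stale = {}, {}
    def resolve(self, name, now):
        """Return (answer, source); source is 'cache', 'fresh' or 'stale'."""
        rec = self.cache.get(name)
        if rec and rec.expires > now:
            return rec.value, "cache"
        if rec:  # TTL expired: move to the stale cache instead of deleting
            self.stale[name] = Record(rec.value, now + self.stale_ttl)
            del self.cache[name]
        try:
            value, ttl = self.auth.lookup(name)
        except TimeoutError:
            srec = self.stale.get(name)
            if srec and srec.expires > now:
                return srec.value, "stale"  # may be inaccurate if the zone changed
            raise  # nothing stale to fall back on: resolution fails
        self.cache[name] = Record(value, now + ttl)
        self.stale.pop(name, None)  # a fresh answer supersedes the stale copy
        return value, "fresh"

def demo():
    """Constructed scenario: fresh, cached, stale under attack, stale after a zone change."""
    auth = FakeAuthority({"www.example.test": "192.0.2.10"}, ttl=3600)
    r = StaleCacheResolver(auth, stale_days=7)
    q = lambda now: r.resolve("www.example.test", now)
    sources = [q(0)[1], q(1800)[1]]
    auth.up = False  # attack begins: the nameservers stop answering
    sources.append(q(7200)[1])
    auth.zone["www.example.test"] = "192.0.2.20"  # zone updated while unreachable
    answer, src = q(9000)
    return sources + [src], answer
```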

12
- Environment setup
  - DNS traffic: Cornell Computer Science Dept.
  - Date: 11/21/2007 – 1/24/2008 (65 days)
- Different factors
  - Stale cache size: from 1 to 30 days
  - Attack duration: 3, 6, 12 and 24 hours
  - Types of query: NS-queries, A-queries
  - Attack scenario: root server, TLD nameserver, 2nd-level nameserver

13
- Assumption: none of the nameservers is operational (unrealistic)
- Result: queries that cannot be answered from the resolver cache can rely only on the stale cache
- Purpose: use an extreme scenario to test the limits of the stale cache


15
- Accurate records: responses based on the stale cache that match the actual responses from accessible nameservers
- Inaccurate records: the DNS records have been updated since the resolver last accessed them, and the nameservers for the zone are currently inaccessible


17 Figure 5: For (a) NS-queries and (b) A-queries, fraction of queries answered and of accurate records when using a stale cache during a 3-hour attack


21
- Pros
  - Simplicity
  - Incremental deployment
  - Motivation for deployment
- Cons
  - Changes DNS caching semantics
  - Possibility of using an inaccurate record
  - An attacker may force the use of inaccurate information

22 To conclude, a very simple modification of the DNS resolver's caching behavior is quite effective in mitigating the impact of DoS attacks on DNS. Future work: if possible, implement an add-on to the CoDNS resolution service based on this method to test its efficacy against actual attacks.

23 DNS cache poisoning: provides data to a DNS cache that did not originate from authoritative DNS sources.

24 Fast flux: e.g. multiple individual nodes within the network keep registering and de-registering their constantly changing addresses, with short TTL values, as part of the DNS A record list for a single DNS name; or they register and de-register their addresses as part of the DNS NS record list for the DNS zone.

