Presentation is loading. Please wait.

Presentation is loading. Please wait.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu."— Presentation transcript:

1 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu

2 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Outline Domain Name Service(DNS) DDoS attacks on DNS Mitigate the DNS DDoS attack Method Evaluation Discussion Objections Conclusion Other types of DNS related attacks

3 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Domain name Service Three different kinds of addresses –Host names (e.g., www.cnn.com) –IP addresses (e.g., 64.236.16.20) –MAC addresses (e.g., 00-15-C5-49-04-A9) Domain Name Service(DNS) –Given a host name, provide the IP address –Given an IP address, provide the host name

4 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Domain Name System Computer science concepts underlying DNS –Indirection: names in place of addresses –Hierarchy: in names, addresses, and servers –Caching: of mappings from names to/from addresses DNS software components –DNS resolvers –DNS servers DNS caching based on time-to-live (TTL)

5 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Domain Name Service Traverse down hierarchy NXDOMAIN(Non-Existent Domain) =! Failure NS-record A-record

6 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DDoS Attack on DNS –Overload : high-level DNS server –Malfunction: of all its sub-zones due to its hierarchical infrastructure –Local resolver can use cached info to answer a query before TTL has expired, but it can be also configured to cache nothing. –Unavoidable: as DNS is public service for all

7 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating the DDoS Attack There have been a huge amount of researches try to mitigate this problem –Re-designs the DNS architecture –Change the original configuration –Add new mechanism to the original structure Stale cache

8 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating the DDoS Attack Pro: –low latency, one inquiry only –avoid multi-level DDoS attack –simplicity Con: –Hard to keep consistent –Autonomy Re-design the DNS infrastructure T. Deegan et. Al (2005)

9 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating the DDoS Attack Change the original configuration –Due to short TTL time, frequent refresh may cause DoS. –But too long TTL causes inconsistency. –TTL refresh TTL refresh keeps popular record alive in the cache. This is done when the record has just been queried –TTL Renewal Allow record to expire C times before it's removed from cache. There have been several proposals to determine how to increase and decrease the value of C. V. Pappas et. al. (2007)

10 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating the DDoS Attack Add new mechanism to the original structure K. Park et. Al. (2004) They build a trusted, closed and fast peer network with several local DNS resolvers to construct a Content Distributed Network (CDN) Run at background as a backup DNS known as coDNS. Building such trust-connected environment increase the system complexity When one of the peers is compromised, the trust connection will dissolve.

11 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Method Stale Cache: expunged cached records which TTL value has expired are stored in a separate stale cache Resolving Queries: when the process fails to contact all the name servers at any step, search the cache for required record. If it's found, the process can continue. The modification will take over only when the unavailability of name servers occurs

12 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Method Stale Clean-up: –Newly received response(including the negative response) evict the corresponding stale record –Note that new record will eventually be evicted to stale cache upon expiration of TTL. –For example, if the client received a negative response of ".edu", then sub-zone records such as "sc.edu" should all be evicted. –In this way, stale cache is always consistent to the latest authoritative information

13 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Method

14 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Evaluation Data Preparation: –Data was collected for a period of 65 days which consists of millions of queries and responses and a total of 4,478,731 unique names. Simulation: –Stale cache size : measure in terms of days from 1 to 30 instead of number of entries. –Attack duration : lasting for 3, 6,12 and 24 hours

15 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Is history useful –Is it worth to maintain history information? –Suppose none of namespace server is functional representing the extreme case of DDoS attack –All queries cannot be answered by resolver cache rely on simulated stale cache Queries answered by stale cache is less in case of shorter attack

16 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Is history useful –Accuracy is based on comparison between the response from stale cache and the actual response according to the traced data.

17 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Is history useful –A-query: looking for a IP address –NS-query: looking for IP of the sub-zone name-server –NS-records have higher TTL values, so resolver cache can answer most of NS-queries –IP of a host change more frequently, so A-queries got relatively lower accuracy. 3 hour attack

18 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Performance under various attack scenarios –When TLD is inaccessible, NS-query such as a.com and longer names will fail to resolve –Experiment is strict to two-level names. –NS-records for like ‘a.com’ that are frequently accessed trend to be cached and assigned a high TTL-value in resolver’s cache.

19 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Performance under various attack scenarios –if second-level name servers are inaccessible, NS- query such as b.a.com or longer name will fail –Those records tend to have lower TTL. –The gain by increasing the stale cache size diminish faster then the previous scenario

20 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Memory footprint –Maintain stale records for 30 days requires <313MB of storage space. –Previous results indicate practically maintain two week will be enough

21 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Discussion Some arguments in favor of Stale Cache –Does not change the basic protocol operation and infrastructure –Does not impose any extra load on DNS –Does not impact the latency of query resolution –Can be incrementally deployed

22 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections: Inaccurate Info Problem : records become inaccurate in stale cache, when : DNS records in question have been updated since the last access Name server for the zone is inaccessible. Solution Restrict the duration for records in stale cache to prevent false response. Make changes on the client side software to let it decide whether to use stale records based on user’s decision

23 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections : Autonomy Problem : zone operators' control over its sub-zones may be damaged due to stale records Rebuttal : This is not the case For example, '.sc.edu' want to kill its sub-zone 'engr.sc.edu‘ The resolver still need to access NS for info, thus NXDOMAIN is returned Stale record will be replace with this newly responded NXDOMAIN. Thus autonomy is not affected

24 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections Problem : Attacker attempting to force the use of inaccurate information For example 'sc.edu' may flood '.edu' to force the client to use the inaccurate record in stale cache, as '.edu' no longer responds. This often happens right after zone operator has updated its records. The incentive could be to prevent from being killed. Consequently the autonomy of zone operators is undermined Rebuttal : The sub-zones will stay alive only as long as the zone’s name servers are inaccessible. Countering DoS attack usually takes one or two days only.

25 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections : Latency Problem : Resolution latency in the face of an attack Using current timeout values would entail a high lookup latency in the face of attacks. The time to wait for the timeout of a NS before stale cache can take charge could be as long as 30 sec. For example, to resolve ‘a.com’, if the name servers for ‘.com’ and ‘a.com’ are both unavailable, resolver needs to wait for 60 sec for a reply. This can only be relieved by using aggressive values for these timers.

26 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections : Privacy Concern Problem : Privacy Concern When a resolver is compromised, the attacker can access the stale cache. The attack may use it to learn the web-access pattern. Fortunately, usually a lot of clients may attach to a resolver, thus individual client's information can hardly be extracted from stale cache.

27 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections Problem : DoS’ing the application servers –The modification does not reduce the vulnerability of name server to DoS attacks. –Rather, the methods make the availability of name server less critical and reduce the impact of DoS attacks on DNS. –Further more, if the application server and the name server share the same network bottleneck, then once the name server is flooded by DoS attack, resolving the name of the application server would be valueless, since network has been choked. –Highlighted as the future work.

28 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Objections : DNSSec friendly Problem : DNSSec friendly –In case a name server is not reachable, the records reading from stale cache ought to be classified as “Undetermined*”. –Thus, any DNSSec policies expressed by the resolver operator for undetermined records naturally apply to the stale records. –Undetermined records correspond to records resulting from a non-DNSSec lookup.

29 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Conclusion –A simple modification to the caching behavior at resolver side. –Evaluation based on DNS trace shows its effectiveness.

30 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Other DNS related attacks –DNS cache poisoning –DNS hijacking

31 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DNS cache poisoning –The attacker exploits a flaw in the DNS software. –If the server does not correctly validate DNS responses to ensure that they are from an authoritative the server will end up caching the incorrect entries locally –DNSSec can counter cache poisoning attacks. Secure DNS uses cryptographic electronic signatures signed with a trusted public key certificate to determine the authenticity of data.

32 UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering DNS hijacking Rogue DNS Server Change the default DNS servers assigned by your ISP to rogue DNS server in order to redirect user to malicious websites. Often by DNS-changing trojans Manipulation by ISPs ISPs such as Comcast, Time Warner use DNS hijacking for their own purpose, such as displaying advertisement or collecting statistics. DNS service providers to block access to selected domains as a form of censorship.

Download ppt "UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.

Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.

Domain Name System. DNS is a client/server protocol which provides Name to IP Address Resolution.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.

Naming Computer Engineering Department Distributed Systems Course Asst. Prof. Dr. Ahmet Sayar Kocaeli University - Fall 2014.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.

1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
Mitigating DNS DoS Attacks H. Ballani and P.Francis Presented for CSCE 715 class by Ahmad Almadhor On Nov. 4 th 2010.

Mitigating DNS DoS Attacks H. Ballani and P.Francis Presented for CSCE 715 class by Ahmad Almadhor On Nov. 4 th 2010.
Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.

Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.
Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.

Impact of Configuration Errors on DNS Robustness Vasileios Pappas, Zhiguo Xu, Songwu Lu, Daniel Massey, Andreas Terzis, Lixia Zhang SIGCOMM 2004 Presented.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.

Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.

DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
11.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,

11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.

NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g., www.yahoo.com.

1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,

Similar presentations

Ads by Google