Mitigating DNS DoS Attacks. Hitesh Ballani, Paul Francis


1 Mitigating DNS DoS Attacks. Hitesh Ballani, Paul Francis

2 Worcester Polytechnic Institute Outline: What is DNS? What is the Problem? Solution. Evaluation. Conclusions.

3 Domain Name System [Diagram: Client, DNS Resolver (Cache w/TTL), Root Nameserver, .edu TLD Nameserver, wpi.edu Nameserver; queries shown: A? users.wpi.edu, .edu?, wpi.edu?, users.wpi.edu?]

4 Domain Name System - Problem [Diagram: Client, DNS Resolver (Cache w/TTL), Root Nameserver, .edu TLD Nameserver, wpi.edu Nameserver; queries shown: A? users.wpi.edu, .edu?, wpi.edu?]

5 Domain Name System - Problem If the TTL has expired, a DNS resolver must rely on the availability of the authoritative nameservers. If any of the nameservers in the recursion chain are unavailable, resolution will fail. Thus, DoS attacks on nameservers can effectively ‘knock out’ a subset of the Internet.

6 Domain Name System - Solution The functionality to store old DNS lookups is already a component of DNS resolvers. Retain expired cached data beyond TTL in a ‘stale cache’. Use the stale cache as a ‘last resort’ if a step in the lookup chain is unresolvable.

7 Domain Name System - Solution [Diagram: Client, DNS Resolver (Cache w/TTL and Stale cache), Root Nameserver, .edu TLD Nameserver, wpi.edu Nameserver; queries shown: A? users.wpi.edu, .edu?, wpi.edu?; stale cache entries: wpi.edu?, users.wpi.edu?]

8 Additional Solution Parameters Whenever a nameserver is reached and a record updated, the stale cache must be cleared for that record. This guarantees that a stale cache record will always reflect the ‘last authoritative’ information our resolver saw.
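
The fallback and clearing rules from slides 6 and 8, as an added Python example that is not from the presentation or the authors' code. It models one record rather than every step of the lookup chain; `StaleCacheResolver`, `UpstreamDown`, the `upstream` callable and the `stale_days` retention window (the "stale cache size" used in the evaluation) are hypothetical names, and the sample record is constructed.

```python
import time

class UpstreamDown(Exception):
    """Raised by the upstream callable when no nameserver answers."""

class StaleCacheResolver:
    def __init__(self, upstream, stale_days=7, clock=time.time):
        self.upstream = upstream            # callable(name) -> (value, ttl_seconds)
        self.stale_window = stale_days * 86400
        self.clock = clock
        self.fresh = {}                     # name -> (value, expires_at)
        self.stale = {}                     # name -> (value, expired_at)

    def resolve(self, name):
        """Return (value, source): source is 'cache', 'authoritative' or 'stale'."""
        now = self.clock()
        entry = self.fresh.get(name)
        if entry and entry[1] <= now:       # TTL passed: retain, but only as stale
            self.stale[name] = self.fresh.pop(name)
        if name in self.fresh:
            return self.fresh[name][0], "cache"
        try:
            value, ttl = self.upstream(name)
        except UpstreamDown:
            entry = self.stale.get(name)
            # Last resort only, and only inside the retention window.
            if entry and now - entry[1] <= self.stale_window:
                return entry[0], "stale"
            self.stale.pop(name, None)
            raise
        # A nameserver answered: clear the stale copy for this record.
        self.stale.pop(name, None)
        self.fresh[name] = (value, now + ttl)
        return value, "authoritative"

if __name__ == "__main__":
    now, up = [0], [True]                   # constructed clock and outage switch
    def upstream(name):
        if not up[0]:
            raise UpstreamDown(name)
        return "192.0.2.10", 300            # constructed record, TTL 300 s
    r = StaleCacheResolver(upstream, stale_days=1, clock=lambda: now[0])
    print(r.resolve("users.wpi.edu"))       # answered by the nameserver
    now[0], up[0] = 400, False              # TTL expired, nameserver unreachable
    print(r.resolve("users.wpi.edu"))       # served from the stale cache
```

Returning the source alongside the value lets a caller log or alert on every answer served from the stale cache, which is where the accuracy concerns raised later in the deck apply.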

9 Solution Evaluation Collected DNS traffic at the Cornell Computer Science link to the Internet. 1300 hosts on the Cornell side of the link. Sixty-five days of collected data (21 Nov 2007 – 24 Jan 2008). 84,580,513 DNS queries / 53,848,115 DNS responses. This data was collected outside the first layer of resolvers, so client requests resolved by cache were not seen.

10 Solution Evaluation Two simulation parameters ─ Stale Cache Size: number of days beyond TTL to keep data in the stale cache (1-30 used) ─ Attack Duration: length of availability attack on DNS nameservers (3, 6, 12, 24 hours used)

11 Test 1 – No DNS Nameservers [Figure from “Mitigating DNS DoS Attacks”]

12 Test 2/3 – TLD/Second-level DoS [Figure from “Mitigating DNS DoS Attacks”]

13 Memory Footprint

14 Solution Evaluation - Pros The volume and accuracy of Stale Cache lookups demonstrate that this method can help DNS resilience in the face of a DoS attack. Does not impose additional DNS load. Does not affect query latency, since the new lookup occurs only when the ordinary lookup would have totally failed. Can be deployed incrementally.

15 Solution Evaluation – Cons Violates traditional DNS guarantee of accurate data outside of TTL period. ─ If DNS records have been changed since last access and outside of TTL, and ─ Zone nameservers are unavailable, ─ Stale Cache will return inaccurate DNS information. ─ Many DNS resolvers already disregard TTL, so server operators already have to prepare for incorrect resolutions, such as running duplicate servers for several weeks. Zone nameserver no longer has full control over sub-zone access. ─ Similar to above, a nameserver may not be able to NXDOMAIN a sub-zone if it is unreachable outside of TTL.

16 Solution Evaluation – Cons Both of the above concerns rely on using the inaccessibility of a Zone nameserver to cause the use of inaccurate data. This could be used in a timed attack by rogue subzones to force the inaccurate data to be used.

17 Conclusions The employment of a ‘stale cache’ at the DNS resolver level could significantly reduce the impact of DoS attacks on DNS nameservers. The primary drawback is the introduction of the possibility of inaccurate records being used if a record is updated and becomes inaccessible between resolver queries.

