Mitigating DNS DoS attacks

Published: 27 October 2008 Publication History

Abstract

This paper considers DoS attacks on DNS wherein attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to the zone and consequently, any of its sub-zones. We propose a minor change in the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached resource records whose TTL has expired; rather, such resource records are stored in a separate "stale cache". If, during the resolution of a query, a resolver does not receive any response from the nameservers that are responsible for authoritatively answering the query, it can use the information stored in the stale cache to answer the query. In effect, the stale cache is the part of the global DNS database that has been accessed by the resolver and represents an insurance policy that the resolver uses only when the relevant DNS servers are unavailable. We analyze a 65-day DNS trace to quantify the benefits of a stale cache under different attack scenarios. Further, while the proposed change to DNS resolvers also changes DNS semantics, we argue that it does not adversely impact any of the fundamental DNS characteristics such as the autonomy of zone operators and hence, is a very simple and practical candidate for mitigating the impact of DoS attacks on DNS.
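The caching change the abstract describes, as an added illustration that is not code from the paper: expired records are demoted into a separate stale cache rather than evicted, and that stale copy is served only when the authoritative nameservers return no response at all. The `Resolver`, `FakeAuthoritative` and `demo` names, the `www.example.test` zone data and the "down" flag that stands in for a flooded nameserver are all constructed for this example.

```python
"""Toy resolver with the "stale cache" fallback (added example, not the paper's code).
Names, records and the upstream behaviour are constructed for the demo."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Record:
    name: str
    rtype: str
    rdata: str
    ttl: int           # seconds
    fetched_at: float  # resolver clock when the record was received

    def expired(self, now: float) -> bool:
        return now >= self.fetched_at + self.ttl


class NoResponse(Exception):
    """Raised by the upstream query function when every nameserver times out."""


class Resolver:
    def __init__(self, query_upstream: Callable[[str, str], Optional[Record]]):
        self.query_upstream = query_upstream
        self.cache: dict = {}   # normal, TTL-bound cache
        self.stale: dict = {}   # expired records kept as insurance
        self.stale_hits = 0

    def resolve(self, name: str, rtype: str, now: float) -> Optional[Record]:
        key = (name, rtype)
        rec = self.cache.get(key)
        if rec is not None:
            if not rec.expired(now):
                return rec
            # Proposed change: demote the expired record instead of dropping it.
            self.stale[key] = self.cache.pop(key)
        try:
            fresh = self.query_upstream(name, rtype)
        except NoResponse:
            # Nameservers unreachable (e.g. under flood): serve the stale copy if any.
            stale_rec = self.stale.get(key)
            if stale_rec is not None:
                self.stale_hits += 1
            return stale_rec
        # Any answer (including a negative one) is authoritative; stale data must not override it.
        self.stale.pop(key, None)
        if fresh is None:
            return None
        fresh.fetched_at = now
        self.cache[key] = fresh
        return fresh


class FakeAuthoritative:
    """Constructed stand-in for a zone's nameservers; `down` simulates a flood."""

    def __init__(self):
        self.zone = {("www.example.test", "A"): ("192.0.2.10", 300)}
        self.down = False
        self.queries = 0

    def __call__(self, name: str, rtype: str) -> Optional[Record]:
        self.queries += 1
        if self.down:
            raise NoResponse()
        entry = self.zone.get((name, rtype))
        if entry is None:
            return None
        rdata, ttl = entry
        return Record(name, rtype, rdata, ttl, fetched_at=0.0)


def demo() -> dict:
    ns = FakeAuthoritative()
    r = Resolver(ns)
    first = r.resolve("www.example.test", "A", now=0.0)         # fetched and cached
    r.resolve("www.example.test", "A", now=100.0)               # fresh cache hit
    ns.down = True                                              # flood starts
    r.resolve("www.example.test", "A", now=200.0)               # still within TTL
    after_ttl = r.resolve("www.example.test", "A", now=400.0)   # expired -> stale fallback
    unknown = r.resolve("mail.example.test", "A", now=400.0)    # never cached -> fails
    ns.down = False
    recovered = r.resolve("www.example.test", "A", now=500.0)   # refreshed from upstream
    return {
        "first": first.rdata,
        "stale_served": after_ttl.rdata,
        "unknown_during_attack": unknown,
        "stale_hits": r.stale_hits,
        "upstream_queries": ns.queries,
        "recovered_at": recovered.fetched_at,
    }


if __name__ == "__main__":
    print(demo())
```

The run shows the property the abstract relies on: the stale cache only helps for names the resolver has already looked up (`mail.example.test` still fails during the outage), and a received answer, positive or negative, always wins over the stale copy, so zone operators keep control of what resolvers serve whenever their servers are reachable.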



Published In

CCS '08: Proceedings of the 15th ACM conference on Computer and communications security
October 2008
590 pages
ISBN:9781595938107
DOI:10.1145/1455770
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. DNS
  2. denial of service
  3. stale cache

Qualifiers

  • Research-article

Conference

CCS08

Acceptance Rates

CCS '08 Paper Acceptance Rate 51 of 280 submissions, 18%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 24
  • Downloads (last 6 weeks): 6
Reflects downloads up to 18 Nov 2024

Cited By

  • (2024) TuDoor Attack: Systematically Exploring and Exploiting Logic Vulnerabilities in DNS Response Pre-processing with Malformed Packets. 2024 IEEE Symposium on Security and Privacy (SP), DOI 10.1109/SP54263.2024.00172, pp. 4459-4477. Online publication date: 19-May-2024
  • (2024) A comprehensive review of vulnerabilities and AI-enabled defense against DDoS attacks for securing cloud services. Computer Science Review, DOI 10.1016/j.cosrev.2024.100661, vol. 53:C. Online publication date: 1-Aug-2024
  • (2023) Optimizing DNS Resolvers for High Loads. 2023 IFIP Networking Conference (IFIP Networking), DOI 10.23919/IFIPNetworking57963.2023.10186425, pp. 1-9. Online publication date: 12-Jun-2023
  • (2022) Hotlist and stale content update mitigation in local databases for DNS flooding attacks. Telecommunications Systems, DOI 10.1007/s11235-022-00950-x, vol. 81:3, pp. 417-430. Online publication date: 1-Nov-2022
  • (2021) Application Layer Denial-of-Service Attacks and Defense Mechanisms. ACM Computing Surveys, DOI 10.1145/3448291, vol. 54:4, pp. 1-33. Online publication date: 3-May-2021
  • (2021) B-DNS: A Secure and Efficient DNS Based on the Blockchain Technology. IEEE Transactions on Network Science and Engineering, DOI 10.1109/TNSE.2021.3068788, vol. 8:2, pp. 1674-1686. Online publication date: 1-Apr-2021
  • (2021) A wrinkle in time: a case study in DNS poisoning. International Journal of Information Security, DOI 10.1007/s10207-020-00502-x, vol. 20:3, pp. 313-329. Online publication date: 1-Jun-2021
  • (2020) Load Distributed and Benign-Bot Mitigation Methods for IoT DNS Flood Attacks. IEEE Internet of Things Journal, DOI 10.1109/JIOT.2019.2947659, vol. 7:2, pp. 986-1000. Online publication date: Feb-2020
  • (2020) Denial of service attack detection through machine learning for the IoT. Journal of Information and Telecommunication, DOI 10.1080/24751839.2020.1767484, vol. 4:4, pp. 482-503. Online publication date: 12-Jun-2020
  • (2019) Stress Tester and Network Emulator in Apache JMeter. 2019 PhotonIcs & Electromagnetics Research Symposium - Spring (PIERS-Spring), DOI 10.1109/PIERS-Spring46901.2019.9017650, pp. 3722-3726. Online publication date: Jun-2019
