论文信息 - Mitigating DNS random subdomain DDoS attacks by distinct heavy hitters sketches

Mitigating DNS random subdomain DDoS attacks by distinct heavy hitters sketches

Random Subdomain DDoS attacks on the Domain Name System (DNS) infrastructure are becoming a popular vector in recent attacks (e.g., recent Mirai attack on Dyn). In these attacks, many queries are sent for a single or a few victim domains, yet they include highly varying non-existent subdomains generated randomly. Motivated by these attacks we designed and implemented novel and efficient algorithms for distinct heavy hitters (dHH). A (classic) heavy hitter (HH) in a stream of elements is a key (e.g., the domain of a query) which appears in many elements (e.g., requests). When stream elements consist of ¡key, subkey¿ pairs, (¡domain, subdomain¿) a distinct heavy hitter (dhh) is a key that is paired with a large number of different subkeys. Our algorithms dominate previous designs in both the asymptotic (theoretical) sense and practicality. Specifically the new fixed-size algorithms are simple to code and with asymptotically optimal space accuracy tradeoffs. Based on these algorithms, we build and implement a system for detection and mitigation of Random Subdomain DDoS attacks. We perform experimental evaluation, demonstrating the effectiveness of our algorithms.

[1] Edith Cohen,et al. All-Distances Sketches, Revisited: HIP Estimators for Massive Graphs Analysis , 2013, IEEE Transactions on Knowledge and Data Engineering.

[2] Yizheng Chen,et al. DNS Noise: Measuring the Pervasiveness of Disposable Domains in Modern DNS Traffic , 2014, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[3] Yossi Matias,et al. New sampling-based summary statistics for improving approximate query answers , 1998, SIGMOD '98.

[4] P. Flajolet,et al. HyperLogLog: the analysis of a near-optimal cardinality estimation algorithm , 2007 .

[5] Dawn Xiaodong Song,et al. New Streaming Algorithms for Fast Detection of Superspreaders , 2005, NDSS.

[6] Edith Cohen,et al. Size-Estimation Framework with Applications to Transitive Closure and Reachability , 1997, J. Comput. Syst. Sci..

[7] Philippe Flajolet,et al. Probabilistic Counting Algorithms for Data Base Applications , 1985, J. Comput. Syst. Sci..

[8] Cristian Estan,et al. New directions in traffic measurement and accounting , 2001, IMW '01.

[9] Thomas Locher,et al. Finding heavy distinct hitters in data streams , 2011, SPAA '11.

[10] B. Rosén. Asymptotic Theory for Successive Sampling with Varying Probabilities Without Replacement, II , 1972 .

[11] Luca Trevisan,et al. Counting Distinct Elements in a Data Stream , 2002, RANDOM.