Mitigating DNS DoS attacks

This paper considers DoS attacks on DNS in which attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to that zone and, consequently, to any of its sub-zones. We propose a minor change in the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached resource records whose TTL has expired; rather, such resource records are stored in a separate "stale cache". If, during the resolution of a query, a resolver receives no response from the nameservers responsible for authoritatively answering the query, it can use the information stored in the stale cache to answer the query. In effect, the stale cache is the part of the global DNS database that has been accessed by the resolver, and it represents an insurance policy that the resolver draws on only when the relevant DNS servers are unavailable. We analyze a 65-day DNS trace to quantify the benefits of a stale cache under different attack scenarios. Further, while the proposed change to DNS resolvers also changes DNS semantics, we argue that it does not adversely affect any of the fundamental DNS characteristics, such as the autonomy of zone operators, and hence is a very simple and practical candidate for mitigating the impact of DoS attacks on DNS.
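The resolver behavior proposed above, as an added illustration that is not code from the paper: a simplified resolver keeps a normal TTL-bounded cache, moves expired records into a separate stale cache, and consults the stale cache only when the authoritative nameservers return nothing. The `StaleCacheResolver` class, the `query_upstream` callback standing in for the authoritative lookup, and the `example.com` records with `192.0.2.10` are all constructed for this example.

```python
import time
from typing import Callable, Dict, Optional, Tuple

Key = Tuple[str, str]                    # (owner name, record type)
Answer = Optional[Tuple[str, int]]       # (rdata, ttl), or None when no nameserver answers

class StaleCacheResolver:
    """Hypothetical resolver: expired records move to a stale cache instead of being evicted."""
    def __init__(self, query_upstream: Callable[[str, str], Answer], clock=time.time):
        self.query_upstream = query_upstream  # stand-in for querying the authoritative servers
        self.clock = clock
        self.cache: Dict[Key, Tuple[str, float]] = {}  # key -> (rdata, absolute expiry time)
        self.stale_cache: Dict[Key, str] = {}          # key -> rdata whose TTL already expired

    def _expire(self) -> None:
        now = self.clock()
        for key, (rdata, expiry) in list(self.cache.items()):
            if expiry <= now:
                del self.cache[key]
                self.stale_cache[key] = rdata  # kept as the "insurance policy"

    def resolve(self, name: str, rtype: str = "A") -> Tuple[Optional[str], str]:
        """Return (rdata, source); source is 'cache', 'authoritative', 'stale' or 'servfail'."""
        key = (name.lower().rstrip("."), rtype)
        self._expire()
        if key in self.cache:
            return self.cache[key][0], "cache"
        answer = self.query_upstream(name, rtype)
        if answer is not None:                     # nameservers reachable: normal DNS semantics
            rdata, ttl = answer
            self.cache[key] = (rdata, self.clock() + ttl)
            self.stale_cache.pop(key, None)
            return rdata, "authoritative"
        if key in self.stale_cache:                # nameservers silent: fall back to stale data
            return self.stale_cache[key], "stale"
        return None, "servfail"                    # never resolved before, nothing to fall back on

def demo() -> Tuple[tuple, tuple, tuple]:
    """Constructed scenario: one lookup before the flood, two after the zone's servers go silent."""
    clock, under_attack = [0.0], [False]
    def upstream(name: str, rtype: str) -> Answer:
        return None if under_attack[0] else ("192.0.2.10", 300)  # constructed A record, TTL 300 s
    r = StaleCacheResolver(upstream, clock=lambda: clock[0])
    before = r.resolve("www.example.com")       # ('192.0.2.10', 'authoritative')
    clock[0] += 301                              # TTL has now expired
    under_attack[0] = True                       # example.com nameservers flooded, no replies
    during = r.resolve("www.example.com")       # ('192.0.2.10', 'stale')
    unseen = r.resolve("mail.example.com")      # (None, 'servfail'): never cached, so no fallback
    return before, during, unseen
```

The last lookup shows the limit the abstract implies: the stale cache can only cover names the resolver has resolved before the attack.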
