Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009.

Slides:



Advertisements
Similar presentations
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Advertisements

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
Mitigating DNS DoS Attacks H. Ballani and P.Francis Presented for CSCE 715 class by Ahmad Almadhor On Nov. 4 th 2010.
King : Estimating latency between arbitrary Internet end hosts Krishna Gummadi, Stefan Saroiu Steven D. Gribble University of Washington Presented by:
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Mitigating DNS DoS Attack Presented by Fei Hu.
Hands-On Microsoft Windows Server 2003 Networking Chapter 7 Windows Internet Naming Service.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.
Threat infrastructure: proxies, botnets, fast-flux
DNS Security Extensions (DNSSEC) Ryan Dearing. Topics History What is DNS? DNS Stats Security DNSSEC DNSSEC Validation Deployment.
Web Caching and CDNs March 3, Content Distribution Motivation –Network path from server to client is slow/congested –Web server is overloaded Web.
Domain Name System ( DNS )  DNS is the system that provides name to address mapping for the internet.
CSE 461 Section (Week 0x02). Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
COEN 445 Communication Networks and Protocols Lab 3
Domain Name Services Oakton Community College CIS 238.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Domain Name System (DNS)
Ch-9: NAME SERVICES By Srinivasa R. Gudipati. To be discussed.. Fundamentals of Naming Services Naming Resolution The Domain Name System (DNS) Directory.
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Got DNS? A review of Domain Name Services and how it impacts website developers. By Jason Baker Digital North.
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
CSUF Chapter 6 1. Computer Networks: Domain Name System 2.
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
DNS and C# SWE 344 Internet Protocols & Client Server Programming.
DNS: Domain Name System
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 7: Domain Name System.
Chapter 17 Domain Name System
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Zone Properties. Zone Properties Continued Aging allows zone to remove “stale” or “old” records for clients who have not updated within a certain period.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network, Enhanced Chapter 6: Name Resolution.
Chapter 29 Domain Name System (DNS) Allows users to reference computer names via symbolic names translates symbolic host names into associated IP addresses.
Domain Name System CH 25 Aseel Alturki
Fully Qualified Domain Names FQDNs. DNS Database A distributed, hierarchical database Resolves Fully Qualified Domain Names (FQDNs) to IP addresses –
Pharming Group 10: Phuc H. Dao Anita Lugonja. Motivation To give students an opportunity to learn about DNS poisoning To give students an opportunity.
Strong Cache Consistency Support for Domain Name System Xin Chen, Haining Wang, Sansi Ren and Xiaodong Zhang College of William and Mary, Williamsburg,
1 Kyung Hee University Chapter 18 Domain Name System.
CPSC 441: DNS 1. DNS: Domain Name System Internet hosts: m IP address (32 bit) - used for addressing datagrams m “name”, e.g., - used by.
Domain Name System (DNS). DNS Server Service Overview of Domain Name System What Is a Domain Namespace? Standards for DNS Naming.
Module 6: Designing Name Resolution. Module Overview Collecting Information for a Name Resolution Design Designing a DNS Server Strategy Designing a DNS.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Security in DNS(DNSSEC) Yalda Edalat Pramodh Pallapothu.
Computer Networks Fall, 2007 Prof Peterson. CIS 235: Networks Fall, 2007 Western State College How’s it going??
Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
DNS Measurement at a Root Server Nevil Brownlee, kc Claffy and Evi Nemeth Presented by Zhengxiang Pan Mar. 27 th, 2003.
BZUPAGES.COM. Presented to: Sir. Muizuddin sb Presented by: M.Sheraz Anjum Roll NO Atif Aneaq Roll NO Khurram Shehzad Roll NO Wasif.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
11.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 11: Introducing WINS, DNS,
1 CMPT 471 Networking II DNS © Janice Regan,
COMP2322 Lab 3 DNS Steven Lee Feb. 19, Content Understand the Domain Name System (DNS). Analyze the DNS protocol with Wireshark. 2.
COMP 431 Internet Services & Protocols
The Design and Implementation of a Next Generation Name Service for the Internet V. Ramasubramanian, E. Gun Sirer Cornell Univ. SIGCOMM 2004 Ciprian Tutu.
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Short Intro to DNS (part of Tirgul 9) Nir Gazit. What is DNS? DNS = Domain Name System. For translation of host names to IPs. A Distributed Database System.
1) The size of the Domain name system. 2) The main components of the Domain Naming System operation. 3) The function of the Domain Naming System. 4)Legislation.
CSE 461 Section. Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
Understand Names Resolution
DNS.
Mitigating DNS DoS Attacks
Windows Name Resolution
Computer Networks Presentation
Presentation transcript:

Hitesh Ballani, Paul Francis(Cornell University) Presenter: Zhenhua Liu Date: Mar. 16 th, 2009

 Background Information  Motivation  Contributions  Implementation  Evaluation  Pros & Cons  Future Work

 Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. Translate Hostnames to IP addresses ( For example: to )

A? “try ” “try ” “it’s at xxx.xx.xx.xxx” Cache Not Found Store founded IP Address

A? “it’s at xxx.xx.xx.xxx” Cache Found Stored IP Address

A? “try ” Cache Not Found Traversal fails

 To alleviate the impact of flooding attacks on DNS which prevent clients from resolving resource records belonging to the zone under attack.

 A new, robust Distribution Infrastructure  Centralized data distribution  Peer-to-peer based data distribution

 Modification on caching behavior  Discussion about benefits of Stale Cache  Evaluation on 65-day DNS trace  Trace-based simulation on memory requirement  Analysis on inaccuracy of Stale Cache  No adverse impacts by Changing DNS semantics

Store those cached records in DNS resolver whose TTL value has expired to a Stale Cache instead of deleting them directly.

A? “try ” Cache Not Found Traversal fails Stale Cache “it’s at xxx.xx.xx.xxx” “try ” Expired Cached Record for.sc.edu Found “it’s at xxx.xx.xx.xxx”

 Environment setup DNS traffic: Cornell Computer Science Dpt. Date: 11/21/2007 – 1/24/2008(65 days)  Different Factors Stale cache size: from 1 to 30 days Attack duration: 3, 6, 12 and 24 hours Types of Query: NS-queries, A-queries Attack scenario: root-server, TLD name server, 2 nd level nameserver

 Assumption: none of nameservers are operational (unrealistic)  Result: those queries that cannot be answered based on the resolver cache can only rely on the stale cache  Purpose: use an extreme scenario to test limits of stale cache

 Accurate Records: responses based on the stale cache that match actual responses from accessible nameservers  Inaccurate Records: DNS records have been updated after last access by resolver; The nameservers for the zone are currently inaccessible

Figure 5: For(a) NS- queries and (b) A-queries, Fraction of Queries answered and Accurate Records when using a stale cache during an 3- hour attack

 Pros  Simplicity  Incremental Deployment  Motivation for Deployment  Cons  Change DNS caching semantics  Possibility of using inaccurate record  Attacker may force the use of inaccurate information

To conclude, Just a very Simple modification on DNS resolver’s caching behavior is quite effective in mitigating the impact of DoS attack on DNS. In future, if possible, implementing an add-on to CoDNS resolution service based on this method to test its efficacy while facing actual attacks.

 DNS cache poisoning Provides data to a DNS that did not originate from authoritative DNS sources

 Fast Flux e.g. multiple individual nodes within the network keep registering and de-registering their constant changing addresses with short TTL values as part of the DNS A record list for a single DNS name. Or, registering and de-registering their addresses as part of the DNS NS record list for the DNS zone.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.