Mitigating DNS DoS Attacks

Presentation on theme: "Mitigating DNS DoS Attacks"— Presentation transcript:

1 Mitigating DNS DoS Attacks
Written by Hitesh Ballani and Paul Francis, Cornell University. Presented by Yinyan He, University of South Carolina. UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering

2 Outline
Introduction: What is DNS? What is DNS caching? How does DoS attack the DNS?
Research and discussion: How to mitigate DoS attacks on DNS? How does the stale cache work? How to demonstrate that the stale cache works well? What are the objections to the stale cache?
Related work
Future work

3 What is the Domain Name System?
Like a distributed phone book. DNS maintains a distributed database of network names and addresses; generally, it is used to map hostnames to IP addresses, or for the reverse mapping.
1) Directory service
2) Address resolution mechanism: translates host names, which are meaningful to humans, into the numerical identifiers associated with networking equipment, for the purpose of locating and addressing these devices worldwide.

4 What is DNS caching?
A DNS cache records entries that translate Internet hostnames to IP addresses. The Internet's DNS involves caching both on DNS servers and in the DNS resolver on the client side. These caches give DNS an efficient way to keep the Internet synchronized as the IP addresses of some servers change and as new servers come online.
The amount of time a record stays in the DNS cache depends on:
1) The time-to-live (TTL) assigned to the record stored in the DNS authoritative zone
2) The maximum value set by the operating system
The client side of the DNS is called a DNS resolver. It is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation), e.g., translation of a domain name into an IP address. A DNS server, also called a nameserver, provides translation services between these two namespaces. Because of the large volume of DNS requests, the designers wished to provide a mechanism to reduce the load on individual DNS servers: the local resolver records responses and subsequently consults its copy instead of initiating a new request upstream.

5 How does DoS attack the DNS? Flooding attack!
Prevent DNS requests from being served
Corrupt the configuration of a DNS component
Flooding-based distributed DoS attacks (CSL Technical Report SRI-CSL, July 27, 2005)

6 How to mitigate the DoS attack on the DNS?
New DNS architecture
Add a new mechanism to the original structure: modify the caching behavior of DNS resolvers, which makes nameserver availability less critical than before
Protect against flooding attacks by implementing a stale cache in the DNS resolver

7 How to mitigate the DoS attack? New centralized DNS architectures
Remove the unnecessary and inefficient distribution and recentralize the DNS. They replace all upper-level nameservers (server side) except the resolver with a large-scale, closely connected set of authoritative servers.
Advantages:
Reduced latency / only a single request is needed. The original DNS takes several steps to obtain the final result, and each step adds an interaction delay.
Simplicity / simple enough both to configure and to implement
Able to avoid multi-level DoS attacks. The original design is vulnerable to DoS because of its hierarchical structure.
Disadvantage: a totally new distribution mechanism / inconsistent and complex; the different nodes need to be kept consistent.
T. Deegan et al. (2005)

8 How does a DNS resolver work?
1. Look up the cache for a matching record. Return the response if a matching record is found.
2. If no matching record was found, the resolver uses the DNS resolution process to find it:
a) Determine the closest enclosing zone that matches the query (cornell.edu, then edu)
b) Starting from the closest enclosing zone, traverse down the DNS zone hierarchy by querying the subsequent sub-zones. The figure shows the case where the traversal fails, which is what happens under a DoS attack.
3. If there is no response after traversing down all possible sub-zones, return "failure" to indicate the unavailability of the nameservers of a zone.
They build a trusted, closed and fast peer network of several local DNS resolvers to construct a Content Distribution Network (CDN); DNS records spread through this small network.

9 How to modify the DNS resolver to work better?
Problem: attackers flood the nameservers of a zone as well as all its sub-zones to disrupt the resolution of records.
Method: change the caching behavior so that resolvers can cope with DNS flooding attacks when nameservers are unavailable.
Stale cache: cached records that have been expunged because their TTL value expired are stored in a separate stale cache.

10 How to modify the DNS resolver to work better?
Resolving queries: when the resolution process fails because the resolver is unable to contact all the nameservers at any step, search the stale cache for the required record. If such a record is found, the process can continue based on the stale record.

11 How to modify the DNS resolver to work better?
Stale cache clean-up
Newly received responses (negative responses included) are used to evict the corresponding stale records
A newly cached response is evicted to the stale cache on expiration of its TTL value
Example: if an NXDOMAIN response is received when querying .edu, it indicates that .sc.edu no longer exists, and this also leads to eviction of the existing nameserver record for .cornell.edu in the stale cache
Advantage: the clean-up process ensures that records in the stale cache always correspond to the latest authoritative information
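An added example, not code from the slides or from Ballani and Francis, modelling the stale-cache behaviour described in slides 9 to 11: records whose TTL has expired move to a separate stale cache, the stale cache is consulted only when normal resolution fails, and freshly received responses (NXDOMAIN included) evict the stale copies. The class name, the age bound on the stale cache (the "stale cache size" in days) and the upstream callback are assumptions made for the demo.

```python
NXDOMAIN = "NXDOMAIN"          # marker for a negative (name does not exist) response

class StaleCacheResolver:
    """Resolver cache plus a separate stale cache (assumed names; model only)."""

    def __init__(self, stale_max_age):
        self.cache = {}          # name -> (record, expires_at)
        self.stale = {}          # name -> (record, time the TTL expired)
        self.stale_max_age = stale_max_age   # stale cache "size" in seconds, e.g. 14 days

    def _expire(self, now):
        # Expired records are not dropped: they are evicted into the stale cache.
        for name, (rec, exp) in list(self.cache.items()):
            if exp <= now:
                del self.cache[name]
                self.stale[name] = (rec, exp)
        # Bound the stale cache by age so very old history is never served.
        for name, (rec, since) in list(self.stale.items()):
            if now - since > self.stale_max_age:
                del self.stale[name]

    def observe(self, name, record, ttl, now):
        """Clean-up: a freshly received response evicts the matching stale record."""
        self._expire(now)
        if record == NXDOMAIN:
            # The zone is gone: drop stale records for the name and everything under it.
            for n in list(self.stale):
                if n == name or n.endswith("." + name):
                    del self.stale[n]
            return
        self.stale.pop(name, None)
        self.cache[name] = (record, now + ttl)

    def resolve(self, name, now, upstream):
        """upstream(name) -> (record, ttl), or None when the nameservers cannot be reached."""
        self._expire(now)
        if name in self.cache:                      # step 1: fresh cache hit
            return self.cache[name][0], "cache"
        reply = upstream(name)                      # step 2: normal resolution
        if reply is not None:
            record, ttl = reply
            self.observe(name, record, ttl, now)
            return record, "upstream"
        if name in self.stale:                      # resolution failed: use history
            return self.stale[name][0], "stale"
        return None, "failure"                      # step 3: no nameserver, no history
```

The second return value says where the answer came from, which is the quantity the slides later measure (fraction answered from the stale cache).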

12 How to evaluate the advantage of a stale cache?
Data preparation: the trace was collected over a period of 65 days and consists of 84,580,513 DNS queries and 53,848,115 DNS responses for a total of 4,478,731 unique names.
Simulation:
Stale cache size: stale records are kept from 1 to 30 days
Attack duration: attacks lasting 3, 6, 12 and 24 hours

13 Is history useful?
Assume none of the DNS nameservers are operational because of a simulated DoS attack, so all queries that cannot be answered from the information cached at the resolvers rely on the simulated stale cache. We simulated this attack for varying attack durations and varying stale cache sizes. Here we focus on those queries that cannot be answered from the resolver cache, excluding the queries that have been answered by the resolver's cache.
The fraction of queries answered increases with the stale cache size
The effect diminishes beyond a 14-day stale cache

14 How to determine whether the stale cache works?
Compare the response based on the stale cache with the actual response from the nameserver for each query received during a simulated attack
A-query: for an IPv4 address
NS-query: for the nameservers responsible for a domain
The accuracy percentage increases with increasing stale cache size / the answer is more accurate because it is based on the more stable NS record as the cache size increases

15 How to determine whether the stale cache works?
A-query: looking up an IPv4 address
NS-query: looking up the nameservers responsible for a domain
NS records have higher TTL values than A records, thus most NS queries can be answered using the resolver cache. The accuracy of NS records is higher than that of A records.
The stale cache works! A significant fraction of queries is answered, and with high accuracy!

16 How does the stale cache work for other attack scenarios? The 2nd attack!
Clients are not able to access the TLD nameservers, which causes queries for any records corresponding to 2-level names (a.com) to fail.
Experiments are restricted to two-level names. Most queries were answered by the resolver cache, so the fraction of queries answered is not high (NS-queries), but it increases with the stale cache size.
The accuracy increases as well; a 14-day stale cache is 99.4% accurate.

17 How does the stale cache work for other attack scenarios? The 3rd attack!
When the second-level nameservers are inaccessible, queries for any records corresponding to a 3-level name (b.a.com) fail.
The fraction of queries answered increases with an increasing stale cache size, but the returns from increasing the stale cache size diminish much sooner than in the 2nd attack.

18 What is the memory requirement for the stale cache?
Very small memory footprint needed / a 30-day stale cache needs < 313 MB of storage space

19 Discussion: what are the advantages of the stale cache?
Simplicity: does not change the basic protocol operation and infrastructure; does not impose any load on DNS; does not impact the latency of query resolution
Incremental deployment: any single resolver can adopt this modification
Motivation for deployment: resolver operators have an incentive to switch to the modified resolver

20 Objections: Inaccurate information
Problems: a record in the stale cache will be inaccurate when
1) The DNS records for the zone in question have been updated since the last access by the resolver
2) The nameservers for the zone are currently inaccessible
Condition 1) can arise for several reasons: the nameservers for a zone have been moved, the service itself has migrated or there have been address space changes, DNS-based load balancing across the nameservers or the application servers, etc.
Solutions:
Restricting how long records stay in the stale cache can prevent inaccurate responses
Modify the DNS records used to balance clients
Apply the modified caching scheme to infrastructure records only (NS records and the corresponding A records)
Make changes to the client-side DNS software so that applications can decide whether or not to use the stale cache

21 Objections: Autonomy problem
Objection: allowing resolvers to store records after their TTL value has expired suggests that zone operators do not control access to their sub-zones; for instance, they would not be able to kill off their sub-zones when they wish to. A zone operator would lose autonomy over its sub-zones because of the new stale cache scheme. BUT this is not the case!
Explanation: the modification doesn't influence DNS's hierarchical resolution process; resolvers still need to go through the nameservers for a zone in order to access its sub-zones.
Example: if the operator for .edu needs to kill off the sub-zone .sc.edu, the resolver still needs to access the .edu nameservers for the NS record, and receives NXDOMAIN for the query. The stale record is then replaced by the newly received NXDOMAIN response.

22 Objections: Attackers attempting to force the use of inaccurate information
Example: the owner of the .sc.edu zone may flood the .edu nameservers to force the use of stale NS records for their zone, to prevent their zone from being killed. Such attackers keep track of updates to the records of a zone and flood the authoritative nameservers.
Answer: the sub-zone will only stay alive as long as the zone's nameservers are inaccessible. Countering a DoS flooding attack only takes one or two days, so the sub-zone would not be able to stay alive for long. The propagation of the update has only been delayed.

23 Objections: Privacy concerns
Problem: an attacker who compromises a resolver can access the whole stale cache and use it to learn web-access patterns
Explanation: the stale cache would not provide the attacker with information about queries from individual clients

24 Objections: Resolution latency
Problem: resolution latency occurs in the face of an attack. The resolver will incur a high lookup latency when using current timeout values; the resolver needs to wait 30 sec for the timeout of an NS record before the stale cache can take over.
Example: to query .sc.edu, if both .edu and .sc.edu are unavailable, resolvers need to wait 60 sec for a reply
Solution: most resolvers allow the retry and timeout values to be configured, hence the lookup latency problem can be solved by using aggressive values for these timers

25 Objections: DoS'ing the application servers
Problem: the new stale cache mechanism does not reduce the vulnerability of nameservers to DoS attacks
Explanation: the modification makes the availability of DNS nameservers less critical, thus reducing the impact of DoS attacks on DNS
Problem 2: if the application server and the corresponding nameserver share the same network bottleneck, then once the nameserver is flooded by a DoS attack, resolving the name of the application server is useless, since the flooding attack has choked the network.

26 Objections: Interaction with DNSSEC
Friendly to DNSSEC: if the resolver cannot reach the nameservers of a zone, the record is classified as "Undetermined". Any DNSSEC policies expressed by the resolver operator for undetermined records naturally apply to the stale records.

27 Summary
The modification to the caching behavior of DNS resolvers makes nameservers less critical, and is thus able to mitigate the impact of DoS attacks
They analyzed a 65-day DNS trace to quantify the benefits of having a stale cache under different attack scenarios, and found that the stale cache can answer a significant fraction of client queries even under severe attacks of long duration
Stale cache records need a very small amount of memory
The fraction of inaccurate records returned in case of an attack is very small

28 Mitigating DNS DoS attacks: related work
New architectures for the DNS to increase its robustness against DoS attacks by changing the DNS architecture:
1) Multicasting the DNS database to specialized servers to reduce the response time for clients
2) Augmenting the DNS structure with additional pointers that can be used to access sub-zones

29 DNS cache poisoning
Problem: the attacker exploits a flaw in the DNS software, and the server might cache incorrect entries locally.
Solution: DNSSEC! Secure DNS uses cryptographic electronic signatures, signed with a trusted public key certificate, to determine the authenticity of data.

30 Future work
Since they were not able to study which DNS records would have been inaccurate had they been used as stale records during an attack, an unanonymized trace is necessary
Implement the proposed stale cache mechanism in the djbdns DNS resolver. The djbdns software consists of a server, a client, and some miscellaneous configuration tools.

31 Thank you!

