Slide 1: Hitesh Ballani, Paul Francis (Cornell University). Presenter: Zhenhua Liu. Date: Mar. 16th, 2009.
Slide 2:
Background Information
Motivation
Contributions
Implementation
Evaluation
Pros & Cons
Future Work
Slide 3: The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource participating in the Internet. It translates hostnames to IP addresses (for example, www.google.com to 74.125.95.147).
Slide 4: Query A? www.sc.edu, resolver cache: not found. The resolver asks the root server (198.41.0.5), which replies "try 204.74.113.1"; it asks 204.74.113.1, which replies "try 129.252.189.62"; it asks 129.252.189.62, which replies "it's at xxx.xx.xx.xxx". The resolver stores the found IP address in its cache and answers the client.
Slide 5: Query A? www.sc.edu, resolver cache: found. The resolver answers "it's at xxx.xx.xx.xxx" from the stored IP address without contacting 198.41.0.5, 204.74.113.1 or 129.252.189.62.
Slide 6: Query A? www.sc.edu, resolver cache: not found. The resolver asks the root server (198.41.0.5), which replies "try 204.74.113.1"; no answer comes back from 204.74.113.1, so the traversal fails and 129.252.189.62 is never reached.
Slide 7: To alleviate the impact of flooding attacks on DNS, which prevent clients from resolving resource records belonging to the zone under attack.
Slide 8: A new, robust distribution infrastructure: centralized data distribution, or peer-to-peer based data distribution.
Slide 9:
Modification of caching behavior
Discussion of the benefits of the Stale Cache
Evaluation on a 65-day DNS trace
Trace-based simulation of the memory requirement
Analysis of the inaccuracy of the Stale Cache
No adverse impact from changing DNS semantics
Slide 10: Move cached records in the DNS resolver whose TTL value has expired into a Stale Cache instead of deleting them directly.
Slide 11: Query A? www.sc.edu, resolver cache: not found. The resolver asks the root server (198.41.0.5), which replies "try 204.74.113.1"; the traversal fails at 204.74.113.1. The resolver then checks the Stale Cache and finds an expired cached record for sc.edu ("try 129.252.189.62"); it asks 129.252.189.62, which replies "it's at xxx.xx.xx.xxx", and the client is answered "it's at xxx.xx.xx.xxx".
Slide 12: Environment setup. DNS traffic: Cornell Computer Science Department, 11/21/2007 – 1/24/2008 (65 days).
Factors varied:
Stale cache size: from 1 to 30 days
Attack duration: 3, 6, 12 and 24 hours
Types of query: NS-queries, A-queries
Attack scenario: root server, TLD nameserver, 2nd-level nameserver
Slide 13: Assumption: none of the nameservers are operational (unrealistic). Result: queries that cannot be answered from the resolver cache can only rely on the stale cache. Purpose: use an extreme scenario to test the limits of the stale cache.
Slide 15: Accurate records: responses based on the stale cache that match the actual responses from accessible nameservers. Inaccurate records: DNS records that have been updated after the resolver's last access, while the nameservers for the zone are currently inaccessible.
Slide 17: Figure 5: for (a) NS-queries and (b) A-queries, the fraction of queries answered and the fraction of accurate records when using a stale cache during a 3-hour attack.
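As an added example (not code from the paper or from the talk), the following Python toy models the behaviour of slides 10, 11, 15 and 17 together: an iterative resolver with a normal TTL cache and a stale cache, a traversal that starts from the deepest delegation the resolver still knows instead of always returning to the root, and a small trace-based simulation that reports the fraction of queries answered and the fraction answered accurately while every nameserver is unreachable. The three server addresses are the ones on the slides; the zone data, TTLs, one-query-per-minute trace, attack window and the mid-attack record change are all constructed.

```python
"""Toy iterative DNS resolver with a TTL cache plus a stale cache.

Added example, not code from the paper or from the talk. The three server
addresses are the ones on the slides; the zone data, TTLs and query trace are
constructed so the block runs offline.
"""
from dataclasses import dataclass, field

ROOT = "198.41.0.5"   # root-server address used on the slides


def make_auth():
    """Constructed authoritative data: server -> {owner: (type, rdata, ttl)}.
    An NS record's rdata is the address of the delegated server."""
    return {
        "198.41.0.5":     {"edu.": ("NS", "204.74.113.1", 172800)},
        "204.74.113.1":   {"sc.edu.": ("NS", "129.252.189.62", 86400)},
        "129.252.189.62": {"www.sc.edu.": ("A", "192.0.2.10", 300)},
    }


def ancestors(name):
    """'www.sc.edu.' -> ['sc.edu.', 'edu.'] (closest enclosing zone first)."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(1, len(labels))]


@dataclass
class Resolver:
    stale_window: int                 # seconds an expired record stays usable
    auth: dict                        # the (constructed) authoritative servers
    cache: dict = field(default_factory=dict)  # key -> (type, rdata, expires_at)
    stale: dict = field(default_factory=dict)  # key -> (type, rdata, expired_at)

    def ask(self, server, name, down):
        """One query to an authoritative server; None if it is unreachable."""
        if server in down or server not in self.auth:
            return None
        records = self.auth[server]
        if name in records:
            return name, records[name]
        for zone in ancestors(name):      # otherwise refer to the closest zone
            if zone in records and records[zone][0] == "NS":
                return zone, records[zone]
        return name, ("NXDOMAIN", None, 0)

    def _fresh(self, key, now):
        hit = self.cache.get(key)
        if hit is None:
            return None
        if hit[2] > now:
            return hit
        # Expired: a classic resolver deletes it; here it moves to the stale cache.
        del self.cache[key]
        self.stale[key] = hit
        return None

    def _stale(self, key, now):
        hit = self.stale.get(key)
        if hit and now - hit[2] < self.stale_window:
            return hit
        return None

    def resolve(self, name, now, down=frozenset()):
        """Return (address, source); source is 'cache', 'auth', 'stale' or None."""
        hit = self._fresh(name, now)
        if hit:
            return hit[1], "cache"
        # Start the traversal at the deepest zone whose nameserver we still
        # know, fresh or stale, instead of always going back to the root.
        server = ROOT
        for zone in ancestors(name):
            ns = self._fresh(zone, now) or self._stale(zone, now)
            if ns:
                server = ns[1]
                break
        while True:
            reply = self.ask(server, name, down)
            if reply is None:                       # server under attack
                old = self._stale(name, now)
                return (old[1], "stale") if old else (None, None)
            owner, rec = reply
            if rec[0] == "NXDOMAIN":
                return None, None
            self.cache[owner] = (rec[0], rec[1], now + rec[2])
            if rec[0] == "A":
                return rec[1], "auth"
            server = rec[1]                         # follow the referral


def simulate(stale_window, attack=(1800, 5400), change_at=None):
    """Replay a constructed two-hour trace (one query per minute) and return
    the fraction of queries issued during the attack that were answered and
    the fraction whose answer matched the authoritative data at that time."""
    auth = make_auth()
    r = Resolver(stale_window, auth)
    total = answered = accurate = 0
    for now in range(0, 7200, 60):
        if change_at is not None and now == change_at:   # zone updated mid-attack
            auth["129.252.189.62"]["www.sc.edu."] = ("A", "192.0.2.20", 300)
        truth = auth["129.252.189.62"]["www.sc.edu."][1]
        under_attack = attack[0] <= now < attack[1]
        down = frozenset(auth) if under_attack else frozenset()
        addr, _ = r.resolve("www.sc.edu.", now, down)
        if under_attack:
            total += 1
            answered += addr is not None
            accurate += addr == truth
    return answered / total, accurate / total


if __name__ == "__main__":
    for window in (0, 1200, 86400):
        print(window, simulate(window), simulate(window, change_at=3600))
```

`simulate(0)` behaves like a classic resolver (nothing is answered while all servers are down), `simulate(86400)` answers every query from the stale copy, and `simulate(86400, change_at=3600)` reproduces the inaccuracy case of slide 15: the stale answer keeps matching until the zone changes mid-attack, after which the resolver keeps handing out the old address until the servers come back. A cached or stale delegation for sc.edu also lets the resolver skip an unreachable root or TLD server, which is the path slide 11 draws.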
Slide 21:
Pros: simplicity; incremental deployment; motivation for deployment.
Cons: changes DNS caching semantics; possibility of using an inaccurate record; an attacker may force the use of inaccurate information.
Slide 22: To conclude, a very simple modification of the DNS resolver's caching behavior is quite effective in mitigating the impact of DoS attacks on DNS. Future work: if possible, implement an add-on to the CoDNS resolution service based on this method to test its efficacy against actual attacks.
Slide 23: DNS cache poisoning: providing data to a DNS server that did not originate from authoritative DNS sources.
Slide 24: Fast Flux: e.g., multiple individual nodes within the network keep registering and de-registering their constantly changing addresses, with short TTL values, as part of the DNS A record list for a single DNS name; or registering and de-registering their addresses as part of the DNS NS record list for the DNS zone.