Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE."— Presentation transcript:

1 Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE Information Assurance Workshop 2004

2 Introduction to DNS DNS: Domain Name System DNS translates between domain names and IP addresses. Berkeley Internet Name Domain package (BIND). DNS was designed two decades ago. DNS is undergoing changes with various enhancements.  DNSSEC (DNS Security Extensions)  Dynamic DNS update and secure DNS update RFC  DNS for loading balancing and traffic distribution  Storing IPSec keying material in DNS  And many more

3 Introduction to SCOLD SCOLD: Secure COLlective Defense system, designed to defend against DDoS attack. The key idea of SCOLD: follow intrusion tolerance and network reconfiguration paradigm by providing alternate routes via a set of proxy servers and alternate gateways when the normal route is unavailable or unstable due to network failure, congestion, or DDoS attack. In SCOLD, the DNS is utilized to store the indirect routing information, like the proxy server IP addresses

4 Introduction to SCOLD Motivation of SCOLD:  Multiple gateways or multi-homing scheme are popular.  When the main gateway is under attack, the traffic should be redirected through the alternate gateways.  We may not want to reveal the alternate gateway IP addresses to public domain, because otherwise they may become new targets of attacks.  We design to use proxy servers to protect the alternate gateways and reroute the traffic. A key technique in SCOLD is the enhanced secure dynamic DNS update with indirect route. We refer to it as the IR DNS update.

5 SCOLD Overview: Target site under DDoS attack

6 SCOLD Overview: The control flow

7 SCOLD Overview: Indirect Route

8 The enhanced DNS update with indirect route: IR DNS Redefine the DNS record format for storing the additional information. A sample of the new DNS record in the DNS zone file: The first line is a normal DNS entry, containing host name and its IP address. The next 3 lines contain the IP addresses of proxy servers, as the newly defined “ALT” type (type 99). target.targetnet.com. 10 IN A 133.41.96.71 target.targetnet.com. 10 IN ALT 203.55.57.102 10 IN ALT 203.55.57.103 10 IN ALT 185.11.16.49

9 Why DNS update with Indirect Route? In the scenario of DDoS attack, the main gateway of the target server domain may become unavailable or unstable. Therefore, the normal DNS update might experience significant delay or even completely fail. By setting up indirect route and perform the DNS update via the indirect route, we can overcome the problem. IR DNS can also be used to protect the Root DNS servers.

10 IR DNS update

11 Protect the root DNS server

12 Implementation We implement the IR DNS update on BIND v. 9.2.2 and Redhat Linux v. 8 / 9. The indirect route is implemented by using IP tunnel protocol The BIND 9 DNS server was enhanced. The DNS dynamic update utility (nsupdate) was enhanced as a new program named “nsreroute” The domain name resolve library (v.2.3.2) was enhanced An agent program runs on each participating node (DNS servers, proxy servers, gateways) listening for the control message.

13 Implementation All the control messages are encrypted using Secure Sockets Layer (SSL) and all participating nodes must be mutually authenticated. Nsreroute and input_file format: nsreroute input_file reroute client.clientnet1.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com.... reroute client.clientnet2.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com....

14 Experimental Results

15

16 1.Overhead of resolve library and DNS server is limited 2.Overhead of IP tunnel is acceptable 3.There is a limit on how many client DNS servers one IR DNS update can handle concurrently. 4.Overhead of Indirect Route is acceptable compared with the impact of DDoS attacks. 70-300% overhead vs. possibly infinity

17 Conclusion We present the design and implementation of the IR DNS update. It is an essential part of the SCOLD system, but can also serve as a useful extension to the existing DNS update utility. BIND 9 DNS package is modified to support IR DNS update. IP tunnel was utilized to implement indirect routing. New ALT 99 type data is defined and a new DNS update utility named nsreroute is developed. The preliminary results show that SCOLD can improve the network security, availability and performance.

18 References [1] P. Mockapetris, “Domain Names--Implementation and Specification”, RFC 3658, Nov. 1987RFC 3658 [2] P. Mockapetris, “Domain Names--Concepts and Facilities”, RFC 1034, Nov. 1987RFC [3] Internet Systems Consortium, “ISC BIND”, http://www.isc.org/index.pl?/sw/bind/http://www.isc.org/index.pl?/sw/bind/ [4] The SANS Institute, “How To Eliminate The Ten Most Critical Internet Security Threats” http://www.sans.org/top20/top10.php, 2001 [5] Internetnews.com, “Massive DDoS Attack Hit DNS Root Servers”, http://www.internetnews.com/ent-ews/article.php/1486981 [6] Edward Chow, Yu Cai, “Secure Collective Defense system (SCOLD)”, http://cs.uccs.edu/~scold/doc/ SCOLD_globecom2004.doc, submitted to Globecom 2004 [7] DNSSEC, http://www.dnssec.net/ [8] Dynamic DNS update, RFC 2136, http://www.faqs.org/rfcs/rfc2136.html [9] Secure DNS update, RFC 3007, http://www.faqs.org/rfcs/rfc3007.html [10] Y. Shim, et al., “Extension and Design of Secure Dynamic Updates in Domain Name Systems”, 5th Asia-Pacific Conference on Communications, 1998

Download ppt "Enhanced Secure Dynamic DNS Update with Indirect Route David Wilkinson, C. Edward Chow, Yu Cai 06/11/2004 University of Colorado at Colorado Springs IEEE."

Similar presentations

RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.
On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 12/2003 University of Colorado at Colorado Springs.

On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 12/2003 University of Colorado at Colorado Springs.
IDMP-based Fast Handoffs and Paging in IP-based Cellular Networks IEEE 3G Wireless Conference, 2001 李威廷 11/22/2001 Telcordia.

IDMP-based Fast Handoffs and Paging in IP-based Cellular Networks IEEE 3G Wireless Conference, 2001 李威廷 11/22/2001 Telcordia.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Mobile IP Security Dominic Maguire Research Essay Presentation Communications Infrastructure Module MSc Communications Software, WIT 1 1 1 0 11 0.

Mobile IP Security Dominic Maguire Research Essay Presentation Communications Infrastructure Module MSc Communications Software, WIT
Enhanced Secure DNS: A Defense Against DDOS Attacks by David B. Wilkinson University of Colorado at Colorado Springs November 26, 2003.

Enhanced Secure DNS: A Defense Against DDOS Attacks by David B. Wilkinson University of Colorado at Colorado Springs November 26, 2003.
WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.

WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.
RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.

RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.
Dynamic Process Allocation in Apache Server Yu Cai.

Dynamic Process Allocation in Apache Server Yu Cai.
Design and Implementation of Alternative Route Against DDOS Jing Yang and Su Li.

Design and Implementation of Alternative Route Against DDOS Jing Yang and Su Li.
On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 10/2003 University of Colorado at Colorado Springs.

On Proxy Server based Multipath Connections (PSMC) PhD Proposal Yu Cai 10/2003 University of Colorado at Colorado Springs.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ChowSCID1 Secure Collective Internet Defense (SCID) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

ChowSCID1 Secure Collective Internet Defense (SCID) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.
ChowSCOLD1 Secure Collective Defense Network (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

ChowSCOLD1 Secure Collective Defense Network (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.
RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.

RASD Rapid Adaptive Secure DNS Matthew Weaver Jeremy Witmer Dr. Chow, Advising CS 622 – Fall 2007.

Similar presentations

Ads by Google