DNS Guard
The Domain Name System (DNS) is a critical element of the Internet infrastructure. Even a small part of the DNS infrastructure becoming unavailable for a very short period of time could potentially upset the entire Internet and is thus totally unacceptable. Unfortunately, because DNS queries and responses are mostly UDP-based, DNS is vulnerable to spoofing-based denial of service (DoS) attacks, which are difficult to defeat without incurring significant collateral damage.
Indeed, some DoS attacks against DNS have been reported in the past. ComputerWire reported that seven of the Internet's thirteen DNS root servers became inaccessible for an hour. Hu reported that an attack aimed at Akamai's DNS servers blocked nearly all access to the Web sites of Apple Computer, Google, Microsoft and Yahoo for two hours. The importance of effectively stopping spoofing-based DoS attacks against DNS is pointedly summarized in ComputerWire: "If you could take down .com, what would be the cost in billions of dollars?"
The key to thwarting this type of DoS attack is spoof detection, which enables selective discarding of spoofed DNS requests without jeopardizing the quality of service for legitimate requests. If a DNS server can distinguish spoofed requests from real ones, it can selectively drop the spoofed ones with little collateral damage. Once a DNS server is sure that the incoming requests carry a genuine source IP address, it can use a rate-limiting strategy to drop packets in a fair way.
The idea of this project is to use cookies to authenticate requests. The design challenge is how to introduce cookies in a way that is transparent to the existing Internet infrastructure and incurs minimal performance overhead. The key contribution of this project is a comprehensive study of the use of cookies in DNS spoof detection. A major finding of the project is that cookies can be embedded transparently in DNS messages, in the NS name and in the NS IP address. Thus there is no need to modify the DNS infrastructure.
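The following is an added model of the cookie-in-NS-name mechanism together with the fair per-source rate limit described above; it is not code from the DNS Guard kernel module, and the exact exchange it assumes (a glue-less referral whose NS label is an HMAC over the source IP, which a real resolver must then look up, sending the cookie back in the query name) is an assumption made for illustration. The zone, secret, addresses and record data are constructed.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Response:
    kind: str                                    # "referral", "answer", "nxdomain" or "drop"
    records: list = field(default_factory=list)  # (name, type, rdata) tuples


class DnsGuard:
    """Assumed model: an unverified source gets a referral to an NS name carrying an
    HMAC cookie; a real resolver looks that name up and so presents the cookie, while
    a spoofed source never receives the referral and never presents a valid cookie."""

    def __init__(self, zone, secret, ns_ip, zone_data, epoch_secs=60,
                 verified_ttl=300, rate_per_sec=20):
        self.zone = zone.lower().rstrip(".")
        self.secret = secret
        self.ns_ip = ns_ip
        self.zone_data = {k.lower().rstrip("."): v for k, v in zone_data.items()}
        self.epoch_secs = epoch_secs      # cookie rotation period (seconds)
        self.verified_ttl = verified_ttl  # how long a verified source stays trusted
        self.rate = rate_per_sec          # per-source token bucket rate and burst
        self.verified = {}                # src_ip -> expiry time
        self.buckets = {}                 # src_ip -> (tokens, last_refill)

    def _epoch(self, now):
        return int(now // self.epoch_secs)

    def _cookie(self, src_ip, epoch):
        mac = hmac.new(self.secret, f"{src_ip}|{epoch}".encode(), hashlib.sha256).digest()
        return mac[:6].hex()  # 12 hex characters fit comfortably in one DNS label

    def _valid_cookie(self, src_ip, label, now):
        e = self._epoch(now)
        # Accept the current and the previous epoch so rotation does not cut off clients.
        return any(hmac.compare_digest(label, self._cookie(src_ip, x)) for x in (e, e - 1))

    def _allow(self, src_ip, now):
        """Token bucket: verified sources share the server fairly, not by volume."""
        tokens, last = self.buckets.get(src_ip, (float(self.rate), now))
        tokens = min(float(self.rate), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[src_ip] = (tokens, now)
            return False
        self.buckets[src_ip] = (tokens - 1.0, now)
        return True

    def handle(self, src_ip, qname, now=None):
        now = time.time() if now is None else now
        qname = qname.lower().rstrip(".")
        suffix = ".ns." + self.zone

        # 1. Query for the cookie-bearing NS name: check the cookie against the
        #    source IP and, if it matches, remember the source as verified.
        if qname.endswith(suffix):
            label = qname[: -len(suffix)]
            if self._valid_cookie(src_ip, label, now):
                self.verified[src_ip] = now + self.verified_ttl
                return Response("answer", [(qname, "A", self.ns_ip)])
            return Response("drop")

        # 2. A verified source is served normally, subject to the fair per-IP limit.
        if self.verified.get(src_ip, 0) > now:
            if not self._allow(src_ip, now):
                return Response("drop")
            rdata = self.zone_data.get(qname)
            if rdata is None:
                return Response("nxdomain")
            return Response("answer", [(qname, "A", rdata)])

        # 3. An unverified source gets a cheap, stateless referral whose NS name
        #    carries the cookie; no server state is created for it.
        ns_name = self._cookie(src_ip, self._epoch(now)) + suffix
        return Response("referral", [(self.zone, "NS", ns_name)])


def demo():
    """One legitimate resolver and one spoofed source walked through the exchange."""
    guard = DnsGuard("example.com", b"constructed-secret-key", "192.0.2.53",
                     {"www.example.com": "192.0.2.80"})
    t = 1_000_000.0
    # Legitimate resolver: referral -> looks up the NS name (cookie) -> real answer.
    r1 = guard.handle("198.51.100.7", "www.example.com", t)
    ns_name = r1.records[0][2]
    r2 = guard.handle("198.51.100.7", ns_name, t + 0.01)
    r3 = guard.handle("198.51.100.7", "www.example.com", t + 0.02)
    # Spoofed source: the referral goes to the spoofed host, so the server only ever
    # emits a cheap referral, and a made-up cookie label is dropped.
    r4 = guard.handle("203.0.113.9", "www.example.com", t)
    r5 = guard.handle("203.0.113.9", "000000000000.ns.example.com", t)
    return r1.kind, r2.kind, r3.kind, r4.kind, r5.kind


if __name__ == "__main__":
    print(demo())  # ('referral', 'answer', 'answer', 'referral', 'drop')
```

The point of the model is the cost asymmetry: every request from an unverified source costs the server one HMAC and one small referral and leaves no state behind, so a flood of spoofed sources cannot exhaust memory or the answer path, while a source that has proven it can receive packets at its claimed address is then rate-limited per IP rather than simply dropped.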
The cookie-based spoof detection mechanisms are implemented as a Linux kernel module called DNS Guard. Measurements on the DNS Guard prototype demonstrate that DNS Guard can indeed protect DNS servers from DoS attacks, maintaining a throughput of 80K requests/sec in the presence of 250K requests/sec attacks. In contrast, the service of BIND (version 9.3.1) can be denied with an attack rate of merely 14K requests/sec.
The key advantages of this project are as follows:
- Transparent to the DNS infrastructure. It can be deployed like a traditional firewall in front of DNS servers, only when a DoS attack arises, and contains the attack without lengthy training or tuning.
- No false positives.
- No obvious way to evade the protection.
- Simple and efficient spoof detection algorithm with high throughput.
- Fanglu Guo, Jiawu Chen and Tzi-cker Chiueh, "Spoof Detection for Preventing DoS Attacks against DNS Servers," under submission.
- Denial of Service Attacks using Nameservers
- V Paxson, "An analysis of using reflectors for distributed denial-of-service attacks," ACM SIGCOMM Computer Communication Review, 2001
- J Ioannidis, SM Bellovin, "Implementing Pushback: Router-Based Defense Against DDoS Attacks," Proceedings of the Symposium on Network and Distributed …, 2002
- A Yaar, A Perrig, DX Song, "Pi: A Path Identification Mechanism to Defend against DDoS Attack," IEEE Symposium on Security and Privacy, 2003
- C Jin, H Wang, KG Shin, "Hop-count filtering: An effective defense against spoofed DDoS traffic," Proceedings of ACM Conference on Computer and Communications …, 2003
- V Ramasubramanian, EG Sirer, "The design and implementation of a next generation name service for the internet," ACM SIGCOMM Computer Communication Review, 2004
- H Yang, H Luo, Y Yang, S Lu, L Zhang, "HOURS: Achieving DoS Resilience in an Open Service Hierarchy," (DSN'04), 2004
- M Collins, M Reiter, "An empirical analysis of target-resident DoS filters," IEEE Symposium on Security and Privacy, 2004
- A Yaar, A Perrig, D Song, "SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks," IEEE Symposium on Security and Privacy, 2004
- X Yang, D Wetherall, T Anderson, "A DoS-limiting network architecture," Proceedings of ACM SIGCOMM, 2005