Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients.
The Domain Name System (DNS) is a frequent target of DDoS
attacks. Since DNS is a critical infrastructure service, protecting
it from DoS is imperative. Many prior approaches have focused
on specific filters or anti-spoofing techniques to protect generic
services. DNS root nameservers are more challenging to protect,
since they use fixed IP addresses, serve very diverse clients and
requests, receive predominantly UDP traffic that can be spoofed,
and must guarantee high quality of service. In this paper we
propose a layered DDoS defense for DNS root nameservers. Our
defense uses a library of defensive filters, which can be optimized
for different attack types, with different levels of selectivity. We
further propose a method that automatically and continuously
evaluates and selects the best combination of filters throughout
the attack. We show that this layered defense approach provides
exceptional protection against all attack types using traces of ten
real attacks from a DNS root nameserver. Our automated system
can select the best defense within seconds and quickly reduces
traffic to the server within a manageable range, while keeping
collateral damage lower than 2%. We can handle millions of
filtering rules without noticeable operational overhead.
more »
« less
Query-Crafting DoS Threats Against Internet DNS
Domain name system (DNS) resolves the IP addresses
of domain names and is critical for IP networking. Recent
denial-of-service (DoS) attacks on the Internet targeted the DNS
system (e.g., Dyn), which has the cascading effect of denying
the availability of the services and applications relying on the
targeted DNS. In view of these attacks, we investigate the DoS
on the DNS system and introduce the query-crafting threats where the
attacker controls the DNS query payload (the domain name) to
maximize the threat impact per query (increasing the communications
between the DNS servers and the threat time duration),
which is orthogonal to other DoS approaches to increase the
attack impact such as flooding and DNS amplification. We model
the DNS system using a state diagram and comprehensively
analyze the threat space, identifying the threat vectors which
include not only the random/invalid domains but also those using
the domain name structure to combine valid strings and random
strings. Query-crafting DoS threats generate new domain-name
payloads for each query and force increased complexity in the
DNS query resolution. We test the query-crafting DoS threats
by taking empirical measurements on the Internet and show
that they amplify the DoS impact on the DNS system (recursive
resolver) by involving more communications and taking greater
time duration. To defend against such DoS or DDoS threats, we
identify the relevant detection features specific to query-crafting
threats and evaluate the defense using our prototype in CloudLab.
more »
« less
- Award ID(s):
- 1723804
- NSF-PAR ID:
- 10205621
- Date Published:
- Journal Name:
- IEEE Conference on Communications and Network Security (CNS)
- Page Range / eLocation ID:
- 1 to 9
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that automatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead.more » « less
-
—Infrastructure-as-a-Service (IaaS), and more generally the “cloud,” like Amazon Web Services (AWS) or Microsoft Azure, have changed the landscape of system operations on the Internet. Their elasticity allows operators to rapidly allocate and use resources as needed, from virtual machines, to storage, to bandwidth, and even to IP addresses, which is what made them popular and spurred innovation. In this paper, we show that the dynamic component paired with recent developments in trust-based ecosystems (e.g., SSL certificates) creates so far unknown attack vectors. Specifically, we discover a substantial number of stale DNS records that point to available IP addresses in clouds, yet, are still actively attempted to be accessed. Often, these records belong to discontinued services that were previously hosted in the cloud. We demonstrate that it is practical, and time and cost efficient for attackers to allocate IP addresses to which stale DNS records point. Considering the ubiquity of domain validation in trust ecosystems, like SSL certificates, an attacker can impersonate the service using a valid certificate trusted by all major operating systems and browsers. The attacker can then also exploit residual trust in the domain name for phishing, receiving and sending emails, or possibly distribute code to clients that load remote code from the domain (e.g., loading of native code by mobile apps, or JavaScript libraries by websites). Even worse, an aggressive attacker could execute the attack in less than 70 seconds, well below common time-to-live (TTL) for DNS records. In turn, it means an attacker could exploit normal service migrations in the cloud to obtain a valid SSL certificate for domains owned and managed by others, and, worse, that she might not actually be bound by DNS records being (temporarily) stale, but that she can exploit caching instead. We introduce a new authentication method for trust-based domain validation that mitigates staleness issues without incurring additional certificate requester effort by incorporating existing trust of a name into the validation process. Furthermore, we provide recommendations for domain name owners and cloud operators to reduce their and their clients’ exposure to DNS staleness issues and the resulting domain takeover attacks.more » « less
-
The NTT (Nippon Telegraph and Telephone) Data Corporation report found that 80% of U.S. consumers are concerned about their smart home data security. The Internet of Things (IoT) technology brings many benefits to people's homes, and more people across the world are heavily dependent on the technology and its devices. However, many IoT devices are deployed without considering security, increasing the number of attack vectors available to attackers. Numerous Internet of Things devices lacking security features have been compromised by attackers, resulting in many security incidents. Attackers can infiltrate these smart home devices and control the home via turning off the lights, controlling the alarm systems, and unlocking the smart locks, to name a few. Attackers have also been able to access the smart home network, leading to data exfiltration. There are many threats that smart homes face, such as the Man-in-the-Middle (MIM) attacks, data and identity theft, and Denial of Service (DoS) attacks. The hardware vulnerabilities often targeted by attackers are SPI, UART, JTAG, USB, etc. Therefore, to enhance the security of the smart devices used in our daily lives, threat modeling should be implemented early on in developing any given system. This past Spring semester, Morgan State University launched a (senior) capstone project targeting undergraduate (electrical) engineering students who were thus allowed to research with the Cybersecurity Assurance and Policy (CAP) center for four months. The primary purpose of the capstone was to help students further develop both hardware and software skills while researching. For this project, the students mainly focused on the Arduino Mega Board. Some of the expected outcomes for this capstone project include: 1) understanding the physical board components, 2) learning how to attack the board through the STRIDE technique, 3) generating a Data Flow Diagram (DFD) of the system using the Microsoft threat modeling tool, 4) understanding the attack patterns, and 5) generating the threat based on the user's input. To prevent future threats and attacks from taking advantage of systems vulnerabilities, the practice of "threat modeling" is implemented. This method allows the analysis of potential attackers, including their goals and techniques, while also providing solutions and mitigation strategies. Although Threat modeling can be performed throughout the development of a system, implementing it during developmental stages will prevent further problems in the future. Threat Modeling is crucial because it will help identify any potential threat before it propagates in the system. Identifying threats and providing countermeasures will save both time and money while also keeping the consumers safe. As a result, students must grow to understand how essential detecting and preventing attacks are to protect consumer information systems and networks. At the end of this capstone project, students should take away hands-on skills in cyber defense.more » « less
-
The Domain Name System (DNS) is a critical piece of Internet infrastructure with remarkably complex properties and uses, and accordingly has been extensively studied. In this study we contribute to that body of work by organizing and analyzing records maintained within the DNS as a bipartite graph. We find that relating names and addresses in this way uncovers a surprisingly rich structure. In order to characterize that structure, we introduce a new graph decomposition for DNS name-to-IP mappings, which we term elemental decomposition. In particular, we argue that (approximately) decomposing this graph into bicliques — maximally connected components — exposes this rich structure. We utilize large-scale censuses of the DNS to investigate the characteristics of the resulting decomposition, and illustrate how the exposed structure sheds new light on a number of questions about how the DNS is used in practice and suggests several new directions for future research.more » « less