Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that automatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead.
Defending Root DNS Servers Against DDoS Using Layered Defenses
- Award ID(s): 2120400
- PAR ID: 10470503
- Publisher / Repository: Proceedings of COMSNETS 2023
- Date Published:
- Format(s): Medium: X
- Location: Bangalore, India
- Sponsoring Org: National Science Foundation
More Like this
Software-Defined Networking (SDN) is a dynamic and manageable network architecture which is more cost-effective than existing network architectures. The idea behind this architecture is to centralize intelligence from the network hardware and funnel this intelligence to the management system (controller) [2]-[4]. Since the centralized SDN controller controls the entire network and manages policies and the flow of traffic throughout the network, it can be considered a single point of failure [1]. It is important to find ways to identify different types of attacks on the SDN controller [8]. A Distributed Denial of Service (DDoS) attack is one of the most dangerous attacks on an SDN controller. In this work, we implement a DDoS attack on the Ryu controller in a tree network topology using the Mininet emulator. We also use a machine learning method, Support Vector Machines (SVM), to detect the DDoS attack. We propose to install flows in switches, and we consider the time attack pattern of the DDoS attack for detection. Simulation results show that the effect of DDoS attacks on the Ryu controller is reduced by 36% using our detection method.
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service, a network, or even an entire organization unavailable by saturating it with traffic from multiple sources. DDoS attacks are among the most common and most devastating threats that network defenders have to watch out for. DDoS attacks are becoming bigger, more frequent, and more sophisticated. Volumetric attacks are the most common type of DDoS attack. A DDoS attack is considered volumetric, or high-rate, when within a short period of time it generates a large number of packets or a high volume of traffic. High-rate attacks are well known and have received much attention in the past decade; however, although several detection and mitigation strategies have been designed and implemented, high-rate attacks are still halting the normal operation of information technology infrastructures across the Internet when the protection mechanisms are not able to cope with the aggregated capacity that the perpetrators have put together. With this in mind, the present paper aims to propose and test a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics. We have successfully tested our proposed mechanism using a real-world DDoS attack dataset at its original rate in order to reproduce the conditions of an actual large-scale attack.
IP anycast is used for services such as DNS and Content Delivery Networks (CDN) to provide the capacity to handle Distributed Denial-of-Service (DDoS) attacks. During a DDoS attack, service operators redistribute traffic between anycast sites to take advantage of sites with unused or greater capacity. Depending on site traffic and attack size, operators may instead concentrate attackers in a few sites to preserve operation in others. Operators use these actions during attacks, but how to do so has not been described systematically or publicly. This paper describes several methods to use BGP to shift traffic when under DDoS, and shows that a response playbook can provide a menu of responses that are options during an attack. To choose an appropriate response from this playbook, we also describe a new method to estimate true attack size, even though the operator's view during the attack is incomplete. Finally, operator choices are constrained by distributed routing policies, and not all are helpful. We explore how specific anycast deployments can constrain options in this playbook, and are the first to measure how generally applicable they are across multiple anycast networks.
Distributed Denial of Service (DDoS) attacks have been a persistent threat to networks and applications. Successful attacks can lead to services being inaccessible to legitimate users and to loss of business reputation. In this paper, we explore DDoS attack detection using Term Frequency (TF)-Inverse Document Frequency (IDF) and Latent Semantic Indexing (LSI). We analyzed web server log data generated in a distributed environment.