Defending Root DNS Servers against DDoS Using Layered Defenses (Extended)
Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate
clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical
infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific
filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to
protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP
traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered
DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized
for different attack types, with different levels of selectivity. We further propose a method that automatically
and continuously evaluates and selects the best combination of filters throughout the attack. We show that this
layered defense approach provides exceptional protection against all attack types using traces of ten real attacks
from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly
reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We
show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can
handle millions of filtering rules without noticeable operational overhead.
- Award ID(s): 2120400
- PAR ID: 10470505
- Publisher / Repository: Elsevier Ad Hoc Networks
- Date Published:
- Journal Name: Ad Hoc Networks
- Volume: 151
- Issue: C
- ISSN: 1570-8705
- Page Range / eLocation ID: 103259
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Software-Defined Networking (SDN) is a dynamic and manageable network architecture that is more cost-effective than existing network architectures. The idea behind this architecture is to centralize intelligence from the network hardware and funnel it to the management system (controller) [2]-[4]. Since the centralized SDN controller controls the entire network and manages policies and the flow of traffic throughout the network, it can be considered a single point of failure [1]. It is important to find ways to identify different types of attacks on the SDN controller [8]. A Distributed Denial of Service (DDoS) attack is one of the most dangerous attacks on an SDN controller. In this work, we implement a DDoS attack on the Ryu controller in a tree network topology using the Mininet emulator. We also use a machine learning method, Support Vector Machines (SVM), to detect the DDoS attack. We propose to install flows in switches, and we consider the time attack pattern of the DDoS attack for detection. Simulation results show that the effect of DDoS attacks on the Ryu controller is reduced by 36% using our detection method.
- A Distributed Denial of Service (DDoS) attack is an attempt to make an online service, a network, or even an entire organization unavailable by saturating it with traffic from multiple sources. DDoS attacks are among the most common and most devastating threats that network defenders have to watch out for, and they are becoming bigger, more frequent, and more sophisticated. Volumetric attacks are the most common type of DDoS attack. A DDoS attack is considered volumetric, or high-rate, when it generates a large number of packets or a high volume of traffic within a short period of time. High-rate attacks are well known and have received much attention in the past decade; however, although several detection and mitigation strategies have been designed and implemented, high-rate attacks are still halting the normal operation of information technology infrastructures across the Internet whenever the protection mechanisms cannot cope with the aggregated capacity that the perpetrators have put together. With this in mind, the present paper proposes and tests a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics. We have successfully tested our proposed mechanism using a real-world DDoS attack dataset replayed at its original rate, in order to reproduce the conditions of an actual large-scale attack.
- DNS latency is a concern for many service operators: CDNs exist to reduce service latency to end-users but must rely on global DNS for reachability and load-balancing. Today, DNS latency is monitored by active probing from distributed platforms like RIPE Atlas, with Verfploeter, or with commercial services. While Atlas coverage is wide, its 10k sites see only a fraction of the Internet. In this paper we show that passive observation of TCP handshakes can measure live DNS latency, continuously, providing good coverage of current clients of the service. Estimating RTT from TCP is an old idea, but its application to DNS has not previously been studied carefully. We show that there is sufficient TCP DNS traffic today to provide good operational coverage (particularly of IPv6) and very good temporal coverage (better than existing approaches), enabling near-real-time evaluation of DNS latency from real clients. We also show that DNS servers can optionally solicit TCP to broaden coverage. We quantify coverage and show that estimates of DNS latency from TCP are consistent with UDP latency. Our approach finds previously unknown, real problems: DNS polarization is a new problem where a hypergiant sends global traffic to one anycast site rather than taking advantage of the global anycast deployment. Correcting polarization in Google DNS cut its latency from 100 ms to 10 ms, and correcting it for Microsoft Azure cut latency from 90 ms to 20 ms. We also show other instances of routing problems that add 100-200 ms of latency. Finally, real-time use of our approach for a European country-level domain has helped detect and correct a BGP routing misconfiguration that detoured European traffic to Australia. We have integrated our approach into several open source tools: Entrada, our open source data warehouse for DNS; a monitoring tool (ANTS), which has been operational for the last 2 years on a country-level top-level domain; and a DNS anonymization tool in use at a root server since March 2021.
- Network-on-Chip (NoC) is widely employed by multi-core System-on-Chip (SoC) architectures to cater to their communication requirements. Increasing NoC complexity coupled with its widespread usage has made it a focal point of potential security attacks. Distributed Denial-of-Service (DDoS) is one such attack, caused by malicious intellectual property (IP) cores flooding the network with unnecessary packets and causing significant performance degradation through NoC congestion. In this paper, we propose an efficient framework for real-time detection and localization of DDoS attacks. This paper makes three important contributions. We propose a real-time and lightweight DDoS attack detection technique for NoC-based SoCs that monitors packets to detect any violations. Once a potential attack has been flagged, our approach is also capable of localizing the malicious IPs using the latency data in the NoC routers. The applications are statically profiled during design time to determine communication patterns, and these patterns are then used for real-time detection and localization of DDoS attacks. We have evaluated the effectiveness of our approach against different NoC topologies and architecture models using both real benchmarks and synthetic traffic patterns. Our experimental results demonstrate that our proposed approach is capable of real-time detection and localization of DDoS attacks originating from multiple malicious IPs in NoC-based SoCs.