Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients.
The Domain Name System (DNS) is a frequent target of DDoS
attacks. Since DNS is a critical infrastructure service, protecting
it from DoS is imperative. Many prior approaches have focused
on specific filters or anti-spoofing techniques to protect generic
services. DNS root nameservers are more challenging to protect,
since they use fixed IP addresses, serve very diverse clients and
requests, receive predominantly UDP traffic that can be spoofed,
and must guarantee high quality of service. In this paper we
propose a layered DDoS defense for DNS root nameservers. Our
defense uses a library of defensive filters, which can be optimized
for different attack types, with different levels of selectivity. We
further propose a method that automatically and continuously
evaluates and selects the best combination of filters throughout
the attack. We show that this layered defense approach provides
exceptional protection against all attack types using traces of ten
real attacks from a DNS root nameserver. Our automated system
can select the best defense within seconds and quickly reduces
traffic to the server within a manageable range, while keeping
collateral damage lower than 2%. We can handle millions of
filtering rules without noticeable operational overhead.
more »
« less
This content will become publicly available on December 1, 2024
Defending Root DNS Servers against DDoS Using Layered Defenses (Extended)
Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate
clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical
infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific
filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to
protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP
traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered
DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized
for different attack types, with different levels of selectivity. We further propose a method that automatically
and continuously evaluates and selects the best combination of filters throughout the attack. We show that this
layered defense approach provides exceptional protection against all attack types using traces of ten real attacks
from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly
reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We
show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can
handle millions of filtering rules without noticeable operational overhead.
more »
« less
- Award ID(s):
- 2120400
- NSF-PAR ID:
- 10470505
- Publisher / Repository:
- Elsevier Ad Hoc Networks
- Date Published:
- Journal Name:
- Ad Hoc Networks
- Volume:
- 151
- Issue:
- C
- ISSN:
- 1570-8705
- Page Range / eLocation ID:
- 103259
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
DNS latency is a concern for many service operators: CDNs exist to reduce service latency to end-users but must rely on global DNS for reachability and load-balancing. Today, DNS latency is monitored by active probing from distributed platforms like RIPE Atlas, with Verfploeter, or with commercial services. While Atlas coverage is wide, its 10k sites see only a fraction of the Internet. In this paper we show that passive observation of TCP handshakes can measure \emph{live DNS latency, continuously, providing good coverage of current clients of the service}. Estimating RTT from TCP is an old idea, but its application to DNS has not previously been studied carefully. We show that there is sufficient TCP DNS traffic today to provide good operational coverage (particularly of IPv6), and very good temporal coverage (better than existing approaches), enabling near-real time evaluation of DNS latency from \emph{real clients}. We also show that DNS servers can optionally solicit TCP to broaden coverage. We quantify coverage and show that estimates of DNS latency from TCP is consistent with UDP latency. Our approach finds previously unknown, real problems: \emph{DNS polarization} is a new problem where a hypergiant sends global traffic to one anycast site rather than taking advantage of the global anycast deployment. Correcting polarization in Google DNS cut its latency from 100ms to 10ms; and from Microsoft Azure cut latency from 90ms to 20ms. We also show other instances of routing problems that add 100--200ms latency. Finally, \emph{real-time} use of our approach for a European country-level domain has helped detect and correct a BGP routing misconfiguration that detoured European traffic to Australia. We have integrated our approach into several open source tools: Entrada, our open source data warehouse for DNS, a monitoring tool (ANTS), which has been operational for the last 2 years on a country-level top-level domain, and a DNS anonymization tool in use at a root server since March 2021.more » « less
-
Software-Defined Networking (SDN) is a dynamic, and manageable network architecture which is more cost-effective than existing network architectures. The idea behind this architecture is to centralize intelligence from the network hardware and funnel this intelligence to the management system (controller) [2]-[4]. Since the centralized SDN controller controls the entire network and manages policies and the flow of the traffic throughout the network, it can be considered as the single point of failure [1]. It is important to find some ways to identify different types of attacks on the SDN controller [8]. Distributed Denial of Service (DDoS) attack is one of the most dangerous attacks on SDN controller. In this work, we implement DDoS attack on the Ryu controller in a tree network topology using Mininet emulator. Also, we use a machine learning method, Vector Machines (SVM) to detect DDoS attack. We propose to install flows in switches, and we consider time attack pattern of the DDoS attack for detection. Simulation results show the effects of DDoS attacks on the Ryu controller is reduced by 36% using our detection method.more » « less
-
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service, a network, or even an entire organization, unavailable by saturating it with traffic from multiple sources. DDoS attacks are among the most common and most devastating threats that network defenders have to watch out for. DDoS attacks are becoming bigger, more frequent, and more sophisticated. Volumetric attacks are the most common types of DDoS attacks. A DDoS attack is considered volumetric, or high-rate, when within a short period of time it generates a large amount of packets or a high volume of traffic. High-rate attacks are well-known and have received much attention in the past decade; however, despite several detection and mitigation strategies have been designed and implemented, high-rate attacks are still halting the normal operation of information technology infrastructures across the Internet when the protection mechanisms are not able to cope with the aggregated capacity that the perpetrators have put together. With this in mind, the present paper aims to propose and test a distributed and collaborative architecture for online high-rate DDoS attack detection and mitigation based on an in-memory distributed graph data structure and unsupervised machine learning algorithms that leverage real-time streaming data and analytics. We have successfully tested our proposed mechanism using a real-world DDoS attack dataset at its original rate in pursuance of reproducing the conditions of an actual large scale attack.more » « less
-
A centralized Software-defined Network (SDN) controller, due to its nature, faces many issues such as a single point of failure, computational complexity growth, different types of attacks, reliability challenges and scalability concerns. One of the most common fifth generation cyber-attacks is the Distributed Denial of Service (DDoS) attack. Having a single SDN controller can lead to a plethora of issues with respect to latency, computational complexity in the control plane, reachability, and scalability as the network scale increases. To address these issues, state-of-the-art approaches have investigated multiple SDN controllers in the network. The placement of these multiple controllers has drawn more attention in recent studies. In our previous work, we evaluated an Entropy-based technique and a machine learning-based Support Vector Machine (SVM) to detect DDoS using a single SDN controller. In this paper, we extend our previous work to further decrease the impact of the DDoS attacks on the SDN controller. Our new technique called Hierarchical Classic Controllers (HCC) uses SVM and Entropy methods to detect abnormal traffic which can lead to network failures caused by overwhelming a single controller. Determining the number of controllers and their best placement are major contributions in our new method. Our results show that the combination of the above three methods (HCC with SVM and Entropy), in the case of a network with 3 controllers provides greater accuracy and improves the DDoS attack detection rate to 86.12% compared to 79.03% and 81.33% using Entropy-based HCC and SVM-based HCC, respectively.more » « less
