John Heidemann / Papers / Dynamically Selecting Defenses to DDoS for DNS (extended)

Dynamically Selecting Defenses to DDoS for DNS (extended)
ASM Rizvi, John Heidemann and Jelena Mirkovic
USC/Information Sciences Institute

Citation

ASM Rizvi, John Heidemann and Jelena Mirkovic. Dynamically Selecting Defenses to DDoS for DNS (extended). Technical Report ISI-TR-736. USC/Information Sciences Institute. [PDF] [alt PDF]

Abstract

Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is frequently the target of DDoS attacks, and its connectionless communication makes it an easy target for spoofing attacks. A large body of prior work has focused on specific filters or anti-spoofing techniques, but DDoS threats continue to grow, augmented by the addition of millions of Internet-of-Things (IoT) devices. We propose two approaches to DDoS-defense: first, we propose having a library of defensive filters ready, each applicable to different attack types and with different levels of selectivity. Second, we suggest automatically selecting the best defense mechanism at attack start, and re-evaluating that choice during the attack to account for polymorphic attacks. While commercial services deploy automatic defenses today, there are no detailed public descriptions of how they work—our contribution is to document one automated approach, and to show the importance of multiple types of defenses. We evaluate our approach against captured DDoS attacks against a root DNS server, using analysis and testbed experimentation with real DNS servers. Our automated system can detect attack events within 15 s, and choose the best defense within 40 s. We show that we can reduce 23% CPU usage and 63% egress network bandwidth with the same memory consumption and with little collateral damage.

Bibtex Citation

@techreport{Rizvi19a,
  author = {Rizvi, {ASM} and Heidemann, John and Mirkovic, Jelena},
  title = {Dynamically Selecting Defenses to {DDoS} for {DNS} (extended)},
  institution = {USC/Information Sciences Institute},
  year = {2019},
  sortdate = {2019-12-03},
  project = {ant, ddidd, paaddos},
  jsubject = {routing},
  number = {ISI-TR-736},
  month = may,
  jlocation = {johnh: pafile},
  keywords = {ddos, filtering, hop-count, rcode, dns},
  url = {https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html},
  pdfurl = {https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}
}
Copyright © by John Heidemann