Publications

Dynamically selecting defenses to DDoS for DNS (extended)

Abstract

Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is frequently the target of DDoS attacks, and its connectionless communication makes it an easy target for spoofing. A large body of prior work has focused on specific filters or anti-spoofing techniques, but DDoS threats continue to grow, augmented by the addition of millions of Internet-of-Things (IoT) devices. We propose two approaches to DDoS defense. First, we propose keeping a library of defensive filters ready, each applicable to different attack types and with different levels of selectivity. Second, we suggest automatically selecting the best defense mechanism at attack start, and re-evaluating that choice during the attack to account for polymorphic attacks. While commercial services deploy automatic defenses today, there are no public descriptions of how they work; our contribution is to document one automated approach and to show the importance of multiple types of defenses. We evaluate our approach against captured DDoS attacks on a root DNS server, using analysis and testbed experimentation with real DNS servers. Our automated system can detect attack events within 15 s and choose the best defense within 40 s. We show that it reduces CPU usage by 23% and egress network bandwidth by 63% with the same memory consumption and with little collateral damage.

Date: January 1, 1970

Authors: A Rizvi, John Heidemann, Jelena Mirkovic

Journal: USC/Information Sciences Institute, Tech. Rep. ISI-TR-736