When the Dike Breaks: Dissecting DNS Defenses During DDoS. Moura, G. C. M., Heidemann, J., Müller, M., de O. Schmidt, R., & Davids, M. In Proceedings of the ACM Internet Measurement Conference, October 2018.

Abstract: The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes: some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the system has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS user experience and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages that last less than cache lifetimes. Caching and retries together allow up to half of the clients to tolerate DDoS attacks longer than cache lifetimes, with 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. While clients may get service during an attack, tail-latency increases for clients. For servers, retries during DDoS attacks increase normal traffic up to 8×. Our findings about caching and retries help explain why users see service outages from some real-world DDoS events, but minimal visible effects from others.
@InProceedings{Moura18b,
author = {Giovane C. M. Moura and John Heidemann and
Moritz M{\"u}ller and Ricardo de O. Schmidt
and Marco Davids},
title = "When the Dike Breaks: Dissecting {DNS}
Defenses During {DDoS}",
booktitle = "Proceedings of the " # "ACM Internet Measurement Conference",
year = 2018,
sortdate = "2018-10-31",
project = "ant, lacanic, pinest, nipet, ddidd",
jsubject = "network_security",
month = oct,
jlocation = "johnh: pafile",
keywords = "anycast, dns, ddos, root ddos",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura18b.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Moura18b.pdf",
dataurl = "https://ant.isi.edu/datasets/dns/#Moura18b_data",
otherurl = "https://conferences.sigcomm.org/imc/2018/papers/imc18-final18.pdf",
doi = "https://doi.org/10.1145/3278532.3278534",
blogurl = "https://ant.isi.edu/blog/?p=1244",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "
The Internet's Domain Name System (DNS) is a frequent target of
Distributed Denial-of-Service (DDoS) attacks, but such attacks have
had very different outcomes---some attacks have disabled major public
websites, while the external effects of other attacks have been
minimal. While on one hand the DNS protocol is relatively simple,
the \emph{system} has many moving parts, with multiple levels of caching
and retries and replicated servers. This paper uses controlled
experiments to examine how these mechanisms affect DNS resilience and
latency, exploring both the client side's DNS \emph{user experience},
and server-side traffic. We find that, for about 30\% of clients,
caching is not effective. However, when caches are full they allow
about half of clients to ride out server outages that last less than
cache lifetimes. Caching and retries together allow up to half of the
clients to tolerate DDoS attacks longer than cache lifetimes, with
90\% query loss, and almost all clients to tolerate attacks resulting
in 50\% packet loss. While clients may get service during an attack,
tail-latency increases for clients. For servers, retries during DDoS
attacks increase normal traffic up to $8\times$. Our findings about
caching and retries help explain why users see service outages from
some real-world DDoS events, but minimal visible effects from others.
",
}