When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended). Moura, G. C. M., Heidemann, J., Müller, M., de O. Schmidt, R., & Davids, M. Technical Report ISI-TR-725b, USC/Information Sciences Institute, May, 2018. (updated Sept. 2018)
When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended) [link]Paper  abstract   bibtex   
The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes—some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the \emphsystem has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS \emphuser experience, and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages that last less than cache lifetimes, Caching and retries together allow up to half of the clients to tolerate DDoS attacks longer than cache lifetimes, with 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. While clients may get service during an attack, tail-latency increases for clients. For servers, retries during DDoS attacks increase normal traffic up to $8×$. Our findings about caching and retries help explain why users see service outages from some real-world DDoS events, but minimal visible effects from others.
@TechReport{Moura18a,
	author = 	{Giovane C. M. Moura and John Heidemann and
        		Moritz M{\"u}ller and Ricardo de O. Schmidt
                  and Marco Davids},
	title = 	"When the Dike Breaks: Dissecting {DNS}
                  Defenses During {DDoS} (extended)",
	institution = 	"USC/Information Sciences Institute",
	year = 		2018,
	sortdate = "2018-05-30",
	number = 	"ISI-TR-725b",
	project = "ant, lacanic, pinest, nipet",
	jsubject = "network_security",
	month = 	may,
	note = "(updated Sept.~2018)",
	jlocation = 	"johnh: pafile",
	keywords = 	"anycast, dns, ddos, root ddos",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Moura18a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Moura18a.pdf",
	blogurl = "https://ant.isi.edu/blog/?p=1192",
	otherurl = "ftp://ftp.isi.edu/isi-pubs/tr-709.pdf",
	dataurl =	"https://ant.isi.edu/datasets/dns/#Moura18a_data",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	abstract = "
The Internet's Domain Name System (DNS) is a frequent target of
Distributed Denial-of-Service (DDoS) attacks, but such attacks have
had very different outcomes---some attacks have disabled major public
websites, while the external effects of other attacks have been
minimal.  While on one hand the DNS protocol is relatively simple,
the \emph{system} has many moving parts, with multiple levels of caching
and retries and replicated servers.  This paper uses controlled
experiments to examine how these mechanisms affect DNS resilience and
latency, exploring both the client side's DNS \emph{user experience},
and server-side traffic.  We find that, for about 30\% of clients,
caching is not effective.  However, when caches are full they allow
about half of clients to ride out server outages that last less than
cache lifetimes, Caching and retries together allow up to half of the
clients to tolerate DDoS attacks longer than cache lifetimes, with
90\% query loss, and almost all clients to tolerate attacks resulting
in 50\% packet loss.  While clients may get service during an attack,
tail-latency increases for clients.  For servers, retries during DDoS
attacks increase normal traffic up to $8\times$.  Our findings about
caching and retries help explain why users see service outages from
some real-world DDoS events, but minimal visible effects from others.
",
}

Downloads: 0