Dynamically Selecting Defenses to DDoS for DNS (extended). Rizvi, A., Heidemann, J., & Mirkovic, J. Technical Report ISI-TR-736, USC/Information Sciences Institute, May, 2019.
Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is frequently the target of DDoS attacks, and its connectionless communication makes it an easy target for spoofing attacks. A large body of prior work has focused on specific filters or anti-spoofing techniques, but DDoS threats continue to grow, augmented by the addition of millions of Internet-of-Things (IoT) devices. We propose two approaches to DDoS-defense: first, we propose having a *library* of defensive filters ready, each applicable to different attack types and with different levels of selectivity. Second, we suggest *automatically selecting* the best defense mechanism at attack start, and re-evaluating that choice during the attack to account for polymorphic attacks. While commercial services deploy automatic defenses today, there are no detailed public descriptions of how they work—our contribution is to document one automated approach, and to show the importance of multiple types of defenses. We evaluate our approach against captured DDoS attacks against a root DNS server, using analysis and testbed experimentation with real DNS servers. Our automated system can detect attack events within 15 s, and choose the best defense within 40 s. We show that we can reduce 23% CPU usage and 63% egress network bandwidth with the same memory consumption and with little collateral damage.
@TechReport{Rizvi19a,
	author = 	"{ASM} Rizvi and John Heidemann and Jelena Mirkovic",
	title = 	"Dynamically Selecting Defenses to {DDoS} for {DNS} (extended)",
	institution = 	"USC/Information Sciences Institute",
	year = 		2019,
	sortdate = 		"2019-12-03", 
	project = "ant, ddidd, paaddos",
	jsubject = "routing",
	number =	"ISI-TR-736",
	month =		may,
	jlocation =	"johnh: pafile",
	keywords =	"ddos, filtering, hop-count, rcode, dns",
	url =		"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html",
	pdfurl =	"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.pdf",
	myorganization =	"USC/Information Sciences Institute",
	copyrightholder = "authors",
	abstract = "
Distributed Denial-of-Service (DDoS) attacks exhaust resources,
leaving a server unavailable to legitimate clients.  The Domain Name
System (DNS) is frequently the target of DDoS attacks, and its
connectionless communication makes it an easy target for spoofing
attacks.  A large body of prior work has focused on specific filters
or anti-spoofing techniques, but DDoS threats continue to grow,
augmented by the addition of millions of Internet-of-Things (IoT)
devices.  We propose two approaches to DDoS-defense:  first, we
propose having a \emph{library} of defensive filters ready, each
applicable to different attack types and with different levels of
selectivity.  Second, we suggest \emph{automatically selecting} the
best defense mechanism at attack start, and re-evaluating that choice
during the attack to account for polymorphic attacks.  While
commercial services deploy automatic defenses today, there are no
detailed public descriptions of how they work---our contribution is to
document one automated approach, and to show the importance of
multiple types of defenses.  We evaluate our approach against captured
DDoS attacks against a root DNS server, using analysis and testbed
experimentation with real DNS servers.  Our automated system can
detect attack events within 15\,s, and choose the best defense within
40\,s.  We show that we can reduce 23\% CPU usage and 63\% egress
network bandwidth with the same memory consumption and with little
collateral damage.
",
}
