Dynamically Selecting Defenses to DDoS for DNS (extended). Rizvi, A., Heidemann, J., & Mirkovic, J. Technical Report ISI-TR-736, USC/Information Sciences Institute, May, 2019. Paper abstract bibtex Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is frequently the target of DDoS attacks, and its connectionless communication makes it an easy target for spoofing attacks. A large body of prior work has focused on specific filters or anti-spoofing techniques, but DDoS threats continue to grow, augmented by the addition of millions of Internet-of-Things (IoT) devices. We propose two approaches to DDoS-defense: first, we propose having a \emphlibrary of defensive filters ready, each applicable to different attack types and with different levels of selectivity. Second, we suggest \emphautomatically selecting the best defense mechanism at attack start, and re-evaluating that choice during the attack to account for polymorphic attacks. While commercial services deploy automatic defenses today, there are no detailed public descriptions of how they work—our contribution is to document one automated approach, and to show the importance of multiple types of defenses. We evaluate our approach against captured DDoS attacks against a root DNS server, using analysis and testbed experimentation with real DNS servers. Our automated system can detect attack events within 15\,s, and choose the best defense within 40\,s. We show that we can reduce 23% CPU usage and 63% egress network bandwidth with the same memory consumption and with little collateral damage.
@TechReport{Rizvi19a,
author = "{ASM} Rizvi and John Heidemann and Jelena Mirkovic",
title = "Dynamically Selecting Defenses to {DDoS} for {DNS} (extended)",
institution = "USC/Information Sciences Institute",
year = 2019,
sortdate = "2019-12-03",
project = "ant, ddidd, paaddos",
jsubject = "routing",
number = "ISI-TR-736",
month = may,
jlocation = "johnh: pafile",
keywords = "ddos, filtering, hop-count, rcode, dns",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "
Distributed Denial-of-Service (DDoS) attacks exhaust resources,
leaving a server unavailable to legitimate clients. The Domain Name
System (DNS) is frequently the target of DDoS attacks, and its
connectionless communication makes it an easy target for spoofing
attacks. A large body of prior work has focused on specific filters
or anti-spoofing techniques, but DDoS threats continue to grow,
augmented by the addition of millions of Internet-of-Things (IoT)
devices. We propose two approaches to DDoS-defense: first, we
propose having a \emph{library} of defensive filters ready, each
applicable to different attack types and with different levels of
selectivity. Second, we suggest \emph{automatically selecting} the
best defense mechanism at attack start, and re-evaluating that choice
during the attack to account for polymorphic attacks. While
commercial services deploy automatic defenses today, there are no
detailed public descriptions of how they work---our contribution is to
document one automated approach, and to show the importance of
multiple types of defenses. We evaluate our approach against captured
DDoS attacks against a root DNS server, using analysis and testbed
experimentation with real DNS servers. Our automated system can
detect attack events within 15\,s, and choose the best defense within
40\,s. We show that we can reduce 23\% CPU usage and 63\% egress
network bandwidth with the same memory consumption and with little
collateral damage.
",
}
Downloads: 0
{"_id":"gRLRG9492jDkGe7hY","bibbaseid":"rizvi-heidemann-mirkovic-dynamicallyselectingdefensestoddosfordnsextended-2019","author_short":["Rizvi, A.","Heidemann, J.","Mirkovic, J."],"bibdata":{"bibtype":"techreport","type":"techreport","author":[{"firstnames":["ASM"],"propositions":[],"lastnames":["Rizvi"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]},{"firstnames":["Jelena"],"propositions":[],"lastnames":["Mirkovic"],"suffixes":[]}],"title":"Dynamically Selecting Defenses to DDoS for DNS (extended)","institution":"USC/Information Sciences Institute","year":"2019","sortdate":"2019-12-03","project":"ant, ddidd, paaddos","jsubject":"routing","number":"ISI-TR-736","month":"May","jlocation":"johnh: pafile","keywords":"ddos, filtering, hop-count, rcode, dns","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.pdf","myorganization":"USC/Information Sciences Institute","copyrightholder":"authors","abstract":"Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is frequently the target of DDoS attacks, and its connectionless communication makes it an easy target for spoofing attacks. A large body of prior work has focused on specific filters or anti-spoofing techniques, but DDoS threats continue to grow, augmented by the addition of millions of Internet-of-Things (IoT) devices. We propose two approaches to DDoS-defense: first, we propose having a \\emphlibrary of defensive filters ready, each applicable to different attack types and with different levels of selectivity. Second, we suggest \\emphautomatically selecting the best defense mechanism at attack start, and re-evaluating that choice during the attack to account for polymorphic attacks. While commercial services deploy automatic defenses today, there are no detailed public descriptions of how they work—our contribution is to document one automated approach, and to show the importance of multiple types of defenses. We evaluate our approach against captured DDoS attacks against a root DNS server, using analysis and testbed experimentation with real DNS servers. Our automated system can detect attack events within 15\\,s, and choose the best defense within 40\\,s. We show that we can reduce 23% CPU usage and 63% egress network bandwidth with the same memory consumption and with little collateral damage. ","bibtex":"@TechReport{Rizvi19a,\n\tauthor = \t\"{ASM} Rizvi and John Heidemann and Jelena Mirkovic\",\n\ttitle = \t\"Dynamically Selecting Defenses to {DDoS} for {DNS} (extended)\",\n\tinstitution = \t\"USC/Information Sciences Institute\",\n\tyear = \t\t2019,\n\tsortdate = \t\t\"2019-12-03\", \n\tproject = \"ant, ddidd, paaddos\",\n\tjsubject = \"routing\",\n\tnumber =\t\"ISI-TR-736\",\n\tmonth =\t\tmay,\n\tjlocation =\t\"johnh: pafile\",\n\tkeywords =\t\"ddos, filtering, hop-count, rcode, dns\",\n\turl =\t\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.pdf\",\n\tmyorganization =\t\"USC/Information Sciences Institute\",\n\tcopyrightholder = \"authors\",\n\tabstract = \"\nDistributed Denial-of-Service (DDoS) attacks exhaust resources,\nleaving a server unavailable to legitimate clients. The Domain Name\nSystem (DNS) is frequently the target of DDoS attacks, and its\nconnectionless communication makes it an easy target for spoofing\nattacks. A large body of prior work has focused on specific filters\nor anti-spoofing techniques, but DDoS threats continue to grow,\naugmented by the addition of millions of Internet-of-Things (IoT)\ndevices. We propose two approaches to DDoS-defense: first, we\npropose having a \\emph{library} of defensive filters ready, each\napplicable to different attack types and with different levels of\nselectivity. Second, we suggest \\emph{automatically selecting} the\nbest defense mechanism at attack start, and re-evaluating that choice\nduring the attack to account for polymorphic attacks. While\ncommercial services deploy automatic defenses today, there are no\ndetailed public descriptions of how they work---our contribution is to\ndocument one automated approach, and to show the importance of\nmultiple types of defenses. We evaluate our approach against captured\nDDoS attacks against a root DNS server, using analysis and testbed\nexperimentation with real DNS servers. Our automated system can\ndetect attack events within 15\\,s, and choose the best defense within\n40\\,s. We show that we can reduce 23\\% CPU usage and 63\\% egress\nnetwork bandwidth with the same memory consumption and with little\ncollateral damage.\n\",\n}\n\n","author_short":["Rizvi, A.","Heidemann, J.","Mirkovic, J."],"bibbaseid":"rizvi-heidemann-mirkovic-dynamicallyselectingdefensestoddosfordnsextended-2019","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi19a.html"},"keyword":["ddos","filtering","hop-count","rcode","dns"],"metadata":{"authorlinks":{}}},"bibtype":"techreport","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["YLyu3mj3xsBeoqiHK","fLZcDgNSoSuatv6aX","fxEParwu2ZfurScPY","7nuQvtHTqKrLmgu99"],"keywords":["ddos","filtering","hop-count","rcode","dns"],"search_terms":["dynamically","selecting","defenses","ddos","dns","extended","rizvi","heidemann","mirkovic"],"title":"Dynamically Selecting Defenses to DDoS for DNS (extended)","year":2019}