Defending Root DNS Servers Against DDoS Using Layered Defenses (Extended). Rizvi, A., Mirkovic, J., Heidemann, J., Hardaker, W., & Story, R. Ad Hoc Networks Journal, Elsevier Science Publishing Co., Inc., December, 2023. Paper doi abstract bibtex Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a \emphlibrary of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that \emphautomatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead.
@Article{Rizvi23b,
author = "{A S M} Rizvi and Jelena Mirkovic and John
Heidemann and Wes Hardaker and Robert Story",
title = "Defending Root {DNS} Servers Against {DDoS} Using Layered
Defenses (Extended)",
journal = "Ad Hoc Networks Journal",
year = 2023,
volume = 151,
xpages = "no pages",
month = dec,
sortdate = "2023-12-01",
project = "ant, ddidd, paaddos",
jsubject = "network_security",
publisher = "Elsevier Science Publishing Co., Inc.",
jlocation = "johnh: pafile",
keywords = "ddidd, ddos, filtering, frade",
doi = "https://doi.org/10.1016/j.adhoc.2023.103259",
xblogurl = "https://ant.isi.edu/blog/?p=tbd",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.pdf",
abstract = "Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a \emph{library} of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that \emph{automatically and continuously evaluates and selects} the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2\%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead."
,}
Downloads: 0
{"_id":"t2yfcXmYETHrX5f5F","bibbaseid":"rizvi-mirkovic-heidemann-hardaker-story-defendingrootdnsserversagainstddosusinglayereddefensesextended-2023","author_short":["Rizvi, A.","Mirkovic, J.","Heidemann, J.","Hardaker, W.","Story, R."],"bibdata":{"bibtype":"article","type":"article","author":[{"firstnames":["A S M"],"propositions":[],"lastnames":["Rizvi"],"suffixes":[]},{"firstnames":["Jelena"],"propositions":[],"lastnames":["Mirkovic"],"suffixes":[]},{"firstnames":["John"],"propositions":[],"lastnames":["Heidemann"],"suffixes":[]},{"firstnames":["Wes"],"propositions":[],"lastnames":["Hardaker"],"suffixes":[]},{"firstnames":["Robert"],"propositions":[],"lastnames":["Story"],"suffixes":[]}],"title":"Defending Root DNS Servers Against DDoS Using Layered Defenses (Extended)","journal":"Ad Hoc Networks Journal","year":"2023","volume":"151","xpages":"no pages","month":"December","sortdate":"2023-12-01","project":"ant, ddidd, paaddos","jsubject":"network_security","publisher":"Elsevier Science Publishing Co., Inc.","jlocation":"johnh: pafile","keywords":"ddidd, ddos, filtering, frade","doi":"https://doi.org/10.1016/j.adhoc.2023.103259","xblogurl":"https://ant.isi.edu/blog/?p=tbd","url":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.html","pdfurl":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.pdf","abstract":"Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a \\emphlibrary of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that \\emphautomatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead.","bibtex":"@Article{Rizvi23b,\n author = \"{A S M} Rizvi and Jelena Mirkovic and John\n Heidemann and Wes Hardaker and Robert Story\",\n title = \"Defending Root {DNS} Servers Against {DDoS} Using Layered\n Defenses (Extended)\",\n journal = \"Ad Hoc Networks Journal\",\n year = 2023,\n volume = 151,\n xpages = \"no pages\",\n month = dec,\n\tsortdate = \t\t\"2023-12-01\", \n\tproject = \"ant, ddidd, paaddos\",\n\tjsubject = \"network_security\",\n publisher = \"Elsevier Science Publishing Co., Inc.\",\n jlocation = \"johnh: pafile\",\n keywords = \"ddidd, ddos, filtering, frade\",\n doi = \"https://doi.org/10.1016/j.adhoc.2023.103259\",\n\txblogurl = \"https://ant.isi.edu/blog/?p=tbd\",\n\turl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.html\",\n\tpdfurl =\t\"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.pdf\",\n\tabstract = \"Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a \\emph{library} of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that \\emph{automatically and continuously evaluates and selects} the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2\\%. We show our system can successfully mitigate resource exhaustion using replay of a real-world attack. We can handle millions of filtering rules without noticeable operational overhead.\"\n,}\n\n","author_short":["Rizvi, A.","Mirkovic, J.","Heidemann, J.","Hardaker, W.","Story, R."],"bibbaseid":"rizvi-mirkovic-heidemann-hardaker-story-defendingrootdnsserversagainstddosusinglayereddefensesextended-2023","role":"author","urls":{"Paper":"https://ant.isi.edu/%7ejohnh/PAPERS/Rizvi23b.html"},"keyword":["ddidd","ddos","filtering","frade"],"metadata":{"authorlinks":{}}},"bibtype":"article","biburl":"https://bibbase.org/f/dHevizJoWEhWowz8q/johnh-2023-2.bib","dataSources":["fxEParwu2ZfurScPY","5ByepEgrvFujJFiRX","5522rqg4rez4tcnch","7nuQvtHTqKrLmgu99"],"keywords":["ddidd","ddos","filtering","frade"],"search_terms":["defending","root","dns","servers","against","ddos","using","layered","defenses","extended","rizvi","mirkovic","heidemann","hardaker","story"],"title":"Defending Root DNS Servers Against DDoS Using Layered Defenses (Extended)","year":2023}