Analysis of Flooding DoS Attacks Utilizing DNS Name Error Queries

  • Wang, Zheng (China Organizational Name Administration Center)
  • Received : 2012.08.08
  • Accepted : 2012.09.28
  • Published : 2012.10.31

Abstract

The Domain Name System (DNS) is a critical Internet infrastructure that provides name-to-address mapping services. In the past decade, Denial-of-Service (DoS) attacks have targeted the DNS infrastructure and threatened to disrupt this critical service. While flooding DoS attacks may be alleviated by the DNS caching mechanism, we show in this paper that flooding DoS attacks utilizing name error queries are capable of bypassing the cache of resolvers and thereby imposing overwhelming flooding attacks on the name servers. We analyze the impacts of such DoS attacks on both name servers and resolvers, which are further illustrated by the May 19 China's DNS Collapse. We also propose detection and defense approaches for protecting DNS servers from such DoS attacks. In the proposal, the victim zones and attacking clients are detected by monitoring the number of corresponding responses maintained in the negative cache. The attacking queries can then be mitigated by the resolvers with a sample proportion adaptive to the percentage of queries for existent domain names. We assess the risks of the DoS attacks through experimental results. Measurements of the request rate at a DNS name server show that this kind of attack poses a substantial threat to the current DNS service.
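The following sketch illustrates the negative-cache monitoring and adaptive sampling outlined in the abstract; it is an added example, not code from the paper. The thresholds, the two-label zone cut, the sampling rule (forward the observed share of existent-name answers) and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed negative-cache snapshot: (client_ip, queried_name) pairs that
# received a name error (NXDOMAIN). Addresses are documentation ranges.
NEGATIVE_CACHE = (
    [("198.51.100.7", f"x{i:04d}.victim.example") for i in range(40)]
    + [("198.51.100.9", f"y{i:04d}.victim.example") for i in range(25)]
    + [("192.0.2.10", "typo.shop.example"), ("192.0.2.11", "wwww.news.example")]
)
# Constructed counts of answers for existent names, per zone.
POSITIVE_ANSWERS = {"victim.example": 35, "shop.example": 500, "news.example": 300}


def zone_of(name, labels=2):
    """Assumption: the zone is the last `labels` labels of the name."""
    return ".".join(name.rstrip(".").lower().split(".")[-labels:])


def negative_counts(entries):
    """Count distinct name-error names per zone and per client."""
    by_zone, by_client = defaultdict(set), defaultdict(set)
    for client, name in entries:
        by_zone[zone_of(name)].add(name.lower())
        by_client[client].add(name.lower())
    return ({z: len(n) for z, n in by_zone.items()},
            {c: len(n) for c, n in by_client.items()})


def detect(entries, zone_limit=50, client_limit=20):
    """Flag zones and clients whose negative-cache entry count exceeds a limit."""
    zones, clients = negative_counts(entries)
    return (sorted(z for z, n in zones.items() if n > zone_limit),
            sorted(c for c, n in clients.items() if n > client_limit))


def sample_proportion(zone, entries, positive):
    """Share of a flagged zone's queries to forward: the observed fraction
    of answers for existent names (assumed rule, not the paper's formula)."""
    neg = negative_counts(entries)[0].get(zone, 0)
    pos = positive.get(zone, 0)
    return pos / (pos + neg) if pos + neg else 1.0


if __name__ == "__main__":
    victims, attackers = detect(NEGATIVE_CACHE)
    print("victim zones:", victims, "attacking clients:", attackers)
    for z in victims:
        print(z, "forward share:", sample_proportion(z, NEGATIVE_CACHE, POSITIVE_ANSWERS))
```

Because every random name under the victim zone is distinct, each one misses the positive cache and leaves its own negative-cache entry, which is why the per-zone entry count separates the flood from the isolated typos in the other zones.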
