(2023) Anomaly-based Filtering of Application-Layer DDoS Against DNS Authoritatives.
![[img]](https://publications.cispa.saarland/style/images/fileicons/text.png) |
Text
dns-applayer-ddos-protection.pdf Download (2MB) |
Abstract
Authoritative DNS infrastructures are at the core of the Internet ecosystem. But how resilient are typical authoritative DNS name servers against application-layer Denial-of-Service attacks? In this paper, with the help of a large country-code TLD operator, we assess the expected attack load and DoS countermeasures. We find that standard botnets or even single-homed attackers can overload the computational resources of authoritative name servers—even if redundancy such as anycast is in place. To prevent the resulting devastating DNS outages, we assess how effective upstream filters can be as a last resort. We propose an anomaly detection defense that allows both, well-behaving high-volume DNS resolvers as well as low-volume clients to continue name lookups—while blocking most of the attack traffic. Upstream ISPs or IXPs can deploy our scheme and drop attack traffic to reasonable query loads at or below 100k queries per second at a false positive rate of 1.2 % to 5.7 % (median 2.4 %).
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Christian Rossow (System Security Group, SysSec) |
| Conference: | EuroS&P IEEE European Symposium on Security and Privacy |
| Depositing User: | Jonas Bushart |
| Date Deposited: | 06 Apr 2023 07:09 |
| Last Modified: | 06 Apr 2023 07:09 |
| Primary Research Area: | NRA3: Threat Detection and Defenses |
| URI: | https://publications.cispa.saarland/id/eprint/3925 |
Actions
Actions (login required)
 |
View Item |