Authoritative DNS infrastructures are at the core of the Internet ecosystem.
But how resilient are typical authoritative DNS name servers against application-layer Denial-of-Service attacks?
In this paper, with the help of a large country-code TLD operator, we assess the expected attack load and DoS countermeasures.
We find that standard botnets or even single-homed attackers can overload the computational resources of authoritative name servers—even if redundancy such as anycast is in place.
To prevent the resulting devastating DNS outages, we assess how effective upstream filters can be as a last resort.
We propose an anomaly detection defense that allows both, well-behaving high-volume DNS resolvers as well as low-volume clients to continue name lookups—while blocking most of the attack traffic.
Upstream ISPs or IXPs can deploy our scheme and drop attack traffic to reasonable query loads at or below 100k queries per second at a false positive rate of 1.2 % to 5.7 % (median 2.4 %).
History
Preferred Citation
Jonas Bushart and Christian Rossow. Anomaly-based Filtering of Application-Layer DDoS Against DNS Authoritatives. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2023.
Primary Research Area
Threat Detection and Defenses
Name of Conference
IEEE European Symposium on Security and Privacy (EuroS&P)
Legacy Posted Date
2023-04-06
Open Access Type
Unknown
BibTeX
@inproceedings{cispa_all_3925,
title = "Anomaly-based Filtering of Application-Layer DDoS Against DNS Authoritatives",
author = "Bushart, Jonas and Rossow, Christian",
booktitle="{IEEE European Symposium on Security and Privacy (EuroS&P)}",
year="2023",
}