DOI: 10.1145/3278532.3278534

Research article
When the Dike Breaks: Dissecting DNS Defenses During DDoS

Published: 31 October 2018

ABSTRACT

The Internet's Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes: some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While the DNS protocol itself is relatively simple, the system has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side's DNS user experience and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages that last less than cache lifetimes. Caching and retries together allow up to half of the clients to tolerate DDoS attacks longer than cache lifetimes with 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. While clients may get service during an attack, tail latency increases for clients. For servers, retries during DDoS attacks increase normal traffic up to 8x. Our findings about caching and retries help explain why users see service outages from some real-world DDoS events, but minimal visible effects from others.
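The interplay the abstract describes, caching letting clients ride out outages shorter than the TTL while retries keep queries alive at the cost of extra server load, can be seen in a small model. This is a constructed toy simulation added here, not the paper's code or data; the TTL, retry count, loss rate and attack window are assumed parameters.

```python
# Toy model (constructed for illustration; not the paper's code or data):
# clients ask one recursive resolver for a name every `interval` seconds.
# A cache hit is answered locally; a miss is sent upstream to the
# authoritative server with up to `max_tries` attempts, each lost with
# probability `loss` while the attack window is active (0 otherwise).
import random


def expected_tries(loss, max_tries):
    """Expected upstream attempts per cache miss: 1 + p + ... + p^(k-1).
    This is the per-miss traffic multiplier that retries impose on the server."""
    return sum(loss ** i for i in range(max_tries))


def success_prob(loss, max_tries):
    """Probability that at least one of the k attempts gets through."""
    return 1 - loss ** max_tries


def simulate(ttl, max_tries, loss, attack_start, attack_end,
             interval=1.0, duration=600.0, seed=1):
    """Return (fraction of client queries answered, upstream queries sent)."""
    rng = random.Random(seed)
    cache_expiry = -1.0          # cache is empty at t=0
    asked = answered = upstream = 0
    t = 0.0
    while t < duration:
        asked += 1
        if t < cache_expiry:     # cache hit: served regardless of the attack
            answered += 1
        else:
            p = loss if attack_start <= t < attack_end else 0.0
            for _ in range(max_tries):
                upstream += 1
                if rng.random() >= p:   # this attempt got through
                    cache_expiry = t + ttl
                    answered += 1
                    break
        t += interval
    return answered / asked, upstream


if __name__ == "__main__":
    # Outage shorter than the TTL, after the cache is warm: fully ridden out.
    print(simulate(ttl=300, max_tries=3, loss=1.0, attack_start=10, attack_end=200))
    # Attack longer than the TTL with 90% loss: retries keep some queries alive,
    # but every miss now costs the server up to max_tries queries.
    print(simulate(ttl=60, max_tries=3, loss=0.9, attack_start=0, attack_end=600))
    print(expected_tries(0.9, 3), success_prob(0.9, 3))
```

Compare the upstream count of an attacked run against the same run with `loss=0.0` to see the retry-driven load increase on the authoritative side.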

Published in

IMC '18: Proceedings of the Internet Measurement Conference 2018
October 2018, 507 pages
ISBN: 9781450356190
DOI: 10.1145/3278532

Copyright © 2018 ACM

Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher: Association for Computing Machinery, New York, NY, United States
