Mitigating DNS DoS Attacks

Transcription

1 Mitigating DNS DoS Attacks Hitesh Ballani and Paul Francis Cornell University ACM CCS 2008

2 DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the resolution of The zone s resource records And the records for any of the sub-zones. edu. com. us. jp. cornell.edu. cmu.edu mit.edu cs.cornell.edu. eng.cornell.edu.

3 DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the resolution of The zone s resource records And the records for any of the sub-zones FLOOD ATTACK. edu. com. us. jp. cornell.edu. cmu.edu mit.edu cs.cornell.edu. eng.cornell.edu.

4 DoS attacks on DNS Attack: Flood the nameservers of a DNS zone Goal: Disrupt the resolution of The zone s resource records And the records for any of the sub-zones Attacks aplenty (some successful, other not!) Microsoft attacked (2001) DNS Root Servers attacked (2002) SCO attacked (2003) Akamai attacked (2004) Root Servers, TLDs and UltraDNS (2006) Root Servers attacked (2007)

5 Networking community to the rescue Kangasharaju et. al.(g Cox et. al.(g Theimer et. al(g Ramasubramaniam et. al.(g Handley et. al.(g Deegan et. al.(g [INFOCOM 00] [IPTPS 02] [ICDCS 02] [SIGCOMM 04] [HotNets 05] [SIGCOMM CCR 05]

6 Networking community to the rescue Kangasharaju et. al.(g Cox et. al.(g Theimer et. al(g Ramasubramaniam et. al.(g Handley et. al.(g Deegan et. al.(g [INFOCOM 00] [IPTPS 02] [ICDCS 02] [SIGCOMM 04] [HotNets 05] [SIGCOMM CCR 05] Decouple data distribution from authority hierarchy Ensure availability of data distribution mechanism

7 Networking community to the rescue Kangasharaju et. al.(g Cox et. al.(g Theimer et. al(g Ramasubramaniam et. al.(g Handley et. al.(g Deegan et. al.(g [INFOCOM 00] [IPTPS 02] [ICDCS 02] [SIGCOMM 04] [HotNets 05] [SIGCOMM CCR 05] Decouple data distribution from authority hierarchy Ensure availability of data distribution mechanism Centralized approaches(g

8 Networking community to the rescue Kangasharaju et. al.(g Cox et. al.(g Theimer et. al(g Ramasubramaniam et. al.(g Handley et. al.(g Deegan et. al.(g [INFOCOM 00] [IPTPS 02] [ICDCS 02] [SIGCOMM 04] [HotNets 05] [SIGCOMM CCR 05] Decouple data distribution from authority hierarchy Ensure availability of data distribution mechanism Centralized approaches(g Peer-to-peer approaches(g

9 A complementary tact to handle DoS attacks Do away with the need for 100% availability Clients are able to resolve a zone s records even when the zone s nameservers are not available

10 In this paper A minor modification in the caching behavior of DNS resolvers Reduces the need for nameserver availability in the existing DNS framework Mitigates the impact of DoS attacks on DNS

11 Talk Outline Introductiong( DNS Resolvers Todayg( Proposed Modificationg( Evaluationg( The Goodg( The Bad and the Uglyg(

12 DNS Resolvers Today(g Client Root-Server A? Resolver Nameserver (.edu TLD) Cache Nameserver (.cornell.edu)

13 DNS Resolvers Today(g Client Root-Server A? Resolver Nameserver (.edu TLD) Lookup A? Cache Nameserver (.cornell.edu) Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy 3. Traversal fails Resolution fails

14 DNS Resolvers Today(g Client Root-Server A? Resolver Nameserver (.edu TLD) Lookup NS?.cornell.edu NS?.edu Cache Nameserver (.cornell.edu) Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy 3. Traversal fails Resolution fails

15 DNS Resolvers Today(g Client Root-Server Resolver Nameserver (.edu TLD) Cache Nameserver (.cornell.edu) Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy 3. Traversal fails Resolution fails

16 DNS Resolvers Today(g Client Root-Server A= Resolver Nameserver (.edu TLD) Cache Nameserver (.cornell.edu) Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy 3. Traversal fails Resolution fails

17 DNS Resolvers Today(g Client Root-Server Resolver Cache Traversal fails Nameserver (.edu TLD) Nameserver (.cornell.edu) Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy 3. Traversal fails Resolution fails

18 DNS Resolvers Today(g Client Root-Server Resolver Nameserver (.edu TLD) Cache responses for TTL period Cache Nameserver (.cornell.edu) Resolver caching behavior Cached records expunged after their TTL expires

19 Proposed Modification(g Client Root-Server Resolver Nameserver (.edu TLD) Stale Cache Stale Records Cache Nameserver (.cornell.edu) Cached records expunged to a Stale Cache

20 Proposed Modification(g Client Root-Server Resolver Nameserver (.edu TLD) Stale Cache.edu NS Lookup Cache Modified Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy Nameserver (.cornell.edu) 3. Traversal fails Resolution can continue

21 Proposed Modification(g Client Root-Server Resolver Nameserver (.edu TLD) Stale Cache Cache Lookup successful Modified Resolution Process 1. Lookup the resolver cache 2. Traverse down the DNS hierarchy Nameserver (.cornell.edu) 3. Traversal fails Resolution can continue

22 Proposed Modification(g Client Root-Server Resolver Nameserver (.edu TLD) Stale Cache Cache Lookup successful Nameserver (.cornell.edu) Stale records for a zone used only when the nameservers for the zone are unavailable

23 Stale Cache Details(g Expunging records from the Stale Cache Responses from nameservers used to clean up the stale cache Stale Cache lookup time not critical Lookups can be done while querying the nameservers

25 DNS Trace Collection Cornell CS Dept. INTERNET DNS Trace Collector Anonymise DNS Trace 65-Day DNS Trace 138 million DNS packets 4.5 million unique DNS names Trace collected at Border Router Network s resolvers could not answer the collected queries

26 Stale Cache Simulation Simulation Variables Stale Cache Size Number of days for which stale records are kept Varied from 1 to 30 days Attack Duration Varied from 3 to 24 hours

27 Is History Useful? Attack: Entire DNS Fails

28 Is History Useful? Attack: Entire DNS Fails Fraction of Queries Answered Hr 06 Hr 12 Hr 24 Hr Stale Cache Size (days) 14-Day Stale Cache can answer 80% queries

29 Is History Useful? Attack: Entire DNS Fails Fraction of Accurate Records Hr 06 Hr 12 Hr 24 Hr Stale Cache Size (days) 99.6% accurate answers with 14-Day Stale Cache

30 Root-Servers Fail Other Attack Scenarios Queries for Top-level Domains (TLDs) not resolved Stale Cache can answer all such queries TLD Nameservers Fail Queries for two-level names (eg, a.com) not resolved Stale Cache can answer >75% such queries Accuracy of answers is 99.4%

31 Depends on network Number of hosts Query-rate For the collected trace Memory Footprint 1300 hosts and 25 DNS pkts/sec Month-long Stale Cache = 313MB

32 Proposed Modification: Pros Increased DNS Robustness Nameserver availability less crucial Mitigates the impact of DoS attacks Simplicity Does not change the basic protocol operation Does not impose any load on DNS Does not impact the query resolution latency Incremental Deployment Motivation for deployment

34 Ballani Vixie Obsolete Autonomy Attack Latency Too specific

35 Ballani Vixie Obsolete Autonomy Attack Latency Too specific Possibility of obsolete information being used Obselete zone records used by a resolver only if Zone s records have been updated since the last access by the resolver Zone s nameservers are inaccessible

36 Ballani Vixie Obsolete Autonomy Attack Latency Too specific Possibility of obsolete information being used Obselete zone records used by a resolver only if Zone s records have been updated since the last access by the resolver Zone s nameservers are inaccessible Trade-off between the possibility of obsolete information being used and the inability to resolve queries

37 Ballani Vixie Obsolete Autonomy Attack Latency Too specific Possibility of obsolete information being used Obselete zone records used by a resolver only if Zone s records have been updated since the last access by the resolver Zone s nameservers are inaccessible Trade-off between the possibility of obsolete information being used and the inability to resolve queries Restrict the Stale Cache size

38 Ballani Vixie Obsolete Autonomy Attack Latency Too specific Greg Minshall s former CEO:... he would sign (almost) any contract, as long as he could get out of it in a finite period of time

39 Ballani Vixie Obsolete Autonomy Attack Latency Too specific Greg Minshall s former CEO:... he would sign (almost) any contract, as long as he could get out of it in a finite period of time Zone Autonomy Does the.com zone operator control access to the.xxx.com sub-zone? Today Proposed.xxx.com NS records expire after a TTL period?

40 Obsolete Autonomy Attack Latency Too specific Ballani Vixie Greg Minshall s former CEO:... he would sign (almost) any contract, as long as he could get out of it in a finite period of time Zone Autonomy Does the.com zone operator control access to the.xxx.com sub-zone? Today.xxx.com NS records expire after a TTL period Proposed Can respond with a NXDOMAIN for queries for.xxx.com Zone operators still control access to their sub-zones

41 Obsolete Autonomy Attack Latency Too specific Ballani Vixie Attackers forcing the use of obsolete records for a zone by Waiting for the zone s records to be updated And then flooding the zone s nameservers

42 Obsolete Autonomy Attack Latency Too specific Ballani Vixie Attackers forcing the use of obsolete records for a zone by Waiting for the zone s records to be updated And then flooding the zone s nameservers

43 Obsolete Autonomy Attack Latency Too specific Ballani Vixie Resolution latency in the face of attacks Resolver must query each nameserver of a zone before using the zone s records from the stale cache Given default resolver timeout configurations, this can lead to high resolution latencies

44 Obsolete Autonomy Attack Latency Too specific Ballani Vixie Resolution latency in the face of attacks Resolver must query each nameserver of a zone before using the zone s records from the stale cache Given default resolver timeout configurations, this can lead to high resolution latencies Alleviative: Resolvers configured with aggressive retry and timeout values

45 Obsolete Autonomy Attack Latency Too specific Ballani Vixie DNS servers can still be overwhelmed Unable to update the zone s records Application servers can still be DoS ed

46 Obsolete Autonomy Attack Latency Too specific Ballani Vixie DNS servers can still be overwhelmed Unable to update the zone s records Application servers can still be DoS ed Do DNS servers and Application servers share the network bottleneck?

47 Summary A minor modification in the caching behavior of DNS resolvers Reduces the need for nameserver availability in the existing DNS framework Mitigates the impact of DoS attacks on DNS Stale Cache Modifies the DNS caching semantics Does not impact fundamental DNS characteristics

48 Thank You!