Abstract
DDoS attacks have been a problem since 2000. In October 2016, there was a major DDoS attack against the service provider Dyn's DNS service, which took the service down. This was one of the largest-bandwidth DDoS attacks ever documented, with attack bandwidth over 650 Gbps. With Dyn's DNS service down, clients could not obtain the IP addresses of the organizations hosting their DNS with Dyn, such as Twitter. Our contribution is a way to mitigate the effect of DDoS attacks against DNS services. It requires only some very small algorithm changes in the DNS protocol: more specifically, we propose to add two additional timers. Even if the end DNS clients don't support these timers, they will receive the new functionality via the DNS resolvers and recursive servers. In summary, our contributions give organizations much more control over the specific conditions under which DNS cache entries should be aged or used. This allows an organization to (1) expire client DNS caches much more quickly and (2) mitigate the effects of DDoS attacks on DNS. Our contributions are also helpful to organizations even when there is no DDoS DNS attack.
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Booth, T., Andersson, K. (2017). DNS DDoS Mitigation, via DNS Timer Design Changes. In: Doss, R., Piramuthu, S., Zhou, W. (eds) Future Network Systems and Security. FNSS 2017. Communications in Computer and Information Science, vol 759. Springer, Cham. https://doi.org/10.1007/978-3-319-65548-2_4
DOI: https://doi.org/10.1007/978-3-319-65548-2_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65547-5
Online ISBN: 978-3-319-65548-2
eBook Packages: Computer Science, Computer Science (R0)