Enhancing DNS Resilience against Denial of Service Attacks
The Domain Name System (DNS) is a critical Internet
infrastructure that provides name to address mapping services.
In the past few years, distributed denial of service
(DDoS) attacks have targeted the DNS infrastructure and
threaten to disrupt this critical service. In this paper we
show that the existing DNS can gain significant resilience
against DDoS attacks through a simple change to the current
DNS operations, by setting longer time-to-live values
for a special class of DNS resource records, the infrastructure
records. These records are used to navigate the
DNS hierarchy and change infrequently.
A number of distributed
denial of service (DDoS) attacks have been directed
against these top level DNS name-servers in recent
years [2, 3, 5, 7]. The impact on overall DNS availability
is debatable [1, 4], but some attacks did succeed in disabling
the targeted DNS servers and resulted in parts of
the Internet experiencing severe name resolution problems.
Overall, such attacks can potentially threaten DNS availability
and, in effect, the availability of the Internet as a whole.
We have developed a simple approach that can effectively
enhance the DNS resilience against DDoS attacks.
We identify a special class of DNS records called infrastructure
records, which store data for DNS infrastructure
components (namely the name-servers). DNS resolvers
use the infrastructure records to navigate the DNS hierarchy.
The presence of the infrastructure records in DNS
local caches can greatly improve the resilience of the DNS
in the presence of failures. In this paper we propose and
evaluate two methods for caching infrastructure records
for longer periods of time. First, we propose to assign a
much longer TTL value for the infrastructure records than
the data records. This is feasible because, generally speaking,
the infrastructure records change less frequently than
other DNS data records. Second, we propose a set of simple
record renewal policies. Our analysis shows that these
two changes can improve DNS service availability during
a DDoS attack by one order of magnitude.
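To make the argument of the two paragraphs above concrete, here is a constructed toy model (added here; not code from the paper or its authors) of a resolver that can keep resolving names in a zone while the parent (TLD) servers are under DDoS only for as long as the zone's NS record, an infrastructure record, remains in its cache. The TTL values, the attack window and the "renew on use when less than half the TTL remains" policy are assumptions chosen for illustration, not the paper's measured parameters or its exact renewal policies.

```python
"""Constructed toy model: availability of name resolution for one zone while
the parent (TLD) servers are unreachable, as a function of how long the
zone's NS record (an infrastructure record) stays cached at the resolver."""


def simulate(infra_ttl, data_ttl, renew_below=0, duration=2880,
             attack=(1000, 2200), query_every=10):
    """Return (successful, total) resolutions during the attack window.

    infra_ttl   TTL in minutes of the zone's NS record, served by the parent
    data_ttl    TTL in minutes of the host's A record, served by the zone itself
    renew_below constructed renewal policy: when the cached NS record is used
                with fewer than this many minutes left, re-fetch it from the
                parent if the parent is reachable (0 disables renewal)
    attack      half-open minute interval during which the parent is unreachable
    """
    cache = {}                      # record name -> minute at which it expires
    ok = total = 0
    for t in range(0, duration, query_every):
        in_attack = attack[0] <= t < attack[1]
        parent_up = not in_attack   # the attack targets the parent, not the zone
        ns_exp = cache.get("ns", -1)
        if ns_exp <= t:             # NS record missing or expired
            resolved = parent_up    # must walk the hierarchy via the parent
            if parent_up:
                cache["ns"] = t + infra_ttl
        else:                       # cached NS record still usable
            resolved = True
            if parent_up and ns_exp - t < renew_below:
                cache["ns"] = t + infra_ttl      # proactive renewal on use
        if resolved and cache.get("a", -1) <= t:
            cache["a"] = t + data_ttl            # the zone's own servers answer
        if in_attack:
            total += 1
            ok += int(resolved)
    return ok, total


def compare():
    """Availability under four cache configurations (TTLs in minutes)."""
    return {
        "short infra TTL (2h), no renewal": simulate(120, 60),
        "long infra TTL (7d), short data TTL": simulate(10080, 60),
        "1-day infra TTL, no renewal": simulate(1440, 60),
        "1-day infra TTL, renew below 12h": simulate(1440, 60, renew_below=720),
    }


if __name__ == "__main__":
    for label, (ok, total) in compare().items():
        print(f"{label:40s} {ok:3d}/{total} resolutions succeeded during attack")
```

The data record keeps a short TTL in every configuration; only the infrastructure record's lifetime (and its renewal) decides whether the resolver survives the 20-hour outage of the parent.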
The main benefit of our approach is that it is operationally
feasible and immediately deployable by either
large or small zones. In contrast, the currently deployed
solution of shared unicast addresses aims at absorbing
the attack load by installing a large number of nameservers.
This solution is suitable for large zones, such
as the root and the top level domains, that can afford the
cost. Smaller zones may not be able to afford adding a
large number of name-servers. Other solutions proposed
by the research community [10, 21, 20, 12, 11] address the
problem of DDoS attacks against DNS by introducing major
protocol changes or by redesigning the whole system.
Although some of them are considered incrementally deployable,
their adoption is hindered by the operators’ reluctance
to introduce major changes in an operational
system. Our approach requires no protocol changes while
achieving similar levels of resilience against DDoS attacks.
The rest of the paper is structured as follows. Sections 2
and 3 review the basic DNS concepts and the threat posed
by DDoS attacks. Section 4 presents our TTL guidelines
and caching enhancements. Section 5 evaluates our approach
using a set of real DNS traffic traces. Section 6 discusses
some issues related to other attack strategies. Sec-
37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)
0-7695-2855-4/07 $20.00 © 2007