Enhancing DNS Resilience against Denial of Service Attacks

Abstract
The Domain Name System (DNS) is a critical Internet
infrastructure that provides name to address mapping services.
In the past few years, distributed denial of service
(DDoS) attacks have targeted the DNS infrastructure and
threaten to disrupt this critical service. In this paper we
show that the existing DNS can gain significant resilience
against DDoS attacks through a simple change to the current
DNS operations, by setting longer time-to-live values
for a special class of DNS resource records, the infrastructure
records. These records are used to navigate the
DNS hierarchy and change infrequently. ...

A number of distributed
denial of service (DDoS) attacks have been directed
against these top level DNS name-servers in recent
years [2, 3, 5, 7]. The impact on overall DNS availability
is debatable [1, 4], but some attacks did succeed in disabling
the targeted DNS servers and resulted in parts of
the Internet experiencing severe name resolution problems.
Overall, attacks can potentially threaten the DNS availability
and effectively threaten the availability of the Internet
itself.
We have developed a simple approach that can effectively
enhance the DNS resilience against DDoS attacks.
We identify a special class of DNS records called infrastructure
records, which store data for DNS infrastructure
components (namely the name-servers). DNS resolvers
use the infrastructure records to navigate the DNS hierarchy.
The presence of the infrastructure records in DNS
local caches can greatly improve the resilience of the DNS
in the presence of failures. In this paper we propose and
evaluate two methods for caching infrastructure records
for longer periods of time. First, we propose to assign a
much longer TTL value for the infrastructure records than
the data records. This is feasible because, generally speaking,
the infrastructure records change less frequently than
other DNS data records. Second, we propose a set of simple
record renewal policies. Our analysis shows that these
two changes can improve DNS service availability during
a DDoS attack by one order of magnitude.
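
The effect of the infrastructure-record TTL on a caching resolver, as an added example that is not code or data from the paper. It assumes an attack that makes the parent zone's servers unreachable while the child zone's own servers stay up; the trace, the TTL values and the `refresh_on_use` renewal policy are constructed for illustration.

```python
from dataclasses import dataclass

HOUR, DAY = 3600, 86400

@dataclass
class Outcome:
    answered: int
    failed: int

def simulate(query_times, infra_ttl, attack, refresh_on_use=False):
    """Replay one resolver's queries for names in a single child zone.

    attack = (start, end) in seconds: the parent zone's servers are unreachable
    in that window, so an expired NS/glue set cannot be re-fetched. The child
    zone's own servers stay up (assumption of this model).
    """
    start, end = attack
    expires = None            # expiry time of the cached infrastructure records
    answered = failed = 0
    for t in query_times:
        cached = expires is not None and t < expires
        if not cached:
            if start <= t < end:
                failed += 1   # referral needed, parent is down
                continue
            expires = t + infra_ttl      # fresh referral from the parent
        elif refresh_on_use:
            expires = t + infra_ttl      # hypothetical renewal: restart TTL on use
        answered += 1
    return Outcome(answered, failed)

# Constructed trace: one query every 2 hours for 48 hours; 6-hour attack at hour 24.
TRACE = list(range(0, 48 * HOUR, 2 * HOUR))
ATTACK = (24 * HOUR, 30 * HOUR)

if __name__ == "__main__":
    for ttl, refresh in [(HOUR, False), (DAY, False), (DAY, True), (7 * DAY, False)]:
        print(ttl // HOUR, "h", "refresh" if refresh else "no-refresh",
              simulate(TRACE, ttl, ATTACK, refresh))
```

In this toy trace a TTL shorter than the gap between queries gains nothing from renewal, while a TTL longer than the gap combined with renewal keeps the records cached through the whole attack window.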
The main benefit of our approach is that it is operationally
feasible and immediately deployable by either
large or small zones. In contrast, the currently deployed
solution of shared unicast addresses [14] aims at absorbing
the attack load by installing a large number of nameservers.
This solution is suitable for large zones, such
as the root and the top level domains, that can afford the
cost. Smaller zones may not be able to afford adding a
large number of name-servers. Other solutions proposed
by the research community [10, 21, 20, 12, 11] address the
problem of DDoS attacks against DNS by introducing major
protocol changes or by redesigning the whole system.
Although some of them are considered incrementally deployable,
their adoption is hindered by the operators’ reluctance
to introduce major changes in an operational
system. Our approach requires no protocol changes while
achieving similar levels of resilience against DDoS attacks.
The rest of the paper is structured as follows. Sections 2
and 3 review the basic DNS concepts and the threat posed
by DDoS attacks. Section 4 presents our TTL guidelines
and caching enhancements. Section 5 evaluates our approach
using a set of real DNS traffic traces. Section 6 discusses
some issues related to other attack strategies. Sec-
37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)
0-7695-2855-4/07 $20.00 © 2007
