Mitigating DNS DoS attacks

14 years 1 months ago

Download www.cs.cornell.edu

This paper considers DoS attacks on DNS wherein attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to the zone and consequently, any of its sub-zones. We propose a minor change in the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached records whose TTL has expired; rather, such records are stored in a separate "stale cache". If, during the resolution of a query, a resolver does not receive any response from the nameservers that are responsible for authoritatively answering the query, it can use the information stored in the stale cache to answer the query. In effect, the stale cache is the part of the global DNS database that has been accessed by the resolver and represents an insurance policy that the resolver uses only when the relevant DNS servers are unavailable. We analyze a 65-day DNS trace to quantify the benefits of a st...

Hitesh Ballani, Paul Francis

Real-time Traffic

CCS 2008 | DNS Resolvers | DoS Attacks | Security Privacy | Stale Cache |

claim paper

Post Info
More Details (n/a)

Added	12 Oct 2010
Updated	12 Oct 2010
Type	Conference
Year	2008
Where	CCS
Authors	Hitesh Ballani, Paul Francis

Comments (0)

Sciweavers

Mitigating DNS DoS attacks

CCS 2008 | DNS Resolvers | DoS Attacks | Security Privacy | Stale Cache |

Explore & Download

Productivity Tools

Document Tools

Image Tools

Sciweavers