
Protecting Against DNS Cache Poisoning Attacks

Jonathan Trostle Bill Van Besien Ashish Pujari


Jonathan Trostle and Bill Van Besien: Johns Hopkins University, APL, 11100 Johns Hopkins Rd., Laurel, MD 20273
Ashish Pujari: Johns Hopkins University, Information Security Institute, 3400 Charles St., Baltimore, MD 20273
Email: [email protected], [email protected]

978-1-4244-8915-2/10/$26.00 © 2010 IEEE

Abstract—DNS is vulnerable to cache poisoning attacks, whereby an attacker sends a spoofed reply to its own query. Historically, an attacker only needed to guess a predictable, or more recently, a 16 bit pseudorandom ID in order to be successful. The Kaminsky attack [7] demonstrated successful poisoning attacks that required only 6 seconds on typical networks. Since then, source port randomization (spr) has been used for additional protection. Nevertheless, E. Polyakov demonstrated successful poisoning attacks against spr given a Gigabit network, on the order of 10 hours. Even with slower network speeds, an attack is likely to be successful in a moderate time period. DNSSEC [3] will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, there is a need for additional countermeasures that can be deployed in the near term. In this paper, we describe a new approach that is based on detecting a poisoning attack, then sending an additional request for the same DNS Resource Record. Since the defense is only activated when attacks occur, we expect the performance impact to be minimal. The countermeasure requires no changes to the DNS standards, and only requires modifications to the caching server. Thus it can be deployed incrementally in order to obtain immediate security benefits. We show that our proposed defense makes poisoning attacks substantially more difficult. We have implemented the countermeasure using a local proxy for the BIND caching server, and our tests show that the performance impact is minimal.

I. INTRODUCTION

The Domain Name Service (DNS) has long been subject to poisoning attacks. A poisoning attack is carried out as follows: (1) a DNS resolver sends a DNS request to a recursive server; (2) the resolver sends an answer to its own query using the address of the authority server as the source address. This attack has been facilitated historically, since both the source port and destination port have been well known ports. Since the recursive server caches the answer, a spoofed incorrect answer will also be returned to every other DNS client that requests a RR (Resource Record) for the same name, for the duration of the TTL (time to live). Thus this attack can be used in conjunction with web spoofing [5] to spoof a heavily used e-commerce web site. Even careful users will be fooled since the web URL will be correct.

There have been several improvements to DNS that have increased the difficulty of mounting poisoning attacks from trivially easy to requiring substantial work on the part of the attacker. The latest approach is to use random transaction IDs together with source port randomization (spr) [1]. These all operate in a security model where the attacker is remote and does not have eavesdropping access to DNS messages over the network. There are also specifications for Internet standards that provide stronger cryptographic mechanisms for DNS security including DNSSEC and TSIG [3], [14]. DNSSEC and TSIG protect against on-the-wire attacks as well as preventing spoofing in the remote attacker model. However, deployment of DNSSEC has not yet occurred due to the initial deployment costs and policy/legal issues associated with public key certification. Thus there is value in solutions that can improve DNS security, provided they can be deployed immediately. We emphasize that DNSSEC provides security against a wider range of attacks, in addition to protecting against cache poisoning.

In [2], a clever mechanism, 0x20, is proposed to give additional protection against DNS poisoning attacks. DNS requests are sent with a random mixture of lower case and upper case characters. Most servers will reply with the same random mixture of characters in the domain name. Thus one additional bit per character in the domain name is gained, for the entropy of the request. Given both spr and 0x20, the attacker has to guess the transaction ID, the source port number, and the particular mixture of cases in the request. 0x20 only gives limited protection for short domain names. A more significant limitation is that not all DNS servers are 0x20 compliant, and 0x20 is unlikely to advance as an IETF standard. The effectiveness of this countermeasure is greatly reduced given even a small percentage of non-compliant servers, since then a list of the non-compliant servers would have to be maintained by all DNS requestors. It would be difficult to ensure that this list is up to date and accurate.

Given the current countermeasure, random IDs combined with spr, an attacker may need to send requests for a period of anywhere between 1-5 days in order to successfully poison a DNS cache (we have verified this attack in our lab). Unfortunately, a determined attacker could carry out such an attack. In this paper, we present a technique that greatly increases the difficulty of DNS cache poisoning. We will show that a persistent long-lived attack has a minimal chance of succeeding, even over a period of a year or longer.

Our new technique is based on sending additional DNS queries when a likely poisoning attack is detected. The recursive DNS server (our implementation uses a proxy) initially listens on k random ports. A packet received on any of these ports indicates a potential spoofing attack. When such
a packet is received, the server enters the secure mode for a short period (e.g., 20 seconds). The server sends two DNS queries for each recursive request that it receives during this period. If the intersection of the RRs in the responses is nonempty (the common case), those RRs are cached and returned to the requestor. Since an attacker has to guess the transaction IDs and random ports for both of the requests, it is exponentially harder to successfully send a spoofed reply during the secure mode period. The attacker's optimal strategy is to keep guessing, in which case the server keeps re-entering the secure mode. We show that the attacker's probability of success is sufficiently low, given proper choices for the parameters k and w, where w is the number of seconds that the server is in secure mode. (Stronger security is obtained with larger values of k and w.) The set of k ports is also updated as packets are received on them to prevent the adversary from identifying these ports in order to avoid them. Some DNS techniques vary the A records for content distribution, load balancing, and security. Our technique handles these cases since a nonempty intersection usually occurs in the first two responses. If not, an additional query can be sent.

Most of the time, most DNS servers are not under attack, and thus overall performance impact should be minimal (servers operate as they do currently when not under attack). Our solution has the following properties:
1) It can be implemented and deployed immediately to obtain immediate security benefits. The deploying organization obtains the benefits.
2) It requires no changes to the DNS protocol or standards.
3) It requires no changes to the authority servers or DNS resolvers.
4) It greatly increases resistance against DNS poisoning attacks.
5) Performance impact is minimal.
6) No additional management overhead or cost.

The main contributions of this paper include the following:
• We propose a new countermeasure against DNS poisoning attacks and we have implemented it using a proxy server.
• We have analyzed the security of our countermeasure given the natural model for DNS poisoning attacks. Our countermeasure greatly increases resistance against DNS poisoning attacks over spr plus random TIDs.
• We analyze the performance of the countermeasure given our DPS (proxy) implementation, including the additional latency for the DNS client. We also discuss the additional load on the authority server and its network.

The paper is organized as follows: in Section II, we give background on DNS operation and poisoning attacks. We also chronicle the evolution of countermeasures. In Section III, we present our countermeasure and its operation. Section IV analyzes both the security and the performance. We discuss our results in Section V, and we conclude in Section VI.

II. BACKGROUND

The DNS (Domain Name Service) is a critical part of the Internet infrastructure; its main function is to map domain names to IP addresses. Thus an application is able to map a domain name (frequently entered by a user) into an IP address which can be used to send packets to the application server. The DNS protocol was originally specified in [8], [9], but more recent IETF RFCs specify additional functionality.

DNS domain names consist of labels separated by periods. Each label is a domain and the concatenation of the labels is a fully qualified domain name (FQDN). The domains are nodes in a tree structure. A zone consists of a collection of nodes and is its own administrative unit. The root node for each zone is called the Start of Authority (SOA). For each zone, there are DNS authority servers which maintain the Resource Records (RRs) for the zone. There are several types of DNS RRs, but the two of interest for this paper are A RRs and NS RRs. The A RRs give IP addresses corresponding to the domain names, and the NS RR gives the domain name of the DNS authority server.

There are three main entities in typical (recursive) DNS protocol exchanges: the stub resolver, the recursive server (also known as the recursive resolver or caching server), and the authority server. The stub resolver sends DNS queries (usually to obtain A RRs) to the recursive server. The recursive server attempts to locate the RR in the cache; otherwise it makes a series of recursive requests in order to locate the proper authority server and obtain the requested RR.

We now give an example showing the operation of these three entities for a typical request. We will assume that no RRs are initially cached.
1) The stub resolver makes a request for www.example.org to the recursive server.
2) The recursive server initially sends a request to the root server (authority for .). The root servers would send a reply indicating a delegation to .org by sending a NS RR and A RR for the .org nameserver.
3) Next, the recursive server would contact the nameserver for .org and receive a delegation to example.org including the NS and A RRs for a nameserver in example.org.
4) The recursive server now contacts the nameserver in example.org, which returns an A RR for the server www.example.org.
5) Finally, the recursive server returns the A RR (which has the IP address for www.example.org) to the stub resolver. All of the RRs that the recursive server obtained are cached, up to the period indicated by the TTL (time to live) in the RRs.

Some larger domains have multiple DNS servers. In our testing (described below), we noticed that some DNS authority servers return 6 A RRs per DNS query, and that subsequent queries may return distinct intersecting sets of A RRs (a set of RRs is called a RRset).
A. DNS Poisoning

Here we briefly overview DNS poisoning attacks including their history. Figure 1 shows the three network entities discussed above together with a typical poisoning scenario. Here we assume the DNS recursive server does not have a RR with the name www.example.org in its cache. In this case, the stub resolver makes a request for www.example.org to the recursive server. The recursive server then sends a DNS query for www.example.org to the authority server (the nameserver for example.org).

Fig. 1. DNS Poisoning Attack

In DNS poisoning the stub resolver is controlled by the attacker. The attacker's goal is to send the DNS query and then answer the query with a RR containing the IP address of a server that it controls. The DNS recursive server will accept the first answer that it receives where the transaction ID of the DNS answer equals the transaction ID of the DNS query. Thus the attacker's goal is to send DNS answer packets in between the time the recursive server sends the DNS query to the authority server and when it receives the answer from the authority server. This time window is the attacker's opportunity to poison the DNS server.

The transaction ID field is a 16 bit field. Earlier DNS recursive resolvers simply incremented the transaction ID field. Thus it was very easy for an attacker to conduct a successful poisoning attack. Subsequently, DNS implementations randomized the transaction ID in their queries. With the random transaction ID, the attacker's probability of poisoning a name is roughly $n/2^{16}$ if it can send n answers in response to its query within the time window (in some earlier implementations it was easier for the attacker due to flaws in random number generation, and also birthday attacks [12], [13]).

In 2008, Kaminsky [7] demonstrated a more efficient attack. The attacker sends queries for random names and attempts to answer the queries during the time window as discussed above. But the answers also include an update for the nameserver. When the attack succeeds, the nameserver is now a host controlled by the attacker. The key idea is that since the names are random, the attack can be mounted continuously, since even if a name gets cached, the attack isn't affected. This attack only requires 5-10 seconds until success. Vendors responded by using spr (source port randomization) [1], which consists of sending the query from a random source port. Thus an attacker must now match both the source port and the transaction ID to mount a successful poisoning attack. Although this raises the bar, as discussed earlier, an adversary can still successfully mount a poisoning attack.

III. COUNTERMEASURE OPERATION

Here we overview the operation of our DNS poisoning attack countermeasure (see Figure 2). For ease of implementation, we have separated the new code into a separate process (DNS Proxy Server or DPS) from the caching server.

Fig. 2. Overview of DNS Proxy Countermeasure

1) DPS initially listens on the standard DNS ports, UDP 53 and TCP 53, plus k additional randomly selected ports (not low numbered reserved ports though). The purpose of listening on these additional ports is to detect spoofing attacks as early as possible. The set of k randomly selected ports is secret and should be modified as spoofing is detected, as an attacker can identify this set over time. In particular, once a particular port receives a spoofed packet it becomes a candidate for removal from the set. If removed, it is replaced with another randomly selected port.
   Let P be the set of ports eligible to be amongst the k ports. When one of the k ports, a, receives a spoofed packet (most likely identified due to an incorrect ID value), then with probability $k/|P|$, a remains in the set of k ports. With probability $(|P| - k)/|P|$, another port is uniformly randomly selected from the remaining unused ports in P to replace a. Thus a is likely to be a member of the k ports with the same probability both before and after the attacker learns that a was a member. In other words, the attacker gains no information about which ports are in the set of k ports. This property is important for ensuring that the attacker does not achieve any advantage for evading detection during the spoofing attack.
2) Normal Operation: DPS acts as a proxy between BIND and the set of external DNS clients. Note that the BIND configuration must be changed so that BIND listens on a different port (other than 53).
3) Suppose DPS receives a DNS answer on one of the k ports. It assumes this packet is part of a spoofing attack. It sets POISON_DEFENSE to TRUE, and a timer for w seconds. It enters the DNS question (name, type, and class) into a data structure S. It sends a new request out for the same DNS question (it uses a random source
   port). It has the proper destination IP address to send it to (it was the source IP address in the spoofed answer).
4) When POISON_DEFENSE is TRUE, every received DNS question is entered into S. DPS forwards the DNS request to BIND and sends its own request as well, for the same DNS question.
5) When POISON_DEFENSE is TRUE, DPS checks to see that both DNS answers match (i.e., it checks for a nonempty intersection between the two returned RRsets. Two IP addresses are considered equal if they are on the same subnet, which we have conservatively selected as being determined by the first 24 bits. Therefore one address can match multiple addresses in another DNS response. We give a real example below.) If there is a match, the addresses in the intersection are cached (with a TTL equal to the minimum of the TTLs for the associated RRsets) and forwarded to the client. In any case, the first received answer is entered into S. If there is no match (which is an event we haven't encountered in our testing), DPS sends an additional request in order to obtain another response for matching purposes. DPS also contacts a special handler that we have implemented in BIND, in order to remove the relevant RRs from the cache (the RRs that aren't in the intersection are removed). DPS will indicate which RRs should be removed.
6) When the timer expires, DPS sets POISON_DEFENSE to FALSE. DPS will still process through all the remaining DNS questions and answers in S. When S is empty, it resumes normal operation.
7) DPS only caches high level names (e.g., .com, .org, etc.).
8) If an answer is returned immediately from BIND, then it must be in the cache, and DPS will omit sending a 2nd request.
9) DPS does not send extra requests for PTR queries.
10) DPS defers to DNSSEC/TSIG: if any returned RRset is signed, then that RRset is used without modification.

IV. ANALYSIS

We analyze our countermeasure with respect to security and performance.

A. Security Analysis

We analyze the effectiveness of our countermeasure against poisoning attacks. In particular, the attacker will attempt to reply to its own query by guessing the correct transaction ID and port number. If successful, the attacker's DNS answer will be accepted and cached by the recursive server.

The attacker is able to mount a Kaminsky-style attack by requesting RRs for random domain names and also including a NS (nameserver) update. Alternatively, the NS update can be omitted if there are a significant number of names of interest to the attacker; the attacker can cycle through these names for its recursive DNS requests. Our goal is to identify the most efficient attacker strategy and give a bound on its success rate. We will give an upper bound on the probability of the attacker successfully spoofing an answer to one of its queries, over a given time period.

As above, we let k be the number of ports that the recursive server listens on (or the DPS listens on for our implementation). We let w be the number of seconds that DPS stays in secure mode, once it enters secure mode. From [2], the attacker has a certain time window to send answers to its own query to the recursive server, prior to when the authority server replies to the recursive server. The length of this time window determines the number of packets that the attacker can send. Once the authority server replies, the recursive server will accept this answer and cache it for the TTL period (which could range from 1-24 hours, or even less; see Section V). The attacker cannot spoof answers to a query for this domain name again until the TTL has expired. Let n be the number of packets in the time window, and we let t be the length of the time window in seconds.

Prior to the attack, the recursive server is not in secure mode (it's in normal mode). Thus the attacker only needs to match the transaction ID and source port number of its DNS request. We let

  $\alpha = 2^{16} - 1024$

be the total number of possible ports that the random k ports can be drawn from. The probability that the attacker sends its spoofed reply to one of the k ports is $k/\alpha$. We expect to receive a packet on one of the k ports after the attacker has sent $\alpha/k$ packets.

Now we assume that the recursive server is using spr plus random transaction IDs. Following [2], we also assume that the authority server has three public IP addresses (this value is common but may vary slightly); the attacker must also guess the correct one of these addresses. Thus the attacker's probability of matching these three fields in its spoofed reply is

  $\frac{1}{2^{16}\,\alpha\,3}$.

Since n is the number of packets that can be sent in the time window, we have that the probability of obtaining a match is bounded by

  $\sum_{i=1}^{n} \Pr[i \text{ packets sent before match}] \cdot \frac{i}{2^{16}\alpha(3)}
   < \sum_{i=1}^{\infty} \Pr[i \text{ packets sent before match}] \cdot \frac{i}{2^{16}\alpha(3)}
   = \frac{\alpha/k}{2^{16}\,\alpha\,3}
   = \frac{1}{2^{16}(3k)}$

where we have used the union bound, and since $\alpha/k$ is the expected number of packets sent before a match on one of the k ports is obtained.

Once DPS enters secure mode, then the attacker must match the 3 fields in each of two queries. The probability of this
event, given n attacker reply packets for the single attacker request, in the t second time window, is

  $p_2 = \frac{n^2}{(2^{16}\,\alpha\,3)^2}$.

We have that

  $q = (1 - p_2)^{(w)(1/t)}$

is the probability of attacker failure during the w second time window (see Fig. 3).

Fig. 3. Relationship between parameters w, n, and t.

Thus $1 - q$ is the probability of attacker success during the w second time window. Using the union bound, we have that the total attacker probability of success, prior to secure mode and during the w second secure mode period, is bounded by

  $(1 - q) + \frac{1}{3k\,2^{16}}$.

For a period consisting of lw seconds, using the union bound, we can therefore bound the attacker probability of success by

  $l\left[(1 - q) + \frac{1}{3k\,2^{16}}\right]$.

We may use the values from [2] where t = 1/10, and n = 13000 (the attacker has a 100Mb/sec. connection). Table I gives some success probabilities, given lw equal to one year. If we consider the bound above, we see that as k increases, the amount of reduction in the probability bound caused by increasing w decreases. Each doubling of w leads to almost a 1/2 reduction in the probability bound as long as w isn't too large. When k is small, then the reduction is by more than 1/2. The probability bound function (of k and w) is depicted in Fig. 4.

TABLE I
ATTACKER SUCCESS PROBABILITY BOUNDS, FOR VALUES OF k AND w, GIVEN SUSTAINED 1 YEAR ATTACK

k      w           prob. bound
256    10 seconds  1/15.877
1024   10 seconds  1/62.531
8192   10 seconds  1/437.452
256    20 seconds  1/31.92
1024   20 seconds  1/122.524
8192   20 seconds  1/764.166

Fig. 4. Probability bound as a function of k and w.

B. Implementation and Performance Analysis

For our prototype, we implemented DPS in Java 1.6. We consider overall latency to be the most accurate performance metric since it is most dependent on the network environment. One hundred websites were selected randomly from the global 1,000 most-popular websites. Each test was conducted about fifteen to twenty minutes apart to allow cached results to expire in recursive DNS servers upstream. While the proxy increased latency by an average of 150ms from the control, there is little extra latency introduced when in poison mode. We believe that the 150ms figure can be substantially reduced by improving the design of the proxy, or by integrating the proxy to be a part of BIND. Table II and Figure 5 provide performance metrics for each of the three tests.

Fig. 5. The distribution of DNS query latency, in seconds, for each of three modes. n = 100 samples.

Our testing indicates that about 10% of the DNS servers returned different (but intersecting) sets across multiple DNS queries. If there was no intersection between two requests, we would send an additional request (but this did not occur during our tests). Table III provides an example of a DNS server providing three different responses for the same request.
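The matching rule of Section III step 5 and the port-refresh rule of step 1, applied to the first and third twitter.com answers of Table III, as an added example; this is not the authors' DPS code, and the 64-port eligible set, the k = 8 listening ports and the retention simulation are constructed for illustration.

```python
"""Added example (not the authors' DPS code): the secure-mode RRset match
of Section III step 5 and the k-port refresh of step 1, run over the first
and third twitter.com answers from Table III."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    address: str


@dataclass
class MatchResult:
    cached: list          # records of the first answer DPS caches and forwards
    evict: list           # records of the first answer DPS asks BIND to remove
    ttl: Optional[int]    # min TTL of both RRsets; None when nothing matched


def parse_answer_sections(text):
    """Split dig-style output (the format of Table III) into one RRset per
    ';; ANSWER SECTION:' header, keeping only the A records."""
    rrsets = []
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            rrsets.append([])
        elif line.strip():
            name, ttl, _cls, rtype, rdata = line.split()
            if rtype == "A":
                rrsets[-1].append(ARecord(name, int(ttl), rdata))
    return rrsets


def subnet24(address):
    # Step 5 treats two addresses as equal when their first 24 bits agree.
    return ipaddress.ip_network(f"{address}/24", strict=False)


def match_rrsets(first, second):
    """Step 5: a record of `first` matches when some record of `second` lies
    in the same /24, so one address may match several in the other answer.
    An empty intersection means DPS must send another request."""
    nets = {subnet24(r.address) for r in second}
    cached = [r for r in first if subnet24(r.address) in nets]
    evict = [r for r in first if r not in cached]
    if not cached:
        return MatchResult([], evict, None)
    return MatchResult(cached, evict, min(r.ttl for r in first + second))


def refresh_port_set(ports, hit, eligible, rng):
    """Step 1: `hit` (one of the k ports) just received a spoofed packet.
    With probability k/|P| it stays; otherwise it is replaced by a port drawn
    uniformly from the eligible ports P that are not currently in use."""
    ports = set(ports)
    if hit not in ports or rng.random() < len(ports) / len(eligible):
        return ports
    replacement = rng.choice(sorted(set(eligible) - ports))  # never `hit`
    ports.remove(hit)
    ports.add(replacement)
    return ports


def retention_rate(k, eligible_size, trials, seed=0):
    """Estimate Pr[the hit port is still listened on after the refresh].
    The paper argues this equals k/|P|, the prior probability that any given
    port is in the set, so observing a hit tells the attacker nothing.
    The port range and trial count here are constructed for illustration."""
    rng = random.Random(seed)
    eligible = list(range(1024, 1024 + eligible_size))
    kept = 0
    for _ in range(trials):
        ports = set(rng.sample(eligible, k))
        hit = next(iter(ports))
        kept += hit in refresh_port_set(ports, hit, eligible, rng)
    return kept / trials


# First and third answers for twitter.com, copied from Table III.
TABLE_III = """\
;; ANSWER SECTION:
twitter.com. 16 IN A 168.143.162.52
twitter.com. 16 IN A 128.242.245.84
twitter.com. 16 IN A 128.242.245.116
twitter.com. 16 IN A 128.242.240.20
twitter.com. 16 IN A 128.242.240.52
twitter.com. 16 IN A 128.242.240.148
;; ANSWER SECTION:
twitter.com. 5 IN A 128.242.245.148
twitter.com. 5 IN A 168.143.162.116
twitter.com. 5 IN A 128.242.240.148
twitter.com. 5 IN A 128.242.240.84
twitter.com. 5 IN A 128.121.146.228
twitter.com. 5 IN A 168.143.162.52
"""
```

Matching the third answer against the first shows the asymmetry of the /24 rule: 128.121.146.228 has no counterpart in the first answer and would be removed from the cache, while every address of the first answer matches something in the third, and the cached TTL is the minimum, 5.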
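The Section IV-A bound carried through numerically, as an added example that is not part of the paper; it assumes the values stated above (α = 2^16 − 1024, three authority addresses, t = 1/10 s, n = 13000, lw equal to one year), and the function names are chosen here rather than taken from the paper.

```python
"""Added example (not from the paper): the Section IV-A success bound
    l * [ (1 - q) + 1/(3k 2^16) ],  q = (1 - p2)^(w/t),
    p2 = n^2 / (2^16 alpha 3)^2,     alpha = 2^16 - 1024,
evaluated with the parameters the paper takes from [2]: t = 1/10 s,
n = 13000, and l*w equal to one year."""
import math

ALPHA = 2**16 - 1024   # ports the k listening ports are drawn from
TID_SPACE = 2**16      # 16-bit transaction ID
AUTH_ADDRS = 3         # assumed number of authority server addresses


def normal_mode_bound(k):
    """Pr[a spoofed reply matches ID, port and address before a reply lands
    on one of the k detection ports]: the union-bound result 1/(2^16 * 3k)."""
    return 1.0 / (TID_SPACE * AUTH_ADDRS * k)


def secure_mode_success(w, n, t):
    """1 - q: Pr[the attacker matches the three fields of BOTH queries at
    least once during the w-second secure-mode period], using p2 per
    t-second window and w/t windows per period."""
    p2 = (n / (TID_SPACE * ALPHA * AUTH_ADDRS)) ** 2
    # -expm1(x * log1p(-p2)) evaluates 1 - (1 - p2)**x without cancellation
    return -math.expm1((w / t) * math.log1p(-p2))


def yearly_bound(k, w, n=13000, t=0.1, seconds=365 * 24 * 3600):
    """Union bound over the l = seconds / w periods of a sustained attack."""
    l = seconds / w
    return l * (secure_mode_success(w, n, t) + normal_mode_bound(k))


def table_i(ks=(256, 1024, 8192), ws=(10, 20)):
    """Recompute Table I as (k, w, 1/bound) rows for comparison with the paper."""
    return [(k, w, round(1 / yearly_bound(k, w), 3)) for w in ws for k in ks]


def term_ratio(k, w, n=13000, t=0.1):
    """Secure-mode term divided by the normal-mode term: shows which of the
    two terms of the per-period bound drives the result for given k and w."""
    return secure_mode_success(w, n, t) / normal_mode_bound(k)
```

For k = 256 the secure-mode term is under 1% of the per-period bound, and for k = 8192 about 17%, so the pre-detection term 1/(3k·2^16) is what Table I mostly reflects.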
TABLE II
DNS QUERY LATENCIES (SEC.)

          BIND     BIND+DPS   BIND+DPS poison mode
average   0.0571   0.2086     0.2148
median    0.0310   0.1510     0.1630
std dev   0.0698   0.1713     0.1849
min       0.0140   0.0200     0.077
max       0.3640   1.0890     1.4300

TABLE III
RESPONSE TO THREE DNS QUERIES FOR TWITTER.COM

;; ANSWER SECTION:
twitter.com. 16 IN A 168.143.162.52
twitter.com. 16 IN A 128.242.245.84
twitter.com. 16 IN A 128.242.245.116
twitter.com. 16 IN A 128.242.240.20
twitter.com. 16 IN A 128.242.240.52
twitter.com. 16 IN A 128.242.240.148
;; ANSWER SECTION:
twitter.com. 18 IN A 128.242.240.148
twitter.com. 18 IN A 128.242.245.116
twitter.com. 18 IN A 128.242.240.84
twitter.com. 18 IN A 128.242.240.20
twitter.com. 18 IN A 128.242.245.20
twitter.com. 18 IN A 168.143.162.52
;; ANSWER SECTION:
twitter.com. 5 IN A 128.242.245.148
twitter.com. 5 IN A 168.143.162.116
twitter.com. 5 IN A 128.242.240.148
twitter.com. 5 IN A 128.242.240.84
twitter.com. 5 IN A 128.121.146.228
twitter.com. 5 IN A 168.143.162.52

V. DISCUSSION

Recent studies (e.g., [10]) indicate that DNS caching servers may cache RRs for less than the advertised time period. Some CDN (Content Distribution Network) servers cache RRs for only 20 seconds. Given a 20 second TTL, we can then mount a poison attack against a small set of names more efficiently. Suppose the target set has 200 names. Then we can guess against each of the 200 names during every 20 second period. Given 13000 guesses per 100 millisecond time window, per the description in Section IV, we obtain 13000 guesses against each name during the 20 second period. Given 200 names, we need on average $2^{32}/2^{7} = 2^{25}$ guesses against one of the names. We have $2^{25}/13000 < 2^{12}$, so 4000(20) = 80000 seconds or 22 hours will be sufficient. Here we are not using the Kaminsky attack of updating the nameserver RR cache entry. Thus, if we used our countermeasure to only check high level names and NS (nameserver) updates, the poison problem would still remain.

Our countermeasure does make Distributed Denial of Service (DDoS) attacks easier. In particular, since an extra DNS request is sent for each request received by the recursive server during the secure mode, there is an amplification by almost a factor of 2 during the secure mode. DDoS attacks against DNS are mitigated through the use of anycast [6].

In summary, we believe the amplification of DDoS attacks is acceptable since (1) there are other protocols that can also be used for amplification (e.g., SIP [11], or overlay network based protocols). (2) Successful DDoS attacks are fully realizable (for services that don't use anycast) without our poisoning defense. (3) DDoS attacks against DNS are harder given the use of anycast for authority servers. (4) DNS poisoning attacks are a persistent threat, and there is a need for a defense.

VI. SUMMARY

DNS is vulnerable to cache poisoning attacks, whereby an attacker sends a spoofed reply to its own query. The Kaminsky attack [7] led vendors to utilize source port randomization (spr) together with random transaction IDs. This combination eliminates the poisoning attacks that take less than 10 seconds, but slower poisoning attacks are still possible. As network speeds increase, the threat from these attacks will grow. DNSSEC [3] will provide a strong countermeasure to poisoning as well as other attacks against the DNS. However, until DNSSEC is actually deployed, there is a need for additional countermeasures that can be deployed in the near term.

We have presented a new countermeasure against DNS poisoning attacks which is based on detecting a poisoning attack, then sending an additional request for the same DNS RR. Since the defense is only activated when attacks occur, the performance impact is minimal. The countermeasure requires no changes to the DNS standards and only requires modifications to the caching server. Thus it can be deployed incrementally in order to obtain immediate security benefits. We have implemented the countermeasure using a local proxy for the BIND caching server, and our tests show that the performance impact is minimal. Our analysis shows that we significantly increase resistance against poisoning attacks.

REFERENCES

[1] D. J. Bernstein. The dns_random Library Interface. http://cr.yp.to/djbdns/dns_random.html, 2008.
[2] D. Dagon, M. Antonakakis, P. Vixie, T. Jinmei, and W. Lee. Increased DNS Forgery Resistance Through 0x20-Bit Encoding. In Proceedings of the ACM CCS 2008 Conference, October 2008.
[3] D. Eastlake 3rd. Domain Name System Security Extensions. RFC 2535, Internet Engineering Task Force, March 1999.
[4] D. Eastlake 3rd. Secret Key Establishment for DNS (TKEY RR). http://tools.ietf.org/html/rfc2930, September 2000.
[5] E. W. Felten, D. Balfanz, D. Dean, and D. S. Wallach. Web Spoofing: An Internet Con Game. 20th National Information Systems Security Conference, October 1997.
[6] T. Hardie. Distributing Authoritative Name Servers via Shared Unicast Addresses. http://tools.ietf.org/html/rfc3258, April 2002.
[7] D. Kaminsky. It's the End of the Cache As We Know It. http://www.doxpara.com/DMK_BO2K8.ppt, 2008.
[8] P. Mockapetris. Domain Names - Concepts and Facilities. http://www.faqs.org/rfcs/rfc1034, November 1987.
[9] P. Mockapetris. Domain Names - Implementation and Specification. http://www.faqs.org/rfcs/rfc1035, November 1987.
[10] M. A. Rajab, F. Monrose, A. Terzis, and N. Provos. Peeking Through the Cloud: DNS-based Estimation and its Applications. In Proceedings of the Conference on Applied Cryptography and Network Security (ACNS 2008), New York, NY, USA, June 2008.
[11] J. Rosenberg et al. SIP: Session Initiation Protocol. http://www.faqs.org/rfcs/rfc3261, June 2002.
[12] V. Sacramento. Vulnerability in the sending requests control of BIND versions 4 and 8 allows DNS spoofing. 19 Nov. 2002. 15 Dec. 2002. http://www.rnp.br/cais/alertas/2002/caisALR19112002a.html
[13] J. Stewart. DNS cache poisoning - the next generation. http://www.secureworks.com/research/articles/dns-cache-poisoning/, 2003.
[14] P. Vixie, O. Gudmundsson, D. Eastlake 3rd, and B. Wellington. Secret Key Transaction Authentication for DNS (TSIG). http://tools.ietf.org/html/rfc2845, May 2000.