{"id":1192,"date":"2018-06-04T08:48:35","date_gmt":"2018-06-04T15:48:35","guid":{"rendered":"https:\/\/ant.isi.edu\/blog\/?p=1192"},"modified":"2020-10-14T15:36:59","modified_gmt":"2020-10-14T22:36:59","slug":"new-technical-report-when-the-dike-breaks-dissecting-dns-defenses-during-ddos-extended","status":"publish","type":"post","link":"https:\/\/ant.isi.edu\/blog\/?p=1192","title":{"rendered":"new technical report \u201cWhen the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)&#8221;"},"content":{"rendered":"<p>We released a new technical report \u201c<strong>When the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)<\/strong>\u201d, ISI-TR-725, available at&nbsp;<a href=\"https:\/\/www.isi.edu\/~johnh\/PAPERS\/Moura18a.pdf\">https:\/\/www.isi.edu\/~johnh\/PAPERS\/Moura18a.pdf<\/a>.<\/p>\n<figure id=\"attachment_1193\" aria-describedby=\"caption-attachment-1193\" style=\"width: 300px\" class=\"wp-caption alignright\"><a href=\"https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2018\/06\/Moura18a_icon.png\"><img loading=\"lazy\" decoding=\"async\" class=\"size-medium wp-image-1193\" src=\"https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2018\/06\/Moura18a_icon-300x147.png\" alt=\"\" width=\"300\" height=\"147\" srcset=\"https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2018\/06\/Moura18a_icon-300x147.png 300w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2018\/06\/Moura18a_icon-768x376.png 768w, https:\/\/ant.isi.edu\/blog\/wp-content\/uploads\/2018\/06\/Moura18a_icon.png 983w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-1193\" class=\"wp-caption-text\">Moura18a Figure 6a, Answers received during a DDoS attack causing 100% packet loss with pre-loaded caches.<\/figcaption><\/figure>\n<p>From the abstract:<\/p>\n<blockquote><p><span style=\"font-style: italic;\">The Internet\u2019s Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks 
have had very different outcomes\u2014some attacks have disabled major public websites, while the external effects of other attacks have been minimal. While on one hand the DNS protocol is relatively simple, the <\/span><em>system<\/em><span style=\"font-style: italic;\"> has many moving parts, with multiple levels of caching and retries and replicated servers. This paper uses controlled experiments to examine how these mechanisms affect DNS resilience and latency, exploring both the client side\u2019s DNS <\/span><em>user experience<\/em><span style=\"font-style: italic;\">, and server-side traffic. We find that, for about 30% of clients, caching is not effective. However, when caches are full they allow about half of clients to ride out server outages, and caching and retries allow up to half of the clients to tolerate DDoS attacks that result in 90% query loss, and almost all clients to tolerate attacks resulting in 50% packet loss. The cost of such attacks to clients is greater median latency. For servers, retries during DDoS attacks increase normal traffic up to 8x. Our findings about caching and retries can explain why some real-world DDoS cause service outages for users while other large attacks have minimal visible effects.<\/span><\/p><\/blockquote>\n<p>Datasets from this paper are available at no cost and are listed at <a href=\"https:\/\/ant.isi.edu\/datasets\/dns\/#Moura18a_data\">https:\/\/ant.isi.edu\/datasets\/dns\/#Moura18a_data<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We released a new technical report \u201cWhen the Dike Breaks: Dissecting DNS Defenses During DDoS (extended)\u201d, ISI-TR-725, available at&nbsp;https:\/\/www.isi.edu\/~johnh\/PAPERS\/Moura18a.pdf. 
From the abstract: The Internet\u2019s Domain Name System (DNS) is a frequent target of Distributed Denial-of-Service (DDoS) attacks, but such attacks have had very different outcomes\u2014some attacks have disabled major public websites, while the external effects [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[282,283],"tags":[185,71,154,63,58,191,74,10,5,45,18,153,26,198,57],"class_list":["post-1192","post","type-post","status-publish","format-standard","hentry","category-publications","category-technical-report","tag-caching","tag-datasets","tag-ddos","tag-dns","tag-isi","tag-lacanic","tag-modeling","tag-network-datasets","tag-papers","tag-reliability","tag-security","tag-sidn-labs","tag-tech-report","tag-ubf","tag-usc"],"_links":{"self":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1192","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1192"}],"version-history":[{"count":2,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1192\/revisions"}],"predecessor-version":[{"id":1562,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1192\/revisions\/1562"}],"wp:attachment":[{"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1192"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1192"},{"taxonomy":"post_tag","embeddable":true,"href
":"https:\/\/ant.isi.edu\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1192"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}