Project Description
TL;DR: DDIDD will apply existing and develop new defenses against Distributed-Denial-of-Service attacks for operational DNS infrastructure, and make these tools available as open source.

Denial-of-Service (DoS) attacks and Distributed-Denial-of-Service (DDoS) attacks are a continuing problem. Attackers employ spoofing, amplification, and very large botnets. Their traffic can overwhelm even very well-provisioned services, as shown by the huge Mirai attacks on Dyn in 2016. DNS is a critical service on the Internet that many other services depend on, and in DDIDD we focus on better securing DNS infrastructure against DDoS attacks.

DDIDD proposes to develop and deploy a defense-in-depth approach to mitigate Distributed Denial-of-Service attacks against DNS servers. Consistent with NSF’s goal of making research cyberinfrastructure more resilient, we seek to better protect operational DNS cyberinfrastructure. Our approach, Deep Layers, will integrate approaches to filter spoofed traffic, approaches to identify known-good traffic when possible, and a cloud-based scaling component to handle the largest attacks. These steps address an array of increasingly sophisticated attacks, ranging from those we see today to those that may be possible in the future. In the end, we hope to significantly increase the resilience of DNS servers to DDoS attacks.

We plan to deploy Deep Layers to protect critical infrastructure services, and to work with USC’s B-Root team as an initial case study. We will make our resulting tools available to others as open source software. DDIDD builds on prior work from the STEEL lab (FRADE and SENSS) and USC’s B-Root.
Support
DDIDD is supported by the NSF Directorate of Computer and Information Science and Engineering (CISE) as part of their Cybersecurity Innovation for Cyberinfrastructure (CICI) program, under award number OAC-1739034.
People
Publications
- A S M Rizvi, Jelena Mirkovic, John Heidemann, Wes Hardaker and Robert Story 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses (Extended). Ad Hoc Networks Journal. 151, (Dec. 2023).
- A S M Rizvi, Jelena Mirkovic, John Heidemann, Wes Hardaker and Robert Story 2023. Defending Root DNS Servers Against DDoS Using Layered Defenses. Proceedings of the IEEE International Conference on Communications Systems and Networks (COMSNETS) (Bengaluru, India, Jan. 2023), to appear.
- A S M Rizvi, Leandro Bertholdo, João Ceron and John Heidemann 2022. Anycast Agility: Network Playbooks to Fight DDoS. Proceedings of the 31st USENIX Security Symposium (Aug. 2022), 4201–4218.
- A S M Rizvi and John Heidemann 2022. Chhoyhopper: A Moving Target Defense with IPv6. Proceedings of the IEEE Workshop on Measurements, Attacks, and Defenses for the Web (MADWeb) (San Diego, California, USA, Apr. 2022), to appear.
- Giovane C. M. Moura, John Heidemann, Wes Hardaker, Pithayuth Charnsethikul, Jeroen Bulten, João M. Ceron and Cristian Hesselman 2022. Old but Gold: Prospecting TCP to Engineer and Live Monitor DNS Anycast. Proceedings of the Passive and Active Measurement Workshop (virtual, Mar. 2022), to appear.
- John Heidemann, Giovane C. M. Moura and Wes Hardaker 2021. Do You Really Like Me? Anycast Latency and Root DNS Popularity. Presentation at DINR, Workshop on DNS and Internet Naming Research Directions.
- Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker 2021. TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS. Proceedings of the ACM Internet Measurement Conference (Virtual, Nov. 2021), 398–418.
- Thomas Koch, Ke Li, Calvin Ardi, Ethan Katz-Bassett, Matt Calder and John Heidemann 2021. Anycast in Context: A Tale of Two Systems. Proceedings of the ACM SIGCOMM Conference (Virtual, Aug. 2021).
- Giovane C. M. Moura, John Heidemann, Wes Hardaker, Jeroen Bulten, Joao Ceron and Christian Hesselman 2020. Old but Gold: Prospecting TCP to Engineer DNS Anycast (extended). Technical Report ISI-TR-739b. USC/Information Sciences Institute.
- ASM Rizvi, Joao Ceron, Leandro Bertholdo and John Heidemann 2020. Anycast Agility: Adaptive Routing to Manage DDoS. Technical Report arxiv:2006.14058v1. arXiv.
- Lan Wei, Marcel Flores, Harkeerat Bedi and John Heidemann 2020. Bidirectional Anycast/Unicast Probing (BAUP): Optimizing CDN Anycast. Proceedings of the IEEE Network Traffic Monitoring and Analysis Conference (Berlin, Germany, Jun. 2020).
- Giovane C. M. Moura, Sebastian Castro, John Heidemann and Wes Hardaker 2021. TsuNAME vulnerability and DDoS against DNS. Technical Report ISI-TR-740. USC/Information Sciences Institute.
- John Heidemann, Wes Hardaker, Jelena Mirkovic, ASM Rizvi and Robert Story 2019. DDoS Defense in Depth for DNS (DDIDD). Invited talk at the Trusted CI Webinar.
- ASM Rizvi, John Heidemann and Jelena Mirkovic 2019. Dynamically Selecting Defenses to DDoS for DNS (extended). Technical Report ISI-TR-736. USC/Information Sciences Institute.
- Giovane C. M. Moura, John Heidemann, Ricardo de O. Schmidt and Wes Hardaker 2019. Cache Me If You Can: Effects of DNS Time-to-Live. Proceedings of the ACM Internet Measurement Conference (Amsterdam, the Netherlands, Oct. 2019), to appear.
- Giovane C. M. Moura, John Heidemann, Moritz Müller, Ricardo de O. Schmidt and Marco Davids 2018. When the Dike Breaks: Dissecting DNS Defenses During DDoS. Proceedings of the ACM Internet Measurement Conference (Oct. 2018).
- Giovane C. M. Moura, John Heidemann, Ricardo de O. Schmidt and Wes Hardaker 2019. Cache Me If You Can: Effects of DNS Time-to-Live (extended). Technical Report ISI-TR-734b. USC/Information Sciences Institute.
For related publications, please see the ANT publications web page.
Software
- anygility/anygility-peering: tools to build a playbook in the PEERING testbed, and to parse captured anycast catchment data and attack traffic.
- anygility/anygility-system: tools for offered-load estimation and policy selection using a BGP playbook.
- anygility/anygility-tangled: tools for anycast experiments in the Tangled testbed.
- ddidd: this repository contains the DDiDD software, which decides which filters to activate and deactivate depending on the perceived load on the server. (Please see the enclosed README for instructions.)
- dnsroot-xtables: the dnsroot filter for xtables, which filters queries for valid top-level domains (TLDs).
- rejwreply: a Linux kernel patch set that adds echo-reply as a new feedback type in the iptables REJECT rule.
- verfploeter/packetcapr: a pinger for active measurement of anycast catchments.
- verfploeter/pingextract: a ping analyzer for active measurement of anycast catchments.
See also the ANT distribution web page.
DDoS Filters for DNS Servers
We have developed and documented several DDoS defenses to assist during an attack on a DNS server:
In addition, we have experimented with the following filters (not yet released):
- in-kernel handling of NXDOMAIN for non-TLDs with DPDK
- a known-host list that accepts traffic from prior known-good hosts while rejecting other traffic
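As an added illustration, not code from DDIDD, dnsroot-xtables, or any other software listed on this page, the following Python sketch models the two filters described above (a valid-TLD check and a known-good-host list) together with the load-driven activation that the ddidd repository description mentions. The TLD set, the capacity threshold, the query window and all source addresses and query names are constructed for the example; a real deployment would load the current root zone and measure real offered load.

```python
"""Load-driven selection of DNS DDoS filters (illustrative example only).

Models two filters from the page and a controller that activates them in
order of aggressiveness until the remaining load fits server capacity.
Everything here (TLD set, addresses, names, thresholds) is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Set, Tuple

# Assumption: a small TLD set standing in for the root zone.
VALID_TLDS: Set[str] = {"com", "net", "org", "edu", "arpa", "nl", "br"}


@dataclass(frozen=True)
class Query:
    src: str    # source address of the query (constructed sample value)
    qname: str  # query name, absolute (trailing dot)


def tld_of(qname: str) -> str:
    """Return the lower-cased right-most label of a query name ('' for the root)."""
    labels = [l for l in qname.lower().rstrip(".").split(".") if l]
    return labels[-1] if labels else ""


def make_tld_filter(valid_tlds: Set[str]) -> Callable[[Query], bool]:
    """Keep only queries whose TLD exists (what the page calls the dnsroot filter)."""
    return lambda q: tld_of(q.qname) in valid_tlds


def learn_known_good(baseline: Iterable[Query]) -> Set[str]:
    """Build the known-host list from sources seen in a pre-attack window."""
    return {q.src for q in baseline}


def make_known_host_filter(known_good: Set[str]) -> Callable[[Query], bool]:
    """Keep only queries from previously seen (known-good) hosts."""
    return lambda q: q.src in known_good


def build_filters(known_good: Set[str]) -> List[Tuple[str, Callable[[Query], bool]]]:
    """Filters ordered from least to most aggressive (the last one drops new clients)."""
    return [("tld", make_tld_filter(VALID_TLDS)),
            ("known-host", make_known_host_filter(known_good))]


def mitigate(traffic: Iterable[Query], capacity_qps: float, window_s: float,
             filters: List[Tuple[str, Callable[[Query], bool]]]
             ) -> Tuple[List[str], List[Query]]:
    """Activate filters one at a time while the offered load exceeds capacity.

    Returns the names of the activated filters and the queries that pass them.
    """
    active: List[str] = []
    accepted = list(traffic)
    for name, keep in filters:
        if len(accepted) / window_s <= capacity_qps:
            break                      # load fits; no further filtering needed
        accepted = [q for q in accepted if keep(q)]
        active.append(name)
    return active, accepted


def sample_baseline() -> List[Query]:
    """Constructed pre-attack window: three legitimate resolvers."""
    return [Query("192.0.2.1", "example.com."),
            Query("192.0.2.2", "example.net."),
            Query("192.0.2.3", "example.org.")]


def sample_attack_window() -> List[Query]:
    """Constructed one-second window during an attack: 3 legitimate + 10 attack queries."""
    legit = sample_baseline()
    junk_tld = [Query(f"198.51.100.{i}", f"q{i}.zzzz.") for i in range(1, 7)]
    valid_tld = [Query(f"203.0.113.{i}", "random.com.") for i in range(1, 5)]
    return legit + junk_tld + valid_tld


if __name__ == "__main__":
    filters = build_filters(learn_known_good(sample_baseline()))
    for capacity in (5.0, 10.0, 20.0):
        active, accepted = mitigate(sample_attack_window(), capacity, 1.0, filters)
        print(f"capacity={capacity:>4} qps  active={active}  accepted={len(accepted)}")
```

The ordering matters: the TLD check is cheap and only discards names that cannot exist, so it runs first; the known-host list also drops legitimate clients the server has never seen, so it is held back until the milder filter proves insufficient. With the constructed window, a capacity of 5 qps needs both filters, 10 qps needs only the TLD check, and 20 qps needs none.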
Datasets
We make all datasets, and specifically our network outage datasets, public through the LACREND project.
Related Links: