TL;DR: DDIDD will apply existing and develop new defenses against Distributed-Denial-of-Service attacks for operational DNS infrastructure, and make these tools available as open source.
Denial-of-Service (DoS) attacks and Distributed-Denial-of-Service (DDoS) attacks are a continuing problem—attackers Attackers employ spoofing, amplification, and the use of very large botnets. Their traffic can overwhelm even very well-provisioned services, as shown by the huge Mirai attacks on Dyn in 2016.
DNS is a critical service on the Internet that many other services depend on, and for DDIDD we are focused on better securing DNS infrastructure against DDoS attacks.
DDIDD proposes to develop and deploy a defense-in-depth approach to mitigate Distributed Denial-of-Service attacks for DNS servers. Consistent with NSF’s goal for making Research cyber-infrastructure more resilient, we seek to better protect operational DNS cyber infrastructure.
Our approach, Deep Layers, will integrate approaches to filter spoofed traffic, approaches to identify known-good traffic when possible, and adds a cloud-based scaling component to handle the largest attacks. These steps address an array of increasingly sophisticated attacks, ranging from those we see today to those that may be possible in the future. In the end, we hope to significantly increase the resilience of DNS servers to DDoS attacks.
We plan to deploy Deep Layers to protect critical infrastructure services, and to work with USC’s B-Root team as an initial case study. We will be making our resulting tools available to others as open source software.
DDIDD is supported by the NSF Directorate of Computer and Information Science and Engineering (CISE) as part of their Cybersecurity Innovation for Cyberinfrastructure (CICI) program as award number OAC-1739034.
For related publications, please see the ANT publications web page.
See also the see the ANT distribution web page.