DOI: 10.1145/3694715.3695982
Research article, Open access

DNS Congestion Control in Adversarial Settings

Published: 15 November 2024

Abstract

We initiate the study of adversarial congestion in the context of the Domain Name System (DNS). By strategically choking the channels between DNS servers, this new type of DoS attack can disrupt a large user group's access to target DNS servers at low cost. Taking inspiration from classic network congestion control, we propose a DNS congestion control (DCC) framework as a fundamental yet practical mitigation for such attacks. With an optimized fair-queuing message scheduler, DCC ensures benign clients fair access to inter-server channels regardless of the attacker's behavior; with a set of extensible anomaly-detection and signaling mechanisms, it minimizes collateral damage to innocent clients. We architect DCC in a non-invasive style so that it can readily augment existing DNS servers. Our prototype evaluation demonstrates that DCC effectively mitigates adversarial congestion while incurring only minor performance overhead.
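As an added illustration of the fair-queuing idea in the abstract (not code from the paper or its artefact), the following compares a per-client round-robin scheduler on one outbound inter-server channel with a plain shared FIFO. The client labels, channel capacity, burst size and query names are constructed, and the scheduler assumes the server can attribute each outbound query to the client that triggered it.

```python
from collections import OrderedDict, deque

class FairChannelScheduler:
    """Per-client round-robin over one outbound inter-server channel: each round
    serves at most `quantum` messages per non-empty client queue, so a flooding
    client cannot crowd out others. Assumes outbound queries can be attributed to
    the client (e.g. querying resolver address) that triggered them."""

    def __init__(self, capacity_per_tick, quantum=1):
        self.capacity = capacity_per_tick   # messages the channel can carry per tick
        self.quantum = quantum
        self.queues = OrderedDict()         # client -> deque of pending messages

    def enqueue(self, client, msg):
        self.queues.setdefault(client, deque()).append(msg)

    def tick(self):
        """Drain up to `capacity` messages for this tick, round-robin over clients."""
        sent = []
        while len(sent) < self.capacity and self.queues:
            for client in list(self.queues):
                q = self.queues[client]
                for _ in range(min(self.quantum, len(q), self.capacity - len(sent))):
                    sent.append((client, q.popleft()))
                if not q:
                    del self.queues[client]
                if len(sent) >= self.capacity:
                    break
        return sent

# Constructed workload: one client bursts 1000 queries for distinct names in the
# target zone before three benign queries from another client arrive.
ATTACK_BURST = 1000
BENIGN_QUERIES = ["www.example.test", "mail.example.test", "api.example.test"]

def ticks_until_benign_served(fair, capacity=10):
    """Ticks until all benign queries leave the channel, with fair queuing or a shared FIFO."""
    work = [("flooder", f"r{i}.example.test") for i in range(ATTACK_BURST)]
    work += [("benign", name) for name in BENIGN_QUERIES]
    sched, fifo = FairChannelScheduler(capacity), deque(work)
    for client, msg in work:
        sched.enqueue(client, msg)
    remaining, ticks = set(BENIGN_QUERIES), 0
    while remaining:
        ticks += 1
        batch = sched.tick() if fair else [fifo.popleft() for _ in range(min(capacity, len(fifo)))]
        remaining -= {msg for client, msg in batch if client == "benign"}
    return ticks
```

With a shared FIFO the benign queries wait behind the whole burst (101 ticks here); with per-client queuing they are served in the first tick.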


Published In

SOSP '24: Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles
November 2024
765 pages
ISBN: 9798400712517
DOI: 10.1145/3694715
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

  • USENIX

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. DNS
  2. DoS attacks
  3. adversarial congestion
  4. rate limiting
  5. congestion control
  6. fair queuing algorithm

Acceptance Rates

SOSP '24 Paper Acceptance Rate: 43 of 245 submissions, 18%
Overall Acceptance Rate: 174 of 961 submissions, 18%
