Paper Presentation – CAP 6135

Upload: philip-alexander

Post on 28-Dec-2015

Page 2

Outline

–Review - DNS

–Proposed Solution

–Simulation Results / Evaluation

–Discussion

Page 3

Domain Name System - DNS

DNS is a name resolution service which resolves host names into IP addresses

DNS is a distributed database application with a hierarchical structure

DNS Benefits

–Convenience: names are easier to remember

–Consistency: IP address can change but server names can remain constant

–Simplicity: One naming convention

Page 4

Domain Name System - DNS

Key Components of DNS

–DNS name space

–Name servers

–DNS Zones

–Resource Records

Page 5

DNS Namespace

Page 6

Step 1: Your PC sends a resolution request to its configured DNS server, typically at your ISP.

Your PC

ISP “Recursive” DNS server

Tell me the Address of “www.google.com”

Page 7

ISP “Recursive” DNS server / Root Servers

Step 2: Your ISP's recursive name server starts by asking one of the root servers predefined in its “hints” file.

Tell me the Address of “www.google.com”

I don’t know the address, but I know who’s authoritative for the “com” domain; ask them.

Page 8

ISP “Recursive” DNS server / “com” DNS servers

Step 3: Your ISP's recursive name server then asks one of the “com” name servers as directed.

Tell me the Address of “www.google.com”

I don’t know the address, but I know who’s authoritative for the “google.com” domain; ask them.

Page 9

ISP “Recursive” DNS server / google.com DNS server

Step 4: Your ISP's recursive name server then asks one of the “google.com” name servers as directed.

Tell me the Address of “www.google.com”

The Address of www.google.com is 216.239.53.99

Page 10

Step 5: The ISP's DNS server then sends the answer back to your PC. The DNS server will “remember” (cache) the answer for a period of time.

Your PC

ISP “Recursive” DNS server

The Address of www.google.com is 216.239.53.99

Page 11

Step 6: Your PC can then make the actual HTTP request to the web server.

Your PC

www.google.com web server

Send me the www.google.com web page

Here it is!
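The six steps above, walked end to end, as an added example that is not part of the original slides or of the paper they present. The zone data (root hints, the “com” servers, google.com's server) is constructed for the illustration; the only address taken from the slides is 216.239.53.99. `resolve()` plays the ISP's recursive server: it starts from the hints, follows each referral, and returns both the answer and the chain of servers it consulted (steps 2 to 4), so the reader can see where a failure to respond would stall resolution.

```python
"""Iterative DNS resolution from the root, as on Steps 1-5 of the slides.

Added illustration, not code from the slides or from the paper. ZONE_DATA
is constructed for the example; the google.com address is the one quoted
on the slides.
"""
from typing import Dict, List, Tuple

ROOT_HINTS = ["a.root-servers.net"]          # the resolver's "hints" file

# Constructed authoritative data, keyed by the server that holds it.
# A server answers with ("answer", ip), ("referral", [next servers]) or
# ("nxdomain", None) when it knows nothing about the name.
ZONE_DATA: Dict[str, Dict[str, Tuple[str, object]]] = {
    # Root servers only know who is authoritative for "com".
    "a.root-servers.net": {
        "com": ("referral", ["a.gtld-servers.net"]),
    },
    # The "com" servers only know who is authoritative for "google.com".
    "a.gtld-servers.net": {
        "google.com": ("referral", ["ns1.google.com"]),
    },
    # google.com's own server holds the A record itself.
    "ns1.google.com": {
        "www.google.com": ("answer", "216.239.53.99"),
    },
}


def ask(server: str, qname: str) -> Tuple[str, object]:
    """Emulate one query to `server` for `qname`.

    Like a real authoritative server, it returns the most specific data it
    holds for the name or one of its parent domains.
    """
    records = ZONE_DATA[server]
    labels = qname.split(".")
    for i in range(len(labels)):            # full name, then shorter suffixes
        suffix = ".".join(labels[i:])
        if suffix in records:
            return records[suffix]
    return ("nxdomain", None)


def resolve(qname: str, hints: List[str] = ROOT_HINTS,
            max_hops: int = 10) -> Tuple[str, List[str]]:
    """Walk the delegation chain from the root.

    Returns (address, path) where `path` is the list of servers consulted
    in order (steps 2-4 on the slides). Raises RuntimeError for an unknown
    name or a referral chain longer than `max_hops`.
    """
    servers = list(hints)
    path: List[str] = []
    for _ in range(max_hops):
        server = servers[0]                 # a real resolver picks by RTT
        path.append(server)
        kind, payload = ask(server, qname)
        if kind == "answer":
            return str(payload), path
        if kind == "referral":
            servers = list(payload)         # follow the delegation
            continue
        raise RuntimeError(f"{qname}: no such name (according to {server})")
    raise RuntimeError(f"{qname}: gave up after {max_hops} referrals")


if __name__ == "__main__":
    addr, path = resolve("www.google.com")
    print(addr)                 # 216.239.53.99
    print(" -> ".join(path))    # root -> com -> google.com servers
```

The returned `path` is what the later slides are about: if any server on it stops responding (the google.com server under a DoS attack, say), the walk stalls at that hop and a stock resolver has nothing to answer with once its cached copy expires.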

Page 12

Summary

[Figure: the six steps above as one diagram. DNS requests: (1) Your PC to the ISP “Recursive” DNS server; (2) to the “root” DNS servers; (3) to the “com” DNS servers; (4) to the google.com DNS server; (5) answer back to Your PC. The actual web request: (6) Your PC to the www.google.com web server, WEB (HTTP) request.]

Page 13

Caching

–Huge volume of requests: the DNS resolution process allows a successful answer to be cached for a given period of time

–That period is determined by a value called the time to live (TTL)

–The TTL is set by the administrator of the zone's authoritative DNS server, not by the resolver that caches the answer

Page 14

Summary

[Figure: the same six-step diagram as on Page 12, with caching at the ISP “Recursive” DNS server marked.]

Page 15

Proposed Solution

–DNS resolvers cache responses to improve lookup performance and reduce lookup overhead

–A resolver can use a cached response up to the time-to-live (TTL) value associated with the response

–Modify resolvers: do not expunge cached records whose TTL value has expired

–Expired records are evicted from the cache and stored in a “stale cache”

–Resolvers use the stale cache to answer queries only when the zone's authoritative servers are unavailable (e.g., under a DoS attack)

–This allows the resolution process to continue

Page 16

Proposed Solution

Page 17

Proposed Solution

Page 18

Evaluation

DNS traffic

–Cornell Computer Science Dept – Internet

–~1300 hosts

–65 days

–84,580,513 DNS queries

–53,848,115 DNS responses

–4,478,731 unique names

Stale cache size: 1 to 30 days

Attack duration: 3, 6, 12 and 24 hours
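The resolver change from Page 15 and the two metrics scored on Pages 19 and 20 (fraction of queries answered, fraction of accurate records among the answers), as one added simulation. This is illustration code, not the slides' or Ballani and Francis's; the zone, TTL, query trace, attack window and the operator's address change at t=3600 are all constructed, and the time scale is seconds rather than the days and hours of the real evaluation. `stale_retention` plays the role of the “stale cache size” parameter: 0 is a stock resolver, and a longer retention answers more queries but risks serving a record the operator has since changed.

```python
"""Stale-cache resolver simulation with the evaluation's two metrics.

Added example, not code from the slides or from the paper. All data
below (zone, TTLs, attack window, query trace) is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# ---- constructed authoritative side --------------------------------------
# name -> list of (valid_from, address, ttl). The operator updates the zone
# at t=3600 while its servers are unreachable, so stale answers served
# after that point count as inaccurate under the paper's metric.
ZONE = {
    "www.example.com": [(0, "192.0.2.10", 300), (3600, "192.0.2.20", 300)],
}
ATTACK_WINDOW = (1830, 5430)   # authoritative servers give no response (s)


def authoritative_record(name: str, now: int) -> Optional[Tuple[str, int]]:
    """Current (address, ttl) for `name`, regardless of reachability."""
    best = None
    for valid_from, addr, ttl in ZONE.get(name, []):
        if valid_from <= now:
            best = (addr, ttl)
    return best


def upstream(name: str, now: int) -> Optional[Tuple[str, int]]:
    """Emulate querying the authoritative servers; None = no response."""
    if ATTACK_WINDOW[0] <= now < ATTACK_WINDOW[1]:
        return None
    return authoritative_record(name, now)


# ---- resolver with the proposed stale cache -------------------------------
@dataclass
class Resolver:
    stale_retention: int = 0   # seconds an expired record is kept; 0 = stock
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # addr, expires_at
    stale: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # addr, evict_at

    def lookup(self, name: str, now: int) -> Optional[Tuple[str, bool]]:
        """Return (address, served_from_stale) or None if unanswerable."""
        hit = self.cache.get(name)
        if hit is not None:
            addr, expires_at = hit
            if now < expires_at:
                return addr, False                 # ordinary cache hit
            # TTL expired: move the record to the stale cache instead of
            # discarding it (the proposed modification).
            del self.cache[name]
            if self.stale_retention > 0:
                self.stale[name] = (addr, now + self.stale_retention)
        fresh = upstream(name, now)
        if fresh is not None:
            addr, ttl = fresh
            self.cache[name] = (addr, now + ttl)
            self.stale.pop(name, None)             # fresh data supersedes it
            return addr, False
        # No response from the authoritative servers: this is the only case
        # in which the stale cache is consulted.
        old = self.stale.get(name)
        if old is not None and now < old[1]:
            return old[0], True
        return None


def simulate(stale_retention: int, name: str = "www.example.com",
             period: int = 60, horizon: int = 7200) -> Dict[str, float]:
    """Query `name` every `period` seconds; score queries inside the attack."""
    r = Resolver(stale_retention=stale_retention)
    queries = answered = accurate = 0
    for now in range(0, horizon, period):
        result = r.lookup(name, now)
        if not (ATTACK_WINDOW[0] <= now < ATTACK_WINDOW[1]):
            continue                               # warm-up / recovery, unscored
        queries += 1
        if result is None:
            continue
        answered += 1
        truth = authoritative_record(name, now)
        if truth is not None and result[0] == truth[0]:
            accurate += 1
    return {"answered": answered / queries,
            "accurate": accurate / answered if answered else 0.0}


if __name__ == "__main__":
    for retention in (0, 1200, 86400):
        print(retention, simulate(retention))
```

With these inputs the stock resolver answers only the handful of attack-time queries that still fall inside the last fresh TTL; a 20-minute stale cache answers more, all accurately, because it empties before the operator's change; a one-day stale cache answers every query, but about half of those answers are the old address. That is exactly the trade-off the objections on Page 25 are about.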

Page 19

Fraction of Queries Answered

Page 20

Fraction of Accurate Records in responses

Page 21

Fraction of Queries (for two-level names) Answered and Accurate Records

Page 22

Fraction of Queries (for three-level names) Answered and Accurate Records

Page 23

Stale cache memory footprint

Page 24

Discussion

Pros

–DNS Robustness

–Simplicity: does not change the basic protocol operation and infrastructure; does not impose any load on DNS; does not impact the latency of query resolution

–Incremental Deployment

–Motivation for Deployment

Page 25

Discussion

Objections

–DNS caching semantics and the possibility of inaccurate information being used

–Autonomy for zone operators

–Attackers attempting to force the use of inaccurate information

–Resolution latency in the face of an attack

Page 26

References

–Hitesh Ballani and Paul Francis, “Mitigating DNS DoS Attacks,” CCS 2008

–Wikipedia

–“Amplified DNS DDoS Attacks and Mitigation,” www.cert-in.org.in

–www.cs.rpi.edu/~hollingd/netprog/notes/dns

–www.aptld.org