TY - GEN
T1 - DNS water torture detection in the data plane
AU - Kaplan, Alexander
AU - Landau Feibish, Shir
N1 - Publisher Copyright: © 2021 Owner/Author.
PY - 2021/8/23
Y1 - 2021/8/23
N2 - DNS Water Torture (also known as Random Subdomain attack) has been gaining popularity since the severe impact of the 2016 Mirai attack on Dyn DNS servers, which caused a large number of sites to become unavailable. One existing solution is rate limiting, which is not effective in cases where the attack is highly distributed. A more robust solution is provided by DNSSEC, which enables a range of subdomains to be declared as non-existent following a single NXDOMAIN response. However, the deployment of DNSSEC has been limited and the resolver needs to explicitly support this feature. DNS resolver, meaning it does not require any resolver compatibility and can potentially react to the attack at an earlier stage and avoid much of the malicious traffic generated by the attack. We present WORD, a system for statistical detection of DNS Water Torture that is implemented directly in the data plane using the P4 language. WORD efficiently collects data about DNS requests and responses on a per-domain basis, and alerts the control plane if malicious traffic is detected. The solution we present succeeds in detecting the attack within the notably confined resources of the data plane, while reducing false positives by separately addressing domains which naturally have large amounts of subdomains (e.g. wordpress). In addition, our solution is easily expandable to further DNS related data plane processing, such as other types of DNS attacks, or collection of other DNS statistics in the data plane.
KW - DNS security
KW - data plane
KW - network measurement
KW - programmable networks
UR - http://www.scopus.com/inward/record.url?scp=85113730289&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3472716.3472854
DO - https://doi.org/10.1145/3472716.3472854
M3 - Conference contribution
T3 - Proceedings of the 2021 SIGCOMM 2021 Poster and Demo Sessions, Part of SIGCOMM 2021
SP - 24
EP - 26
BT - Proceedings of the 2021 SIGCOMM 2021 Poster and Demo Sessions, Part of SIGCOMM 2021
T2 - 2021 SIGCOMM 2021 Poster and Demo Sessions, SIGCOMM 2021, Part of SIGCOMM 2021
Y2 - 23 August 2021 through 27 August 2021
ER -