DNS water torture detection in the data plane

Alexander Kaplan, Shir Landau Feibish

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

DNS Water Torture (also known as Random Subdomain attack) has been gaining popularity since the severe impact of the 2016 Mirai attack on Dyn DNS servers, which caused a large number of sites to become unavailable. One existing solution is rate limiting, which is not effective in cases where the attack is highly distributed. A more robust solution is provided by DNSSEC, which enables a range of subdomains to be declared as non-existent following a single NXDOMAIN response. However, the deployment of DNSSEC has been limited and the resolver needs to explicitly support this feature. DNS resolver, meaning it does not require any resolver compatibility and can potentially react to the attack at an earlier stage and avoid much of the malicious traffic generated by the attack. We present WORD, a system for statistical detection of DNS Water Torture that is implemented directly in the data plane using the P4 language. WORD efficiently collects data about DNS requests and responses on a per-domain basis, and alerts the control plane if malicious traffic is detected. The solution we present succeeds in detecting the attack within the notably confined resources of the data plane, while reducing false positives by separately addressing domains which naturally have large amounts of subdomains (e.g. wordpress). In addition, our solution is easily expandable to further DNS related data plane processing, such as other types of DNS attacks, or collection of other DNS statistics in the data plane.

Original languageEnglish
Title of host publicationProceedings of the 2021 SIGCOMM 2021 Poster and Demo Sessions, Part of SIGCOMM 2021
Pages24-26
Number of pages3
ISBN (Electronic)9781450386296
DOIs
StatePublished - 23 Aug 2021
Event2021 SIGCOMM 2021 Poster and Demo Sessions, SIGCOMM 2021, Part of SIGCOMM 2021 - Virtual, Online, United States
Duration: 23 Aug 202127 Aug 2021

Publication series

NameProceedings of the 2021 SIGCOMM 2021 Poster and Demo Sessions, Part of SIGCOMM 2021

Conference

Conference2021 SIGCOMM 2021 Poster and Demo Sessions, SIGCOMM 2021, Part of SIGCOMM 2021
Country/TerritoryUnited States
CityVirtual, Online
Period23/08/2127/08/21

Keywords

  • DNS security
  • data plane
  • network measurement
  • programmable networks

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Software

Fingerprint

Dive into the research topics of 'DNS water torture detection in the data plane'. Together they form a unique fingerprint.

Cite this