Mitigating DNS DoS attacks

Authors: Hitesh Ballani, Paul Francis

DOI: 10.1145/1455770.1455796

Keywords:

Abstract: This paper considers DoS attacks on DNS wherein attackers flood the nameservers of a zone to disrupt resolution of resource records belonging to the zone and, consequently, any of its sub-zones. We propose a minor change in the caching behavior of DNS resolvers that can significantly alleviate the impact of such attacks. In our proposal, DNS resolvers do not completely evict cached records whose TTL has expired; rather, such records are stored in a separate "stale cache". If, during the resolution of a query, a resolver does not receive any response from the nameservers that are responsible for authoritatively answering the query, it can use the information stored in the stale cache to answer the query. In effect, the stale cache is the part of the global DNS database that has been accessed by the resolver and represents an insurance policy that the resolver uses only when the relevant DNS servers are unavailable. We analyze a 65-day DNS trace to quantify the benefits of a stale cache under different attack scenarios. Further, while the proposed change to DNS resolvers also changes DNS semantics, we argue that it does not adversely affect any of the fundamental DNS characteristics, such as the autonomy of zone operators, and hence is a very simple and practical candidate for mitigating the impact of DoS attacks on DNS.
