Collaborative Defense Framework Using FQDN-Based Allowlist Filter Against DNS Water Torture Attack

Bibliographic Details
Published in: IEEE eTransactions on Network and Service Management, Vol. 20, No. 4, p. 1
Main Authors: Hasegawa, Keita; Kondo, Daishi; Osumi, Masato; Tode, Hideki
Format: Journal Article
Language: English
Published: New York: IEEE, 01.12.2023
Publisher: The Institute of Electrical and Electronics Engineers, Inc. (IEEE)
Summary: In 2016, Dyn Inc., a managed Domain Name System (DNS) service provider, experienced a DNS water torture attack. The attackers created several unique and unresolvable fully qualified domain names (FQDNs) with random labels and sent malicious DNS queries to the authoritative DNS server via DNS cache servers. This attack eventually caused the authoritative DNS server to become unserviceable. We propose a collaborative defense framework that minimizes the damage by quickly detecting the attack on the victim side and effectively defending against it on the attack source side. In this framework, the DNS cache servers (attack source) create FQDN-based allowlist filters to eliminate malicious DNS queries; the attacked authoritative DNS server (victim) sends a signal to activate filters on cache servers upon detection. Trace-driven simulations show that the proposed framework effectively detects and protects against stealthy attacks circumventing conventional countermeasures. Further, we find that disposable domains, which are designed for one-time use to send signals from DNS clients to authoritative DNS servers, have similar characteristics to FQDNs created for the attack. Moreover, the operation of disposable domains is found to be a key vulnerability to such attacks.
ISSN: 1932-4537
DOI: 10.1109/TNSM.2023.3277880