TY - GEN
T1 - Formal analysis of the DNS Bandwidth Amplification Attack and its countermeasures using probabilistic model checking
AU - Deshpande, Tushar
AU - Katsaros, Panagiotis
AU - Basagiannis, Stylianos
AU - Smolka, Scott A.
PY - 2011
Y1 - 2011
N2 - The DNS Bandwidth Amplification Attack (BAA) is a distributed denial-of-service attack in which a network of computers floods a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or more in size. We use the PRISM probabilistic model checker to introduce a Continuous Time Markov Chain model of the DNS BAA and three recently proposed countermeasures, and to perform an extensive cost-benefit analysis of the countermeasures. Our analysis, which is applicable to both DNS and DNSSec (a security extension of DNS), is based on objective metrics that weigh the benefits for a server in terms of the percentage increase in the processing of legitimate packets against the cost incurred by incorrectly dropping legitimate traffic. The results we obtain, gleaned from more than 450 PRISM runs, demonstrate significant differences between the countermeasures as reflected by their respective net benefits. Our results also reveal that DNSSec is more vulnerable than DNS to a BAA attack, and, relatedly, DNSSec derives significantly less benefit from the countermeasures.
AB - The DNS Bandwidth Amplification Attack (BAA) is a distributed denial-of-service attack in which a network of computers floods a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or more in size. We use the PRISM probabilistic model checker to introduce a Continuous Time Markov Chain model of the DNS BAA and three recently proposed countermeasures, and to perform an extensive cost-benefit analysis of the countermeasures. Our analysis, which is applicable to both DNS and DNSSec (a security extension of DNS), is based on objective metrics that weigh the benefits for a server in terms of the percentage increase in the processing of legitimate packets against the cost incurred by incorrectly dropping legitimate traffic. The results we obtain, gleaned from more than 450 PRISM runs, demonstrate significant differences between the countermeasures as reflected by their respective net benefits. Our results also reveal that DNSSec is more vulnerable than DNS to a BAA attack, and, relatedly, DNSSec derives significantly less benefit from the countermeasures.
KW - DDoS
KW - DNS
KW - Probabilistic model checking
UR - https://www.scopus.com/pages/publications/84856537894
U2 - 10.1109/HASE.2011.57
DO - 10.1109/HASE.2011.57
M3 - Conference contribution
AN - SCOPUS:84856537894
SN - 9780769546155
T3 - Proceedings of IEEE International Symposium on High Assurance Systems Engineering
SP - 360
EP - 367
BT - Proceedings - 2011 IEEE 13th International Symposium on High-Assurance Systems Engineering, HASE 2011
T2 - 13th IEEE International Symposium on High Assurance Systems Engineering, HASE 2011
Y2 - 10 November 2011 through 12 November 2011
ER -