[dns-operations] DNS challenge+response paper

Mark Allman mallman at icir.org
Thu Jun 21 17:14:08 UTC 2018


I think the last time I flogged a paper on here, it was me who ended
up getting flogged.  But, I apparently don't learn, so here is
another one ... :-)

Comments appreciated!

allman


Rami Al-Dalky, Michael Rabinovich, Mark Allman. Practical
Challenge-Response for DNS. ACM Computer Communication Review,
48(3), July 2018. To appear.

https://www.icir.org/mallman/pubs/ARA18/

Abstract:

  Authoritative DNS servers are susceptible to being leveraged in
  denial of service attacks in which the attacker sends DNS queries
  while masquerading as a victim---and hence causing the DNS server
  to send the responses to the victim. This reflection off innocent
  DNS servers hides the attacker's identity and often allows the
  attackers to amplify their traffic by employing small requests to
  elicit large responses. Several challenge-response techniques have
  been proposed to establish a requester's identity before sending a
  full answer. However, none of these are practical in that they do
  not work in the face of "resolver pools"---or groups of DNS
  resolvers that work in concert to look up records in the DNS. In
  these cases a challenge transmitted to some resolver R1 may be
  handled by a resolver R2, hence leaving an authoritative DNS
  server wondering whether R2 is in fact another resolver in the
  pool or a victim. We offer a practical challenge-response
  mechanism that uses challenge chains to establish identity in the
  face of resolver pools. We illustrate that the practical cost of
  our scheme in terms of added delay is small.
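As an added illustration of the abstract's problem statement (this is not code from the paper or its authors, and it does not model the paper's on-the-wire mechanism), the following Python toy shows why a single challenge cannot tell a pool mate from a victim and how chaining challenges resolves that. Assumptions made here: a challenge is a random single-use token returned in a small response; an authoritative server sends the full answer only when a follow-up carrying a live token arrives from an address that has itself already been challenged in the same chain (the closure rule is this example's simplification, not the paper's stated rule); the response sizes and the 198.51.100.x / 203.0.113.x addresses are constructed sample values.

```python
import random
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sizes, in bytes: a large answer (what makes reflection attractive)
# versus a deliberately small challenge response.
FULL_ANSWER_BYTES = 3000
CHALLENGE_BYTES = 60


@dataclass
class Chain:
    """One challenge chain: addresses challenged so far plus the single live token."""
    challenged: set = field(default_factory=set)
    live_token: Optional[str] = None


class AuthServer:
    """Toy authoritative server that answers only verified source addresses in full."""

    def __init__(self):
        self.chains = {}        # live token -> Chain that issued it
        self.verified = set()   # source addresses that have closed a chain
        self.sent = []          # (destination, bytes) for every response emitted

    def _send(self, dst, nbytes):
        self.sent.append((dst, nbytes))

    def _issue_challenge(self, chain, dst):
        token = secrets.token_hex(8)   # unguessable, consumed on first use
        chain.live_token = token
        chain.challenged.add(dst)
        self.chains[token] = chain
        self._send(dst, CHALLENGE_BYTES)
        return ("challenge", token)

    def query(self, src, token=None):
        """Handle a query whose source address is src (src may be spoofed).
        Returns ("answer", None), ("challenge", token) or ("drop", None)."""
        if src in self.verified:
            self._send(src, FULL_ANSWER_BYTES)
            return ("answer", None)
        if token is None:
            # First contact from an unverified address: start a fresh chain.
            return self._issue_challenge(Chain(), src)
        chain = self.chains.pop(token, None)   # every token is single use
        if chain is None:
            return ("drop", None)              # unknown or replayed token: silence
        chain.live_token = None
        if src in chain.challenged:
            # src already received a challenge in this chain and is now presenting a
            # token the chain issued: the chain closed on an address that demonstrably
            # receives what is sent to it, so treat the whole chain as one pool.
            self.verified.update(chain.challenged)
            self._send(src, FULL_ANSWER_BYTES)
            return ("answer", None)
        # A new address is following up on another member's challenge. It may be a
        # pool mate (R2 for R1) or a victim of a spoofed follow-up, so extend the
        # chain with another small challenge instead of sending the full answer.
        return self._issue_challenge(chain, src)

    def bytes_to(self, dst):
        return sum(n for d, n in self.sent if d == dst)


def resolve_via_pool(server, pool, rng=None):
    """A pool member queries; whichever member the pool picks follows each challenge.
    Returns (outcome, number of round trips), the delay cost of the scheme."""
    rng = rng or random.Random(0)
    src = rng.choice(pool)
    kind, token = server.query(src)
    trips = 1
    while kind == "challenge":
        src = rng.choice(pool)   # the follow-up may leave from a different member
        kind, token = server.query(src, token)
        trips += 1
    return kind, trips


def spoofed_query(server, victim):
    """A query forged with the victim's address: returns bytes reflected to the victim."""
    server.query(victim)        # only a small challenge reaches the victim, who ignores it
    return server.bytes_to(victim)


def spoofed_follow_up(server, attacker, victim):
    """Robustness check: a genuine token replayed from a forged victim address
    only extends the chain; it never releases the full answer to the victim."""
    _, token = server.query(attacker)
    kind, _ = server.query(victim, token)
    return kind, server.bytes_to(victim)


def demo(seed=1):
    rng = random.Random(seed)
    server = AuthServer()
    pool = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # constructed (TEST-NET-2)
    victim = "203.0.113.7"                                     # constructed (TEST-NET-3)
    outcome, trips = resolve_via_pool(server, pool, rng)
    return {
        "pool_outcome": outcome,
        "pool_round_trips": trips,
        "bytes_reflected_to_victim": spoofed_query(server, victim),
        "victim_verified": victim in server.verified,
        "amplification_without_scheme": FULL_ANSWER_BYTES / CHALLENGE_BYTES,
    }


if __name__ == "__main__":
    print(demo())
```

The pool walk terminates after at most one challenge per pool member, because each challenge adds a previously unchallenged address and the next follow-up from any already-challenged member closes the chain; that bound is the added-delay cost the abstract refers to. Under this closure rule a forged follow-up can only ever extend a chain toward the victim, never close it, so the victim receives a small challenge at most.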

