DocumentCode
2789476
Title
Formal Analysis of the DNS Bandwidth Amplification Attack and Its Countermeasures Using Probabilistic Model Checking
Author
Deshpande, Tushar ; Katsaros, Panagiotis ; Basagiannis, Stylianos ; Smolka, Scott A.
Author_Institution
Dept. of Comput. Sci., Stony Brook Univ., Stony Brook, NY, USA
fYear
2011
fDate
10-12 Nov. 2011
Firstpage
360
Lastpage
367
Abstract
The DNS Bandwidth Amplification Attack (BAA) is a distributed denial-of-service attack in which a network of computers floods a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or more in size. We use the PRISM probabilistic model checker to introduce a Continuous Time Markov Chain model of the DNS BAA and three recently proposed countermeasures, and to perform an extensive cost-benefit analysis of the countermeasures. Our analysis, which is applicable to both DNS and DNSSec (a security extension of DNS), is based on objective metrics that weigh the benefits for a server in terms of the percentage increase in the processing of legitimate packets against the cost incurred by incorrectly dropping legitimate traffic. The results we obtain, gleaned from more than 450 PRISM runs, demonstrate significant differences between the countermeasures as reflected by their respective net benefits. Our results also reveal that DNSSec is more vulnerable than DNS to a BAA attack, and, relatedly, DNSSec derives significantly less benefit from the countermeasures.
Keywords
Markov processes; computer network security; formal verification; DNS bandwidth amplification attack; DNS server; DNSSec; PRISM probabilistic model checker; computers network; continuous time Markov chain model; cost-benefit analysis; distributed denial-of-service attack; formal analysis; objective metrics; Analytical models; Bandwidth; Computational modeling; Computer crime; Measurement; Probabilistic logic; Servers; DDoS; DNS; Probabilistic Model Checking;
fLanguage
English
Publisher
ieee
Conference_Titel
High-Assurance Systems Engineering (HASE), 2011 IEEE 13th International Symposium on
Conference_Location
Boca Raton, FL
ISSN
1530-2059
Print_ISBN
978-1-4673-0107-7
Type
conf
DOI
10.1109/HASE.2011.57
Filename
6113920
Link To Document