Formal Analysis of the DNS Bandwidth Amplification Attack and Its Countermeasures Using Probabilistic Model Checking

The DNS Bandwidth Amplification Attack (BAA) is a distributed denial-of-service attack in which a network of computers floods a DNS server with responses to requests that have never been made. Amplification enters into the attack by virtue of the fact that a small 60-byte request can be answered by a substantially larger response of 4,000 bytes or more in size. We use the PRISM probabilistic model checker to introduce a Continuous Time Markov Chain model of the DNS BAA and three recently proposed countermeasures, and to perform an extensive cost-benefit analysis of the countermeasures. Our analysis, which is applicable to both DNS and DNSSec (a security extension of DNS), is based on objective metrics that weigh the benefits for a server in terms of the percentage increase in the processing of legitimate packets against the cost incurred by incorrectly dropping legitimate traffic. The results we obtain, gleaned from more than 450 PRISM runs, demonstrate significant differences between the countermeasures as reflected by their respective net benefits. Our results also reveal that DNSSec is more vulnerable than DNS to a BAA attack, and, relatedly, DNSSec derives significantly less benefit from the countermeasures.