Improving DNS cache to alleviate the impact of DNS DDoS attack

Abstract

In recent years, adversaries have been launching distributed denial of service (DDoS) attacks aimed at DNS (Domain Name System) servers in various levels, and since t he DNS is a most critical fundamental service of the Internet that provides mapping between domain names and IP addresses and a prerequisite for many other services, DDoS attacks successfully causing the unavailability of DNS could bring huge losses. In this paper, we present a n easily implemented and practical scheme that can significantly alleviate the impact of the DNS DDoS attacks. Firstly, we propose interactive communications among DNS servers to obtain status information of others and with the premise we support that nameservers should not clean-up TTL-expired domain-name records in the cache when they detected that relevant nameservers are unavailable . Secondly, an evaluation based on the data of 511 , 781 , 146 DNS queries collected from four different DNS servers on the Internet shows that the DNS could still work s well in the duration of a DDoS attack by applying our approach . And further, a long term DNS analysis of about 173 days proves the prerequisite for the validity of our project on the Internet today.