Protecting DNS from Routing Attacks: A Comparison of Two Alternative Anycast Implementations
Authors
Abstract
DNS is a critical piece of the Internet supporting the majority of Internet applications. Because it is organized in a hierarchy, its correct operation is dependent on the availability of a small number of servers at the upper levels of the hierarchy. These backbone servers are vulnerable to routing attacks in which adversaries controlling part of the routing system try to hijack the server address space. Using routing attacks in this way, an adversary can compromise the Internet’s availability and integrity at a global scale. In this article, we evaluate the relative resilience to routing attacks of two alternative anycast implementations of DNS, the first operating at the network layer and the second operating at the application layer. Our evaluation informs fundamental DNS design decisions and an important debate on the routing architecture of the Internet.
Similar resources
Comparing the Security Performance of Network-Layer and Application-Layer Anycast
We provide a theoretical analysis of the security performance of two anycast techniques that could be used as a countermeasure against DNS attacks exploiting vulnerabilities in the interdomain routing system. We argue that the performance of the two techniques – network and ideal application layer anycast – does not differ in practice. This is achieved by showing that the performance can o...
Two Days in the Life of the DNS Anycast Root Servers
The DNS root nameservers routinely use anycast in order to improve their service to clients and increase their resilience against various types of failures. We study DNS traffic collected over a two-day period in January 2006 at anycast instances for the C, F and K root nameservers. We analyze how anycast DNS service affects the worldwide population of Internet users. To determine whether clien...
Longitudinal Analysis of Root Server Anycast Inefficiencies
Anycast is widely used in critical Internet infrastructures, including root DNS servers, to improve their scalability, resilience, and geographic proximity to clients. In practice, anycast depends on interdomain routing to direct clients to their “closest” sites. As a result, anycast’s performance is largely a result of available BGP routes. We provide what we believe to be the first longitudin...
The Case for Pushing DNS
The Domain Name System (DNS, [2]) has long been a critical part of the Internet infrastructure. The successful Denial-of-Service (DoS) attacks against Microsoft’s DNS servers in 2001 and the unsuccessful DoS attacks on the root name servers in 2002 have raised concerns about the vulnerability of the DNS. Operators responded by hardening the infrastructure, and using BGP anycast to replicate the...
Anycast Latency: How Many Sites Are Enough?
Anycast is widely used today to provide important services including naming and content, with DNS and Content Delivery Networks (CDNs). An anycast service uses multiple sites to provide high availability, capacity and redundancy, with BGP routing associating users to nearby anycast sites. Routing defines the catchment of the users that each site serves. Although prior work has studied how users...
Journal title:
Volume, issue
Pages -
Publication date: 2009