Protecting the DNS Root servers against DDoS attacks

Protecting the DNS Root servers against DDoS attacks


you might know there are 13 root DNS server (okay, actually server clusters with anycast routing, but let’s assume there are actually 13 physical servers). These serve as the backbone of the modern internet as any domain name at some point can be traced back to one of those. Obviously these servers are an interesting target for attackers.

This weeks paper describes a layered approach to protect the root servers (and any other applicable authoritative DNS server) against DDoS attacks. To achieve this the authors combine several detection algorithms in a “Swiss Cheese”-model. The paper proposes an offline detection approach, which actually would be able to scale with the traffic that the root servers have to handle.

Damn interesting paper to understand different ways to detect attackers on DNS servers. Give it a read, taught me a lot about the algorithms in use.

Software exists to create business value

I am Simon Frey, the author of the Weekly CS Paper Newsletter. And I have great news: You can work with me

As CTO as a Service, I will help you choose the right technology for your company, build up your team and be a deeply technical sparring partner for your product development strategy.

Checkout my website to learn more or directly contact me via the button below.

Simon Frey Header image
Let’s work together!


Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic
services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that automatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We can handle millions of filtering rules without noticeable operational overhead.

Download Link:

Weekly in-depth computer science knowledge to become a better programmer. For free!
Over 2000 subcribers. One click unsubscribe.