Protecting the DNS Root servers against DDoS attacks



You might know there are 13 root DNS servers (okay, actually server clusters with anycast routing, but let’s assume there are actually 13 physical servers). These serve as the backbone of the modern internet, as any domain name can at some point be traced back to one of them. Obviously these servers are an interesting target for attackers.

This week's paper describes a layered approach to protecting the root servers (and any other applicable authoritative DNS server) against DDoS attacks. To achieve this, the authors combine several detection algorithms in a “Swiss Cheese” model. The paper proposes an offline detection approach, which would actually be able to scale with the traffic that the root servers have to handle.

Damn interesting paper to understand different ways to detect attackers on DNS servers. Give it a read, taught me a lot about the algorithms in use.


Distributed Denial-of-Service (DDoS) attacks exhaust resources, leaving a server unavailable to legitimate clients. The Domain Name System (DNS) is a frequent target of DDoS attacks. Since DNS is a critical infrastructure service, protecting it from DoS is imperative. Many prior approaches have focused on specific filters or anti-spoofing techniques to protect generic services. DNS root nameservers are more challenging to protect, since they use fixed IP addresses, serve very diverse clients and requests, receive predominantly UDP traffic that can be spoofed, and must guarantee high quality of service. In this paper we propose a layered DDoS defense for DNS root nameservers. Our defense uses a library of defensive filters, which can be optimized for different attack types, with different levels of selectivity. We further propose a method that automatically and continuously evaluates and selects the best combination of filters throughout the attack. We show that this layered defense approach provides exceptional protection against all attack types using traces of ten real attacks from a DNS root nameserver. Our automated system can select the best defense within seconds and quickly reduces traffic to the server within a manageable range, while keeping collateral damage lower than 2%. We can handle millions of filtering rules without noticeable operational overhead.
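
A toy version of the filter library and automated selection that the abstract describes, added here as an illustration; it is not the paper's algorithm or code. The three filters, their thresholds, the capacity value and the labelled traffic sample are all assumptions constructed for this example.

```python
from collections import Counter
from itertools import combinations

# Constructed sample traffic: (source_ip, query_name, is_attack). The labels
# exist only so the example can score collateral damage.
KNOWN = {f"192.0.2.{i}" for i in range(1, 21)}  # resolvers seen before the attack
TRAFFIC = (
    [(f"192.0.2.{i}", f"site{i}.example.", False) for i in range(1, 21)]
    + [(f"198.51.100.{i}", f"new{i}.example.", False) for i in range(1, 6)]
    # Attack A: one query name, many sources sending two queries each.
    + [(f"203.0.113.{i % 150}", "victim.example.", True) for i in range(300)]
    # Attack B: random query names from four heavy sources.
    + [(f"203.0.113.{200 + i % 4}", f"r{i}.example.", True) for i in range(200)]
)

# Hypothetical filter library: each builder returns a "drop this query?" predicate.
def unknown_source(traffic):
    return lambda q: q[0] not in KNOWN

def hot_qname(traffic, share=0.2):
    counts = Counter(q[1] for q in traffic)
    hot = {n for n, c in counts.items() if c / len(traffic) > share}
    return lambda q: q[1] in hot

def rate_limit(traffic, max_queries=5):
    counts = Counter(q[0] for q in traffic)
    return lambda q: counts[q[0]] > max_queries

FILTERS = {"unknown_source": unknown_source, "hot_qname": hot_qname,
           "rate_limit": rate_limit}

def evaluate(names, traffic):
    """Layer the named filters: a query is dropped if any filter drops it."""
    drops = [FILTERS[n](traffic) for n in names]
    passed = [q for q in traffic if not any(d(q) for d in drops)]
    legit = sum(1 for q in traffic if not q[2])
    legit_passed = sum(1 for q in passed if not q[2])
    return len(passed), (legit - legit_passed) / legit

def select(traffic, capacity):
    """Pick the combination that fits server capacity with least collateral damage."""
    best = None
    for r in range(1, len(FILTERS) + 1):
        for names in combinations(FILTERS, r):
            passed, collateral = evaluate(names, traffic)
            if passed <= capacity and (best is None or collateral < best[2]):
                best = (names, passed, collateral)
    return best

if __name__ == "__main__":
    print(select(TRAFFIC, capacity=50))
```

On this sample no single low-collateral filter brings traffic under capacity, and the source allowlist does so only by dropping a fifth of the legitimate queries, so the selection settles on layering the query-name and rate filters.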
