CICI: RSARC: DDoS Defense In Depth for DNS

CICI：RSARC：DNS 深度 DDoS 防御

• 批准号: 1739034
• 负责人: John Heidemann
• 金额: $ 99.72万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-10-01 至 2021-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1739034&HistoricalAwards=false
• 关键词: CICI; RSARC; DDoS; Defense; Depth

Distributed Denial-of-Service (DDoS) attacks continue to plague the Internet. Attacks have significant effects on social media, content and many other Internet services. Malicious actors are becoming increasingly sophisticated and are employing methods to hide their attack origins, amplify the size of their attacks, and use huge botnets that simply overwhelm their targets. This project directly addresses these advanced attacks by developing and deploying a defense in depth approach, called Deep Layers, to mitigate the types of DDoS attacks seen most recently. Deep Layers will be deployed to protect B-Root, the critical infrastructure that is one of thirteen providers of the Domain Name System (DNS) service for the top level (root) of Internet names that begin with www.The Deep Layers solution to DDoS attacks integrates two approaches to filter spoofed traffic, two approaches to identify known-good traffic (hop-count filtering and prioritization of known-good clients), with the addition of a cloud-based scaling component to handle the largest attacks. The combination of these steps address an array of increasingly sophisticated attacks, ranging from those seen today to those that would be possible in the future, significantly increasing DNS resilience to DDoS attacks. The project integrates and extends several recent successful research approaches to DDoS defense and demonstrates their effectiveness on the B-root critical infrastructure. The project demonstrates Deep layers on the B-Root DNS server, and makes it available to other DNS operations as open source software. The work vastly improves the reliability of the DNS critical infrastructure, benefiting all Internet users.

分布式拒绝服务（DDOS）攻击继续困扰着互联网。攻击对社交媒体，内容和许多其他互联网服务有重大影响。恶意演员正在变得越来越复杂，并采用方法来隐藏其攻击起源，扩大其攻击的大小，并使用巨大的僵尸网络，使他们的目标不堪重负。该项目通过开发和部署一种称为深层的防御方法来直接解决这些高级攻击，以减轻最近看到的DDOS攻击类型。将部署深层以保护B-Root，这是域名系统（DNS）的13个提供商之一，用于互联网名称的顶级服务（DNS）服务，以www. www. www. www.ddos的深层解决方案。DDOS解决DDOS的解决方案DDOS攻击的两种方法可与已知的交通相结合，以确定已知的交通型号，并在交通型号中（预先设置过过滤器），并构成了过滤量的杂货，并构成了杂货的杂货。缩放组件以处理最大的攻击。这些步骤的结合解决了一系列越来越复杂的攻击，从今天看到的攻击到将来可能的攻击，大大提高了DNS对DDOS攻击的弹性。该项目整合并扩展了最近成功的DDOS防御研究方法，并证明了它们对B根临界基础设施的有效性。该项目在B-Root DNS服务器上演示了深层层，并将其作为开源软件提供给其他DNS操作。这项工作大大提高了DNS关键基础架构的可靠性，从而使所有互联网用户受益。

项目成果

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

TsuNAME：利用 DDoS DNS 的错误配置和漏洞

• DOI: 10.1145/3487552.3487824
• 发表时间: 2021
• 期刊: ACM Internet Measurements Conference
• 作者: Moura, Giovane C.;Castro, Sebastian;Heidemann, John;Hardaker, Wes
• 通讯作者: Hardaker, Wes

Anycast In context: a tale of two systems

任播上下文：两个系统的故事

• DOI: 10.1145/3452296.3472891
• 发表时间: 2021
• 期刊: ACM SIGCOMM
• 作者: Koch, Thomas;Katz-Bassett, Ethan;Heidemann, John;Calder, Matt;Ardi, Calvin;Li, Ke
• 通讯作者: Li, Ke

Cache Me If You Can: Effects of DNS Time-to-Live

如果可以的话缓存我：DNS 生存时间的影响

• DOI: 10.1145/3355369.3355568
• 发表时间: 2019
• 期刊: ACM Interent Measurements Conference
• 作者: Moura, Giovane C.;Heidemann, John;Schmidt, Ricardo de;Hardaker, Wes
• 通讯作者: Hardaker, Wes

When the Dike Breaks: Dissecting DNS Defenses During DDoS

当堤坝决堤时：剖析 DDoS 期间的 DNS 防御

• DOI: 10.1145/3278532.3278534
• 发表时间: 2018
• 期刊: ACM Interent Measurements Conference
• 作者: Moura, Giovane C.;Heidemann, John;Müller, Moritz;de O. Schmidt, Ricardo;Davids, Marco
• 通讯作者: Davids, Marco