Formal Analysis of DNS Attacks and Their Countermeasures Using Probabilistic Model Checking.

摘要

The Domain Name System (DNS) is an internet-wide, hierarchical naming system used to translate domain names into physical IP addresses. Any disruption of the service DNS provides can have serious consequences. We present a formal analysis of two notable threats to DNS, namely cache poisoning and bandwidth amplification, and the countermeasures designed to prevent their occurrence. Our analysis of these attacks and their countermeasures is given in the form of a cost-benefit analysis, and is based on probabilistic model checking of Continuous-Time Markov Chains. We use CTMCs to model the race between legitimate and malicious traffic in a DNS server under attack, i.e., the victim. Countermeasure benefits and costs are quantified in terms of probabilistic reachability and reward properties, which are evaluated over all possible execution paths.;The results of our analysis support substantive conclusions about the relative effectiveness of the different countermeasures under varying operating conditions. We also validate the criticism that the DNS security extensions devised to eliminate cache poisoning render DNS more vulnerable to bandwidth amplification attacks (BAAs).;We also model the DNS BAA as a two-player, turn-based, zero-sum stochastic game between an attacker and a defender. The attacker attempts to flood the victim's bandwidth with malicious traffic by choosing an appropriate number of zombies to attack. In response, the defender nondeterministically chooses among five basic BAA countermeasures, so that the victim can process as much legitimate traffic as possible. We use our game-based model of DNS BAA to generate optimal attack strategies that vary the number of zombies and the optimal defense strategies that combine the basic BAA countermeasures to optimize the attacker's and the defender's payoffs. Such payoffs are defined using probabilistic reward-based properties, and are measured in terms of the attack strategy's ability to minimize the volume of legitimate traffic that is eventually processed and the defense strategy's ability to maximize the volume of legitimate traffic that is eventually processed.