Open access
Date
2024-11
Type
- Conference Paper
ETH Bibliography
yes
Abstract
We instigate the study of adversarial congestion in the context of the Domain Name System (DNS). By strategically choking inter-server channels, this new type of DoS attack can disrupt a large user group’s access to target DNS servers at a low cost. In reminiscence of classic network congestion control, we propose a DNS congestion control (DCC) framework as a fundamental yet practical mitigation measure for such attacks. With an optimized fair-queuing message scheduler, DCC ensures benign clients fair access to inter-server channels regardless of an attacker’s behavior; with a set of extensible anomaly detection and signaling mechanisms, it minimizes collateral damage to innocuous clients. We architect DCC in a non-invasive style so that it can readily augment existing DNS servers. Our prototype evaluation demonstrates that DCC effectively mitigates adversarial congestion while incurring minor performance overheads.
Permanent link
https://doi.org/10.3929/ethz-b-000706413
Publication status
published
External links
Book title
SOSP '24: Proceedings of the ACM SIGOPS 30th Symposium on Operating Systems Principles
Pages / Article No.
Publisher
Association for Computing Machinery
Event
Subject
DNS; DoS Attacks; Adversarial Congestion; Rate Limiting; Congestion Control; Fair Queuing Algorithm
Organisational unit
02150 - Dep. Informatik / Dep. of Computer Science
Funding
215318 - RHINE: A Highly Secure and Available Domain Name Infrastructure (SNF)