DNS DoS Vulnerabilities and Defenses: A Modern and Systematic View

Thu 17 Oct 2024

Dr. Huayi Duan

From 11:00 until 12:30

At CAB H 52 (Seminar) + CNB/F/110 (Lunch), ETH Zurich

Abstract:

A flurry of DoS vulnerabilities has recently been disclosed in DNS, many of which let an attacker overload victim DNS servers by sending only modest volumes of requests that trigger large amplification effects. This talk starts with our systematic investigation of such vulnerabilities. By establishing a taxonomy of amplification primitives intrinsic to DNS and a framework for analyzing their composability, we discovered an entire family of compositional amplification (CAMP) vulnerabilities that bypass patches for individual DoS vectors and yield significantly larger amplification effects. Beyond these protocol-level vulnerabilities, I will also present our recent findings on a potentially more concerning class of DoS vulnerabilities rooted in modern DNS resolution architectures. Attackers can exploit these architectural vulnerabilities to paralyze DNS infrastructure through inter-server congestion, using substantially fewer resources than would be needed to overwhelm the servers themselves. To mitigate such attacks fundamentally yet practically, we propose a DNS congestion control (DCC) framework reminiscent of classic network congestion control. I will go over DCC's design principles, explain how its complementary components interact to counter adversarial congestion and other types of attacks, and discuss why it is indispensable for enhancing the resilience of DNS infrastructure at large.
Join us in CAB H 52 (Seminar) + CNB/F/110 (Lunch).