Collaborative Defense Framework Using FQDN-Based Allowlist Filter Against DNS Water Torture Attack

Detailed description

Bibliographic details
Published in: IEEE eTransactions on network and service management, 2023-12, Vol. 20 (4), p. 1-1
Main authors: Hasegawa, Keita; Kondo, Daishi; Osumi, Masato; Tode, Hideki
Format: Article
Language: eng
Description
Summary: In 2016, Dyn Inc., a managed Domain Name System (DNS) service provider, experienced a DNS water torture attack. The attackers created several unique and unresolvable fully qualified domain names (FQDNs) with random labels and sent malicious DNS queries to the authoritative DNS server via DNS cache servers. This attack eventually caused the authoritative DNS server to become unserviceable. We propose a collaborative defense framework that minimizes the damage by quickly detecting the attack on the victim side and effectively defending against it on the attack source side. In this framework, the DNS cache servers (attack source) create FQDN-based allowlist filters to eliminate malicious DNS queries; the attacked authoritative DNS server (victim) sends a signal to activate filters on cache servers upon detection. Trace-driven simulations show that the proposed framework effectively detects and protects against stealthy attacks circumventing conventional countermeasures. Further, we find that disposable domains, which are designed for one-time use to send signals from DNS clients to authoritative DNS servers, have similar characteristics to FQDNs created for the attack. Moreover, the operation of disposable domains is found to be a key vulnerability to such attacks.
ISSN: 1932-4537
DOI: 10.1109/TNSM.2023.3277880