Abstract: The Domain Name System (DNS) is a growing target of cyber attacks, both volumetric and non-volumetric. Programmable switches offer a new opportunity for more efficient defense against DNS attacks, since they provide better cost, performance, and flexibility trade-offs than traditional defense systems. However, programmable switches impose strict limits on the operations and storage available in order to guarantee line-speed packet processing. In this paper, we propose DNSGuard, an intelligent in-network defense framework that handles both volumetric and non-volumetric DNS attacks on programmable switches. We propose a recursive incremental parsing algorithm that effectively extracts variable-length domain names. To achieve real-time and accurate detection of both attack types, we design a switch-optimized and resource-efficient algorithm that extracts the independent features of each packet as well as domain-based cumulative features. We then propose a multi-phase hybrid model architecture that performs dynamic packet analysis at different time phases of a domain. Further, we design efficient model representation mechanisms for deploying tree-based ensemble models in the data plane. Experimental results show that DNSGuard defends against diverse DNS attacks at line rate. In addition, DNSGuard introduces only nanosecond-scale latency to normal traffic in heavily loaded networks.
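The two data-plane steps the abstract names, extracting variable-length domain names and deriving per-packet and per-domain features, can be illustrated with an added example. This is hypothetical code written for this page, not DNSGuard's parsing algorithm or its feature set: it reads length-prefixed DNS labels from a constructed query packet, rejects malformed or looping compression pointers, and computes per-packet features (name length, label count, character entropy) plus per-domain cumulative counters keyed by the last two labels, an assumed simplification of "registered domain". All function names and the sample packets are the example's own.

```python
"""Added example: wire-format DNS name parsing and feature extraction.
Hypothetical code written for this page; not DNSGuard's algorithm."""
import math
import struct
from collections import defaultdict

HEADER_LEN = 12  # DNS header is a fixed 12 bytes (RFC 1035)


def build_query(qname, txid=0x1234):
    """Build a minimal DNS query packet (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    body = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + body + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_name(msg, offset):
    """Read one wire-format name (length-prefixed labels, optional compression
    pointers) starting at `offset`. Returns (name, offset just after the name)."""
    labels, end, limit, jumped = [], None, offset, False
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:                          # root label terminates the name
            offset += 1
            break
        if (length & 0xC0) == 0xC0:              # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= limit:                  # must reference a prior occurrence;
                raise ValueError("bad pointer")  # strictly decreasing => no loops
            if not jumped:
                end, jumped = offset + 2, True   # resume after the first pointer
            limit = offset = target
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def packet_features(msg):
    """Independent features of a single query packet (example feature set)."""
    name, _ = parse_name(msg, HEADER_LEN)
    labels = name.split(".")
    counts = defaultdict(int)
    for ch in name.replace(".", ""):
        counts[ch] += 1
    n = sum(counts.values())
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "qname": name,
        "qname_len": len(name),
        "label_count": len(labels),
        "max_label_len": max(len(l) for l in labels),
        "entropy": round(entropy, 3),
    }


class DomainStats:
    """Cumulative per-domain features, keyed by the last two labels
    (an assumed simplification of 'registered domain' for this example)."""

    def __init__(self):
        self.queries = defaultdict(int)
        self.subdomains = defaultdict(set)

    def update(self, qname):
        base = ".".join(qname.split(".")[-2:])
        self.queries[base] += 1
        self.subdomains[base].add(qname)
        return base

    def features(self, base):
        q, s = self.queries[base], len(self.subdomains[base])
        return {"queries": q, "distinct_subdomains": s, "unique_ratio": round(s / q, 3)}


if __name__ == "__main__":
    stats = DomainStats()
    for q in ["www.example.com", "a1b2c3.example.com", "www.example.com"]:
        pkt = build_query(q)
        print(packet_features(pkt), stats.features(stats.update(q)))
```

The pointer check keeps a `limit` that only ever decreases, so a pointer that references itself or a later byte is rejected before any loop can form; the per-domain `unique_ratio` (distinct names over total queries) is the kind of cumulative statistic a detector would watch, since a high ratio for one base domain is characteristic of random-subdomain floods.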