A Privacy-Preserving Schema for the Detection and Collaborative Mitigation of DNS Water Torture Attacks in Cloud Infrastructures

2019 
This paper presents a privacy-preserving schema between Authoritative and Recursive DNS Servers for the efficient detection and collaborative mitigation of DNS Water Torture attacks in cloud environments. Monitoring data are harvested from the victim's premises (Authoritative DNS Server and Data Center switches) to detect anomalies, with DNS requester IPs classified as legitimate or suspicious. Subsequently, requests are either forwarded or redirected to a filtering mechanism for refined inspection. Mitigation may be offered as a service either on-premises or via cloud scrubbing infrastructures. The proposed schema leverages probabilistic data structures (Bloom Filters, Count-Min Sketches) and related algorithms (SymSpell) to meet the time, space and privacy constraints required by cloud services. Notably, Bloom Filters are employed to map the Resource Records of large DNS zones in a memory-efficient manner; rapid name lookups are possible with zero false negatives and tolerable false positives. Our approach is tested via a proof-of-concept setup based on traces generated from publicly available DNS traffic datasets.
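The Bloom Filter lookup described in the abstract can be sketched as follows. This is an added example, not the paper's implementation: the hashing scheme, the thresholds `min_queries` and `miss_ratio`, the exact `Counter` used for per-requester counts, and all names and sample data are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

class ZoneBloom:
    """Bloom filter over the owner names of one DNS zone."""
    def __init__(self, n_items, fp_rate=0.001):
        # Standard sizing: m = -n*ln(p)/(ln 2)^2 bits, k = (m/n)*ln 2 hashes.
        self.m = math.ceil(-n_items * math.log(fp_rate) / math.log(2) ** 2)
        self.k = max(1, round(self.m / n_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, name):
        # Double hashing: k bit positions derived from one SHA-256 digest.
        d = hashlib.sha256(name.lower().rstrip(".").encode()).digest()
        h1 = int.from_bytes(d[:8], "big")
        h2 = int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, name):
        for p in self._positions(name):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, name):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(name))

def classify(queries, bloom, min_queries=3, miss_ratio=0.5):
    """Label each requester IP by its share of names that miss the filter."""
    total, misses = Counter(), Counter()
    for ip, qname in queries:
        total[ip] += 1
        if qname not in bloom:  # a miss is definite: the name is not in the zone
            misses[ip] += 1
    return {ip: "suspicious" if total[ip] >= min_queries
            and misses[ip] / total[ip] >= miss_ratio else "legitimate"
            for ip in total}

# Constructed sample data (documentation names and address ranges).
ZONE = ["example.com", "www.example.com", "mail.example.com", "ns1.example.com"]
QUERIES = [("192.0.2.10", "www.example.com"), ("192.0.2.10", "mail.example.com"),
           ("192.0.2.10", "WWW.Example.COM."), ("198.51.100.7", "www.example.com")]
QUERIES += [("198.51.100.7", p + ".example.com")
            for p in ("x7kq2p", "q9zt4m", "a1b2c3d4", "zzk0w8", "m3n5r7")]

def build_filter(names):
    bloom = ZoneBloom(len(names))
    for n in names:
        bloom.add(n)
    return bloom
```

Because a Bloom Filter never reports a stored name as absent, every miss counted in `classify` is a name that does not exist in the zone; a false positive can only make a requester look less suspicious, never more.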