Preventing DNS misuse for Reflection/Amplification attacks with minimal computational overhead on the Internet

Rebeen Rebwar Hama Amin; Dana Hassan; Masnida Hussin

doi:10.24017/science.2020.2.6

Authors

Rebeen Rebwar Hama Amin Network Department, Computer Science Institute, Sulaimani Polytechnic University, Sulaimani, Iraq https://orcid.org/0000-0002-9847-5543
Dana Hassan Computer Science Department, College of Science, University of Garmian, Sulaimani, Iraq https://orcid.org/0000-0002-7664-799X
Masnida Hussin Department of Communication Technology and Network,Faculty of Computer Science and Information Technology, Universiti Putra Malaysia , Serdang, Selangor, Malaysia

Abstract

DNS reflection/amplification attacks are types of Distributed Denial of Service (DDoS) attacks that take advantage of vulnerabilities in the Domain Name System (DNS) and use it as an attacking tool. This type of attack can quickly deplete the resources (i.e. computational and bandwidth) of the targeted system. Many defense mechanisms are proposed to mitigate the impact of this type of attack. However, these defense mechanisms are centralized-based and cannot deal with a distributed-based attack. Also, these defense mechanisms have a single point of deployment which leads to a lack of computational resources to handle an attack with a large magnitude. In this work, we presented a new distributed-based defense mechanism (DDM) to counter reflection/ amplification attacks. While operating, we calculated the CPU counters of the machines that we deployed our defense mechanism with which showed 19.9% computational improvement. On top of that, our defense mechanism showed that it can protect the attack path from exhaustion during reflection/amplification attacks without putting any significant traffic load on the network by eliminating every spoofed request from getting responses.

Keywords:

DNS, DDM, Reflection/amplification, DDoS, Amplification Factor.

References

[1] R. van Rijswijk-Deij, A. Sperotto, and A. Pras, "DNSSEC and its potential for DDoS attacks," in Proceedings of the 2014 Conference on Internet Measurement Conference - IMC '14, 2014, pp. 449-460, doi: 10.1145/2663716.2663731.
https://doi.org/10.1145/2663716.2663731
[2] J.-Y. Bisiaux, "DNS threats and mitigation strategies," Netw. Secur., vol. 2014, no. 7, pp. 5-9, Jul. 2014, doi: 10.1016/S1353-4858(14)70068-6.
https://doi.org/10.1016/S1353-4858(14)70068-6
[3] M. Anagnostopoulos, G. Kambourakis, P. Kopanos, G. Louloudakis, and S. Gritzalis, "DNS amplification attack revisited," Comput. Secur., vol. 39, pp. 475-485, Nov. 2013, doi: 10.1016/j.cose.2013.10.001.
https://doi.org/10.1016/j.cose.2013.10.001
[4] Y. Koç, A. Jamakovic, and B. Gijsen, "A global reference model of the domain name system," Int. J. Crit. Infrastruct. Prot., vol. 5, no. 3-4, pp. 108-117, Dec. 2012, doi: 10.1016/j.ijcip.2012.08.001.
https://doi.org/10.1016/j.ijcip.2012.08.001
[5] S. Abbasi, "Investigation of open resolvers in DNS reflection DDoS attacks," Université Laval, 2014.
[6] C. Marrison, "DNS as an attack vector - and how businesses can keep it secure," Netw. Secur., vol. 2014, no. 6, pp. 17-20, Jun. 2014, doi: 10.1016/S1353-4858(14)70061-3.
https://doi.org/10.1016/S1353-4858(14)70061-3
[7] X. Ye and Y. Ye, "A practical mechanism to counteract DNS amplification DDoS attacks," J. Comput. Inf. Syst., vol. 9, no. 1, pp. 265-272, 2013.
[8] S. T. Zargar, J. Joshi, and D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks," IEEE Commun. Surv. Tutorials, vol. 15, no. 4, pp. 2046-2069, 2013, doi: 10.1109/SURV.2013.031413.00127.
https://doi.org/10.1109/SURV.2013.031413.00127
[9] B. Liu et al., "SF-DRDoS: The store-and-flood distributed reflective denial of service attack," Comput. Commun., vol. 69, pp. 107-115, Sep. 2015, doi: 10.1016/j.comcom.2015.06.008.
https://doi.org/10.1016/j.comcom.2015.06.008
[10] V. Jacobson, D. K. Smetters, J. D. Thornton, M. F. Plass, N. H. Briggs, and R. L. Braynard, "Networking named content," in Proceedings of the 5th international conference on Emerging networking experiments and technologies - CoNEXT '09, 2009, p. 1, doi: 10.1145/1658939.1658941.
https://doi.org/10.1145/1658939.1658941
[11] C. Rossow, "Amplification Hell: Revisiting Network Protocols for DDoS Abuse," in Proceedings 2014 Network and Distributed System Security Symposium, 2014, doi: 10.14722/ndss.2014.23233.
https://doi.org/10.14722/ndss.2014.23233
[12] P. Vixie and V. Schryver, "Response Policy Zones," Internet Engenieering Task Force, p. 10, 2017.
[13] M. Kührer, T. Hupperich, C. Rossow, and T. Holz, "Exit from hell? Reducing the impact of amplification DDoS attacks," Proc. 23rd USENIX Secur. Symp., pp. 111-125, 2014.
[14] S. Di Paola and D. Lombardo, "Protecting against DNS Reflection Attacks with Bloom Filters," 2011, pp. 1-16.
https://doi.org/10.1007/978-3-642-22424-9_1
[15] X. Jing, J. Zhao, Q. Zheng, Z. Yan, and W. Pedrycz, "A reversible sketch-based method for detecting and mitigating amplification attacks," J. Netw. Comput. Appl., vol. 142, pp. 15-24, Sep. 2019, doi: 10.1016/j.jnca.2019.06.007.
https://doi.org/10.1016/j.jnca.2019.06.007
[16] K. Ozdincer and H. A. Mantar, "SDN-based Detection and Mitigation System for DNS Amplification Attacks," in 2019 3rd International Symposium on Multidisciplinary Studies and Innovative Technologies (ISMSIT), Oct. 2019, pp. 1-7, doi: 10.1109/ISMSIT.2019.8932809.
https://doi.org/10.1109/ISMSIT.2019.8932809
[17] A. Silberschatz, P. B. Galvin, and G. Gagne, Operating System Concepts Essentials. John Wiley & Sons, Inc., 2013.