Protecting DNS from reflection amplification attacks using distributed defense scheme
Domain Name System (DNS) is based-on distributed, hierarchical, client-server architecture that translates domain names into Internet Protocol (IP) addresses and vice versa. It relies on User Datagram Protocol (UDP) to transport its data and uses IP in the network layer protocol. Normally, DNS re...
Saved in:
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: |
2017
|
| Subjects: | |
| Online Access: | http://psasir.upm.edu.my/id/eprint/68735/1/FSKTM%202018%204%20IR.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Domain Name System (DNS) is based-on distributed, hierarchical, client-server
architecture that translates domain names into Internet Protocol (IP) addresses and
vice versa. It relies on User Datagram Protocol (UDP) to transport its data and uses
IP in the network layer protocol. Normally, DNS receives requests from its source
and sends back the substantially larger responses without inspecting the source
address. Lack of source inspection is due to the fact that UDP is a connectionless
protocol and IP address does not provide authentication mechanism. Furthermore,
DNS is designed for naming efficiency, not security. Such scenarios make DNS a
tempting target for cybercriminals to perform massive Distributed Reflection Denial
of Service (DRDoS) attacks which are called Reflection/Amplification and hassles
the communication traffic towards connected network nodes. There are several
defense mechanisms that proposed to tackle DNS Reflection/Amplification attack.
They depend on centralized-based approaches where their functionalities degrade
against large and complex traffic. In this research, Distributed-based Defense
Scheme (DDS) is proposed to monitor incoming DNS requests for handling DNS
Reflection/Amplification attacks and a filtration mechanism to distinguish legitimate
requests from fake ones. It utilizes an authentication mechanism called DNS
Checkpoint which is based on Challenge-Handshake Authentication Protocol
(CHAP) to provide authentication for detecting any Reflection/Amplification
attacks. The DNS Disinfector is used for filtering mechanism that based-on Stateful
Packet Inspection (SPI). It is used to distinguish legitimate requests and discard the
fake ones. The experiment results show that DDS remarkably overcome the singlepoint
deployment defense mechanism in terms of defense strength, minimizing
amplification factor and less bandwidth usage. The results analysis also shows that
DDS able to better protect upstream networks from depletion than other defense
mechanisms with minimum overhead. |
|---|