Evgeny Sagatov,Samara Mayhoub,Andrei Sukhov,Prasad Calyam

DOI: https://doi.org/10.23919/jcin.2023.10173727

2023-07-08

Journal of Communications and Information Networks

Abstract:Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, in which the source of the request is substituted for the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected in Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when accessing closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.

Changhua Sun,Bin Liu,Lei Shi

DOI: https://doi.org/10.1109/GLOCOM.2008.ECP.397

2008-01-01

Abstract:DNS amplification attacks utilize IP address spoofing and large numbers of open recursive DNS servers to perform the bandwidth consumption attack. During an attack, it ceaselessly fabricates DNS queries to the exploited open recursive DNS servers, and all the responses, often with larger size than the query messages, are reflected to the single victim due to the source IP address spoofing. While it is difficult to defend against this attack from the root causes by eliminating the open recursive DNS servers and IP spoofing for the whole Internet, in this paper, we take a different methodology to defend against it at the leaf router of victim's ISP or organization. We propose an efficient and low-cost hardware approach to first detect the DNS amplification attack accurately and responsively. Once the attack is confirmed, our approach is then activated to filter out all the illegitimate DNS responses by using a two-Bloom filter solution. We demonstrate that the memory cost of our approach is feasible for the hardware implementation even up to the OC-768 link. Through trace-driven simulations, it is shown that our approach is effective in both the detecting and filtering phases.

Yunwei Dai,Tao Huang,Shuo Wang

DOI: https://doi.org/10.1016/j.cose.2024.103718

IF: 5.105

2024-01-24

Computers & Security

Abstract:Domain Name System (DNS) amplification attacks exploit botnets and open recursive DNS servers to launch Distributed Denial of Service (DDoS) attacks. During an attack, the attacker leverages infected computers (bots) to perpetually send small spoofed DNS queries to numerous open recursive DNS servers. The servers, in turn, respond with lots of large DNS responses, which are reflected back to the victim. Such responses are usually several times larger than the original queries, and could exhaust the resources of CPUs, memory, and network bandwidth, rendering them unavailable for benign users. However, most in-network DDoS mitigation systems today inevitably cause normal DNS responses to be discarded while scrubbing traffic, as they do not distinguish between legitimate and malicious responses. To address this issue, some existing solutions employ Bloom filters to filter out unsolicited DNS responses, utilizing the "one-to-one mapping" relationship between DNS queries and responses. In this work, we present a framework called DAmpADF, designed to defend against DNS amplification attacks. The framework employs Bloom filters at the edge or core routers of Internet Service Providers (ISPs) or organizations to filter out malicious DNS responses. To reduce the false positives of the Bloom filters, we propose a novel data structure called the Non-amplifier Keeper (NAmpKeeper), which maintains the most frequently queried DNS servers that are not DNS amplifiers. By excluding queries to non-amplifiers from the Bloom filters, the false positives of Bloom filters are decreased significantly. Experimental results show that DAmpADF outperforms previous methods and achieves a superior filtration ratio of illegitimate DNS responses. Furthermore, the proposed approach incurs small, constant processing and memory overhead, enabling support for high line rates.

computer science, information systems

Kai Bu,Zhixin Sun

DOI: https://doi.org/10.1109/ICYCS.2008.324

2008-01-01

Abstract:The emergence of Distributed Denial of Service (DDoS) attack increases the destructive force of Denial of Service (DoS) attack drastically. Besides bringing more terrible threats, the attack from far and near and the employment of internet protocol (IP) spoofing make the abnormal traffic detection harder and harder. This paper proposes a mechanism defined as AMHI (Address Matching and Hash Inspection) and a method based on it for DDoS attacks detection and defense. Through the simulation experiment, the Address Matching and backup Hash Inspection operations to the suspicious traffic implemented on router interface for local subnet can detect and defend DDoS attacks effectively even when using IP Spoofing. In addition, this method can also decrease a mass of statistical work for the routers, and to some extent ease the pressure of heavy traffic caused by attacks.

Tasnuva Mahjabin,Yang Xiao,Tieshan Li,C. L. Philip Chen

DOI: https://doi.org/10.1109/jiot.2019.2947659

IF: 10.6

2020-01-01

IEEE Internet of Things Journal

Abstract:A domain name system (DNS) is one of the most important infrastructures of the Internet communication. It is also a crucial point which is subjected to attacks. The largest distributed denial-of-service (DDoS) attack on October 21, 2016 has targeted a major DNS infrastructure named dynDNS. It was actually the Internet of Things (IoT) DNS flood attack that made more than half of websites in the United States unreachable for a significant amount of time. As we are using the Internet for everything in our life, especially health care and transportation, an attack of this type may cause a major disruption. Therefore, in this article, we are going to analyze the DNS flood attacks and propose two mitigation methods. We propose a load distributed mitigation process which will work as a quick escape route of the legitimate traffic from the attack field. Our solution mainly involves service level changes which can be implemented with collaboration among service providers. Also, our proposed solution is very cost effective as compared to the cost of downtime of the domain names caused by a DNS flood attack. Furthermore, we propose a benign-bot mitigation method and a business model for the method. In the benign-bot mitigation method, a bot program is installed in customers’ DNS local servers to allow IP addresses of a list of paid businesses’ websites to maintain in the caches so that the websites can be accessed even when the DNS servers are down.

Marios Anagnostopoulos,Stavros Lagos,Georgios Kambourakis

DOI: https://doi.org/10.1016/j.jisa.2022.103168

IF: 4.96

2022-05-01

Journal of Information Security and Applications

Abstract:Reflection-based volumetric distributed denial-of-service (DDoS) attacks take advantage of the available to all (open) services to flood and possibly overpower a victim's server or network with an amplified amount of traffic. This work concentrates on two key protocols in the assailants' quiver regarding DoS attacks, namely domain name system (DNS) and simple service discovery protocol (SSDP). Our contribution spans three axes: (a) We perform countrywide IP address scans (probes) across three countries in two continents to locate devices that run open DNS or SSDP services, and thus can be effectively exploited in the context of amplification attacks, (b) we fingerprint the discovered devices to derive information about their type and operating system, and (c) we estimate the amplification factor of the discovered reflectors through a dozen of diverse, suitably crafted DNS queries and a couple of SSDP ones depending on the case. The conducted scans span fifteen months, therefore comparative conclusions regarding the evolution of the reflectors population over time, as well as indirect ones regarding the security measures in this field, can be deduced. For instance, for DNS, it was calculated that the third quartile of the amplification factor distribution remains more than 30 for customarily exploited queries across all the examined countries, while in the worst case this figure can reach up to 70. The same figures for SSDP range between roughly 41 and 73 for a specific type of query. To our knowledge, this work offers the first full-fledged mapping and assessment of DNS and SSDP amplifiers, and it is therefore anticipated to serve as a basis for further research in this ever-changing and high-stakes network security field.

computer science, information systems

Ziming Zhao,Zhuotao Liu,Huan Chen,Fan Zhang,Zhuoxue Song,Zhaoxuan Li

DOI: https://doi.org/10.1109/tdsc.2023.3349180

2024-01-01

Abstract:Defending against Distributed Denial of Service (DDoS) attacks is a fundamental problem in the Internet. Over the past few decades, the research and industry communities have proposed a variety of solutions, from adding incremental capabilities to the existing Internet routing stack, to clean-slate future Internet architectures, and to widely deployed commercial DDoS prevention services. Yet a recent interview with over 100 security practitioners in multiple sectors reveals that existing solutions are still insufficient against , due to either unenforceable protocol deployment or non-comprehensive traffic filters. This seemingly endless arms race with attackers probably means that we need a fundamental paradigm shift. In this paper, we propose a new DDoS prevention paradigm named preference-driven and in-network enforced traffic shaping , aiming to explore the novel DDoS prevention norms that focus on delivering victim-preferred traffic rather than consistently chasing after the DDoS attacks. Towards this end, we propose DFNet, a novel DDoS prevention system that provides reliable delivery of victim-preferred traffic without full knowledge of DDoS attacks. At a very high level, the core innovative design of DFNet embraces the advances in Machine Learning (ML) and new network dataplane primitives, by encoding the victim's traffic preference (in the form of complex ML models) into dataplane packet scheduling algorithms such that the victim-preferred traffic is forwarded with priority at line-speed, regardless of the attacker strategy. We implement a prototype of DFNet in 11,560 lines of code, and extensively evaluate it on our testbed. The results show that a single instance of DFNet can forward 99.93% of victim-desired traffic when facing previously unseen attacks, while imposing less than 0.1% forwarding overhead on a dataplane with 80 Gbps upstream links and a 40 Gbps bottleneck.

Mohammed Abdulridha Hussain,Hai Jin,Zaid Alaa Hussien,Zaid Ameen Abduljabbar,Salah H. Abbdal,Ayad Ibrahim

DOI: https://doi.org/10.1109/icisce.2016.279

2016-01-01

Abstract:Domain name system is among the core part of TCP/IP protocol suite and the standard protocol used by the Internet. The domain name system consists of mapped website names with Internet protocol, which facilitates browsing by not requiring users to remember numeric notation addresses. The nature of the system, which involves transferring information in plain text, makes it vulnerable to security attacks. The domain name system suffers from spoofing and cache poisoning attacks that are intended to steal the private information of users. In this paper, a scheme is proposed to prevent the aforementioned attacks by using an asymmetric cipher to encrypt the important information in messages and to protect these messages from manipulation. The proposed scheme is examined and implemented using Linux platform and C programming language. The proposed scheme protects DNS against spoofing and poisoning attacks while the results show small fraction of delay in time comparing with the applied DNS. There are also additional commercial benefits since it does not result in additional costs.

Soyoung Kim,Sora Lee,Geumhwan Cho,Muhammad Ejaz Ahmed,Jaehoon (Paul) Jeong,Hyoungshick Kim,Jaehoon Jeong

DOI: https://doi.org/10.1007/978-3-319-66399-9_8

2017-01-01

Abstract:Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack could be performed with multiple DNS servers and/or switches. To overcome this limitation, we propose a novel security framework using Software-Defined Networking (SDN) to store the history of DNS queries as an evidence to distinguish normal DNS responses from attack packets. Our evaluation results demonstrate that the network traffic for DNS amplification attack can completely be blocked under various network conditions without incurring a significant communication overhead.

Muhammad Aamir,Mustafa Ali Zaidi

DOI: https://doi.org/10.48550/arXiv.1401.6317

2014-03-22

Abstract:Distributed Denial of Service (DDoS) attacks exhaust victim's bandwidth or services. Traditional architecture of Internet is vulnerable to DDoS attacks and an ongoing cycle of attack & defense is observed. In this paper, different types and techniques of DDoS attacks and their countermeasures are reviewed. The significance of this paper is the coverage of many aspects of countering DDoS attacks including new research on the topic. We survey different papers describing methods of defense against DDoS attacks based on entropy variations, traffic anomaly parameters, neural networks, device level defense, botnet flux identifications and application layer DDoS defense. We also discuss some traditional methods of defense such as traceback and packet filtering techniques so that readers can identify major differences between traditional and current techniques of defense against DDoS attacks. Before the discussion on countermeasures, we mention different attack types under DDoS with traditional and advanced schemes while some information on DDoS trends in the year 2012 Quarter-1 is also provided. We identify that application layer DDoS attacks possess the ability to produce greater impact on the victim as they are driven by legitimate-like traffic making it quite difficult to identify and distinguish from legitimate requests. The need of improved defense against such attacks is therefore more demanding in research. The study conducted in this paper can be helpful for readers and researchers to recognize better techniques of defense in current times against DDoS attacks and contribute with more research on the topic in the light of future challenges identified in this paper.

Cryptography and Security

Douglas C. MacFarland,Craig A. Shue,Andrew J. Kalafut

DOI: https://doi.org/10.1016/j.comnet.2017.02.007

IF: 5.493

2017-04-01

Computer Networks

Abstract:DNS amplification has been instrumental in over 34% of high-volume network DDoS attacks, with some floods exceeding 300 Gbps. Today’s best practices require Internet-wide cooperation and have been unable to prevent these attacks. In this work, we investigate whether these best practices can eliminate DNS amplification attacks and characterize what threats remain. In particular, we study roughly 130 million DNS domains and their associated servers to determine the DNS amplification potential associated with each. We find attackers can easily use these servers to create crippling floods and that few servers employ any protection measures to deter attackers.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Haider Salim Hmood,Zhitang Li,Hasan Khalaf Abdulwahid,Yang Zhang

DOI: https://doi.org/10.1093/comjnl/bxu023

2014-01-01

The Computer Journal

Abstract:It is well known that the domain name system (DNS) is responsible for translating domain names to the corresponding IP addresses. It plays a fundamental role in running efficiently all Internet application, such as web browsing, email, multimedia applications and other projects. However, using the technique of the DNS cache poisoning attack, an attacker can effectively introduce forged DNS information to the cache memory of the domain name resolvers, with the goal of manipulating the resolver data so as to make then unavailable or divert traffic to the wrong destination, which is considered a real threat to Internet users today. Thus, in this paper, we present a new prevention methodology called Adaptive-Cache of DNS (ACDNS). Our proposed solution relies on a caching mechanism to prevent these kinds of attacks. Conversely, domain name system security extension has been presented as a conclusive solution to overcome weaknesses in the DNS protocol, but from that time up to now it still has not been deployed on a large scale. ACDNS is designed to be backward compatible with the current standards of DNS and completely appropriate with the basic protocol processes and infrastructure. In particular, our modifications are only in caching-timing in case of the need to store a new mapping. To this end, we design and implement a novel protocol for extensively simulating our approach. At the same time, we compare the performance of the ACDNS with the DNS. We show that our methodology completely protects domain name resolvers against cache-poisoning attacks.

Brij B. Gupta,Anshuman Singh

DOI: https://doi.org/10.4018/ijswis.297143

2022-01-01

Abstract:The demand for Internet security has escalated in the last two decades because the rapid proliferation in the number of Internet users has presented attackers with new detrimental opportunities. One of the simple yet powerful attack, lurking around the Internet today, is the Distributed Denial-of-Service (DDoS) attack. The expeditious surge in the collaborative environments, like IoT, cloud computing and SDN, have provided attackers with countless new avenues to benefit from the distributed nature of DDoS attacks. The attackers protect their anonymity by infecting distributed devices and utilizing them to create a bot army to constitute a large-scale attack. Thus, the development of an effective as well as efficient DDoS defense mechanism becomes an immediate goal. In this exposition, we present a DDoS threat analysis along with a few novel ground-breaking defense mechanisms proposed by various researchers for numerous domains. Further, we talk about popular performance metrics that evaluate the defense schemes. In the end, we list prevalent DDoS attack tools and open challenges.

Computer Science,Engineering

Mohit Kolli -

DOI: https://doi.org/10.36948/ijfmr.2024.v06i05.27130

2024-09-06

International Journal For Multidisciplinary Research

Abstract:DNS Amplification attacks are a specific flavor of cybersecurity attack. These exploit the current implementation of the internet architecture. DNS amplification attacks allow for bad actors to take down the servers of a victim by overloading them with network traffic. My research intends to analyze the DNS amplification attack and see whether they are still something to be actively looked at as a dangerous threat to high profile targets. This will be done by looking into the history of DNS amplification attacks, seeing how the attack works from a network perspective, looking at real world utilizations of the attack, approaches to detection, and possible ways the attack may be modified in the future with improvements in AI.

Gang Liu,Wei Quan,Nan Cheng,Hongke Zhang,Shui Yu

DOI: https://doi.org/10.1016/j.jnca.2019.01.006

IF: 7.574

2019-01-01

Journal of Network and Computer Applications

Abstract:Stateful forwarding plane is fully considered as a novel forwarding paradigm, which is proven to be beneficial to delivery efficiency and resilient to certain types of attacks. However, this fresh attempt also introduces "varietal" Denial-of-Service attack due to complicated forwarding state operations, which may cause long-term memory exhaustion of forwarding nodes, especially for resource-limited IoT nodes. This new distributed exhaustion attack is extremely hidden and there is currently no effective defense against it. In this paper, we first establish a game model to analyze the attack benefit between attacker and defender. To further make the defender obtain more utility, it is significative to make the defender manage expired state-entries during stateful forwarding. To this end, we propose an enhanced distributed low-rate attack mitigating (eDLAM) mechanism. Particularly, eDLAM maintains a lightweight malicious request table (MRT), which is very small, to offload burden of practical forwarding state table. When a packet request is matched in MRT, it will be marked and dropped directly without any impact on forwarding state table. Based on this, eDLAM adopts an optimal threshold update method for MRT to achieve a maximum defender utility. We evaluate the eDLAM performance in terms of false negatives rate (FNR) and false positives rate (FPR). Extensive experimental results show that eDLAM can reduce FNR by 10.5% and FPR by 44% on average compared with state-of-the-art mechanisms.

Christian Bassey,Francis Jeremiah,Rustem Iuzlibaev,Opeyemi Oloruntola,Success Imakuh

DOI: https://doi.org/10.30574/wjarr.2024.22.3.1716

2024-06-30

World Journal of Advanced Research and Reviews

Abstract:These days, quite a large number of application servers are being considered to be easily spoofed. Even though technologies like DNSSec, DNS over HTTPS/TLS, and DNSCurve have always been suitable for this type of problem, many developers need help to exercise the complete chain of trust. Implementing the mentioned protocols might be a matter of time, inexperience, or impossibility. In this paper, some workarounds that rely on BGP Autonomous System numbers (AS) are shown, and protocols therein are described by way of Unicast Reverse Path Forwarding (uRPF), its benefits and drawbacks from an analytical standpoint, as well as the primary flow to defend end systems, are presented. Our approach focuses on filtering malicious traffic closer to the source by identifying anomalies in BGP AS path information. The methodology is implemented and tested using Snort as an Intrusion Detection System (IDS) to capture and analyze DNS request patterns, then MikroTik router configurations are used for strict uRPF and ingress filtering, demonstrating the practical application of this solution proposed solution in real-world network environments.

Hassnain ul hassan,Rizal Mohd Nor,Md Amiruzzaman,Sharyar Wani,Md. Rajibul Islam

DOI: https://doi.org/10.48550/arXiv.2106.04575

2021-08-29

Abstract:The Domain Name System (DNS) is essential for the Internet, giving a mechanism to resolve hostnames into Internet Protocol (IP) addresses. DNS is known as the world's largest distributed database that manages hostnames and Internet Protocol. By having the DNS, only simple names that can be easily memorized will be used and then the domain name system will map it into the numeric Internet Protocol addresses that are used by computers to communicate. This research aims to propose a model for the development of a private cloud infrastructure to host DNS. The cloud infrastructure will be created using the OpenStack software platform where each server will be hosted separately in a different virtual machine. Virtual network architecture will be created using the Software Defined Networking (SDN) approach and it will be secured using Firewall as a Service (FWaaS). By hosting DNS in private cloud infrastructure, the DNS servers will be out of reach by attackers which will prevent DNS attacks. Besides, available research had proven that the cloud is the best choice for DNS. A prototype had been implemented and evaluated for its efficiencies. The findings from the evaluation carried out shown a positive result.

Cryptography and Security

B. B. Gupta,R. C. Joshi,Manoj Misra

DOI: https://doi.org/10.1145/1523103.1523203

2012-04-25

Abstract:In this paper, an analytical model for DDoS attacks detection is proposed, in which propagation of abrupt traffic changes inside public domain is monitored to detect a wide range of DDoS attacks. Although, various statistical measures can be used to construct profile of the traffic normally seen in the network to identify anomalies whenever traffic goes out of profile, we have selected volume and flow measure. Consideration of varying tolerance factors make proposed detection system scalable to the varying network conditions and attack loads in real time. NS-2 network simulator on Linux platform is used as simulation testbed. Simulation results show that our proposed solution gives a drastic improvement in terms of detection rate and false positive rate. However, the mammoth volume generated by DDoS attacks pose the biggest challenge in terms of memory and computational overheads as far as monitoring and analysis of traffic at single point connecting victim is concerned. To address this problem, a distributed cooperative technique is proposed that distributes memory and computational overheads to all edge routers for detecting a wide range of DDoS attacks at early stage.

Cryptography and Security

pingping lin,xiaosong zhang

DOI: https://doi.org/10.1142/9789812799524_0074

2008-01-01

Abstract:Give a simple but practical scheme for detecting and defending against Distributed Denial of Service (DDoS), especially for Highly Distributed Denial of Service (HDDoS) attacks by monitoring the increase of new IP addresses. Unlike previous proposals, this proposal includes three modules: detecting, filtering, and illegal-packets analyzing. To improve the detection accuracy, we also proposed a simple but robust algorithm: sliding window algorithm. In the filtering module, a filter performs its tasks only during attacks. While the attack-packets-analyzing module uses a trap to analyze attack packets, perfects the defense system. Simulation results demonstrate the effectiveness of the proposed scheme under varieties of DDoS attack scenarios.

Masoumeh Zareapoor,Pourya Shamsolmoali,M. Afshar Alam

DOI: https://doi.org/10.1504/ijcse.2018.10012837

2018-01-01

International Journal of Computational Science and Engineering

Abstract:Distributed denial of service (DDoS) attacks have become a serious attack on internet security and cloud computing. This kind of attacks is the most complex form of denial of service (DoS) attacks. This type of attack can simply duplicate its source address, such as spoofing attack, which disguises the real location of the attack. Therefore, DDoS attack is the most significant challenge for network security. In this paper, we present a model to detect and mitigate DDoS attacks in cloud computing. The proposed model requires very small storage and has the ability of fast detection. The experimental results show that the system is able to mitigate most of the attacks. Detection accuracy and processing time were the metrics used to evaluate the performance of proposed model. From the results, it is evident that the system achieved high detection accuracy (97%) with some minor false alarms.