Efficient Authentication Mechanism for Defending Against Reflection-Based Attacks on Domain Name System


Dana Hasan https://orcid.org/0000-0002-7664-799X
Rebeen R. Hama Amin
Masnida Hussin


The Domain Name System (DNS) is one of the few Internet services that is allowed through every security barrier. It mostly depends on the User Datagram Protocol (UDP) as its transport protocol, which is connectionless and has no built-in authentication mechanism. On top of that, DNS responses are substantially larger than their corresponding requests. These two key features make DNS an attractive tool for cybercriminals to reflect and amplify a huge volume of requests and exhaust their victim's resources. Recent incidents have revealed how damaging DNS can be when attackers abuse it with great sophistication. Moreover, these events have proven that a defense mechanism deployed at a single point cannot accurately and efficiently overcome an attack volume with high dynamicity. In this paper, we propose the Efficient Distributed-based Defense Scheme (EDDS) to overcome the shortcomings of centralized defense mechanisms. EDDS uses an authentication message exchange based on the Challenge-Handshake Authentication Protocol (CHAP), deployed on multiple nodes, to determine the legitimacy of each DNS request. This significantly reduces the amplification factor for fake DNS requests without any side effects on legitimate ones. Then, a Stateful Packet Inspection (SPI)-based packet filter is proposed to distinguish legitimate requests from fake ones by considering the results of the authentication procedure. Both the authentication message exchange and the SPI-based filtering are introduced to provide detection accuracy without reducing the quality of service for legitimate users. As the simulation results show, the proposed mechanism can efficiently and accurately detect, isolate, and discard bogus traffic with minimal overhead on the system.


Keywords: DNS, Reflection/Amplification attacks, Amplification factor, CHAP, Source Authentication.
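The abstract describes two cooperating pieces: a CHAP-style challenge before any large answer is sent, and a stateful filter that uses the outcome of that handshake. The following Python simulation is an added illustration written for this page, not code from the paper or its authors: the message layout, the RFC 1994 MD5 response, the 8-byte challenge, the shared secret and the "three unanswered challenges" threshold are all assumptions chosen to show the idea. A resolver answers every fresh query with a challenge no larger than the query itself, so a spoofed query reflects nothing worth amplifying; only a sender that receives the challenge and proves knowledge of the secret gets the full record, and sources whose challenges keep timing out are quarantined by the state table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Message opcodes (constructed encoding, not a real DNS wire format).
OP_QUERY, OP_CHALLENGE, OP_AUTH, OP_ANSWER = 0, 1, 2, 3

# Constructed toy zone: a 404-byte record stands in for a large DNS answer.
ZONE = {"example.com": b"TXT " + b"x" * 400}

# Hypothetical CHAP secret shared by the resolver and its legitimate clients.
SHARED_SECRET = b"demo-shared-secret"


def chap_response(chap_id: int, challenge: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """RFC 1994 CHAP response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()


def wire_size(msg: tuple) -> int:
    """Constructed size metric: total byte length of every field of a message tuple."""
    return sum(len(f) if isinstance(f, bytes) else len(str(f)) for f in msg)


@dataclass
class Pending:
    chap_id: int
    challenge: bytes
    qname: str


@dataclass
class Resolver:
    pending: dict = field(default_factory=dict)     # (src, txid) -> Pending challenge
    unanswered: dict = field(default_factory=dict)  # src -> number of expired challenges
    quarantined: set = field(default_factory=set)   # sources the SPI filter now drops
    threshold: int = 3                              # assumed tolerance before quarantine

    def handle(self, src: str, msg: tuple):
        """Process one datagram from src; return the reply tuple, or None if it is dropped."""
        op, txid = msg[0], msg[1]
        if op == OP_QUERY:
            if src in self.quarantined or msg[2] not in ZONE:
                return None
            cid, nonce = secrets.randbelow(256), secrets.token_bytes(8)
            self.pending[(src, txid)] = Pending(cid, nonce, msg[2])
            # 1 + 1 + 9 bytes: the challenge never exceeds the 13-byte query it answers.
            return (OP_CHALLENGE, txid, bytes([cid]) + nonce)
        if op == OP_AUTH:
            p = self.pending.get((src, txid))
            if p is None:
                return None  # no handshake state for this (src, txid): stateless junk
            if not hmac.compare_digest(msg[2], chap_response(p.chap_id, p.challenge)):
                return None  # wrong proof: the large answer is withheld
            del self.pending[(src, txid)]
            return (OP_ANSWER, txid, ZONE[p.qname])
        return None

    def expire(self) -> set:
        """Timer tick (simplified: every outstanding challenge has timed out).
        Each expired challenge counts against its claimed source; past the threshold
        the source is quarantined and its further queries are discarded."""
        for (src, _txid) in list(self.pending):
            self.unanswered[src] = self.unanswered.get(src, 0) + 1
            if self.unanswered[src] >= self.threshold:
                self.quarantined.add(src)
        self.pending.clear()
        return set(self.quarantined)


def legitimate_lookup(r: Resolver, src: str, qname: str, txid: int = 1):
    """Client holding the secret: completes the handshake and receives the record.
    Returns (answer, amplification factor of the answer relative to the query)."""
    query = (OP_QUERY, txid, qname)
    chal = r.handle(src, query)
    cid, nonce = chal[2][0], chal[2][1:]
    answer = r.handle(src, (OP_AUTH, txid, chap_response(cid, nonce)))
    return answer, wire_size(answer) / wire_size(query)


def reflected_ratio(r: Resolver, victim: str, qname: str, n: int) -> float:
    """Defender-side measurement: n queries arrive carrying the victim's address as
    source; return bytes reflected to the victim divided by bytes sent by the attacker."""
    bytes_in = bytes_to_victim = 0
    for txid in range(n):
        query = (OP_QUERY, txid, qname)
        bytes_in += wire_size(query)
        reply = r.handle(victim, query)
        if reply is not None:
            bytes_to_victim += wire_size(reply)
    return bytes_to_victim / bytes_in


if __name__ == "__main__":
    r = Resolver()
    _, legit_amp = legitimate_lookup(r, "198.51.100.7", "example.com")
    spoofed_amp = reflected_ratio(r, "203.0.113.9", "example.com", 5)
    print(f"legitimate client sees the full answer at factor {legit_amp:.1f}")
    print(f"spoofed queries reflect only challenges at factor {spoofed_amp:.2f}")
    print("quarantined after timeout:", r.expire())
```

One caveat the model makes visible: the quarantine is keyed by the claimed source address, so while a flood spoofs a victim's address, genuine queries from that same address are also dropped. The cost of that trade-off is bounded because, even before quarantine, the only thing ever reflected to the victim is a challenge no larger than the query.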

