Protecting DNS from reflection amplification attacks using distributed defense scheme

Full description

The Domain Name System (DNS) is a distributed, hierarchical, client-server system that translates domain names into Internet Protocol (IP) addresses and vice versa. It carries most of its traffic over the User Datagram Protocol (UDP), with IP as the network-layer protocol. Normally a DNS server accepts a request and returns a substantially larger response to the source address given in the request without inspecting that address: UDP is connectionless and IP provides no source-address authentication, so a forged source address is accepted as-is. DNS was designed for naming efficiency, not security. These properties make DNS a tempting tool for cybercriminals mounting massive Distributed Reflection Denial of Service (DRDoS), or Reflection/Amplification, attacks: the attacker sends small queries whose source address is forged as the victim's, and the servers reflect the much larger responses at the victim, flooding the victim's network links. Several defense mechanisms have been proposed against DNS Reflection/Amplification attacks, but they rely on centralized approaches whose effectiveness degrades under large and complex traffic. This research proposes a Distributed-based Defense Scheme (DDS) that monitors incoming DNS requests to handle Reflection/Amplification attacks and filters legitimate requests from fake ones. DDS uses an authentication mechanism called DNS Checkpoint, based on the Challenge-Handshake Authentication Protocol (CHAP), to authenticate requesters and thereby detect Reflection/Amplification attacks, and a filtering component called DNS Disinfector, based on Stateful Packet Inspection (SPI), to distinguish legitimate requests and discard the fake ones. Experimental results show that DDS markedly outperforms single-point deployment defenses in defense strength, reduction of the amplification factor and bandwidth usage. The analysis also shows that DDS protects upstream networks from depletion better than the other defense mechanisms, with minimal overhead.
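As an added illustration, not code from the thesis, the following Python models the two things the description turns on: the bandwidth amplification factor of an unprotected reflector, and what a CHAP-style challenge-handshake gate in front of the resolver changes for a spoofed source. The DNS Checkpoint and DNS Disinfector are the thesis's own designs and are not reproduced here; this toy gate, the message sizes, the addresses and the per-client pre-shared secret table are all constructed assumptions. It also carries the caveat a practitioner would check: the challenge must be no larger than the query that triggered it, and only one challenge may be outstanding per claimed source, or the checkpoint itself becomes a reflector.

```python
import hashlib
import hmac
import os

# Constructed message sizes in bytes (illustrative assumptions, not figures
# from the thesis): a small UDP query that elicits a much larger response.
QUERY_BYTES = 64
RESPONSE_BYTES = 3000
# Caveat: the challenge must be no larger than the query it answers, or the
# checkpoint itself becomes a (small) reflector toward the spoofed address.
CHALLENGE_BYTES = 48


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification factor: bytes delivered to the address in the
    request's source field per byte the sender transmitted."""
    return response_bytes / request_bytes


def chap_response(secret: bytes, challenge: bytes) -> bytes:
    """CHAP-style proof: a keyed hash over the challenge. Only a host that
    actually received the challenge (and holds the secret) can compute it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Checkpoint:
    """Toy challenge-handshake gate in front of a resolver (an assumed model,
    not the thesis's DNS Checkpoint). Every datagram the gate emits is appended
    to self.wire as (dst_ip, kind, size, payload); that list is exactly what a
    reflection victim would receive."""

    def __init__(self, psk_by_ip):
        self.psk = psk_by_ip      # assumed pre-shared CHAP secrets per client
        self.pending = {}         # claimed src_ip -> outstanding challenge
        self.verified = set()
        self.wire = []

    def on_query(self, src_ip, qname):
        # src_ip is whatever the IP header claims; it may be spoofed.
        if src_ip in self.verified:
            self.wire.append((src_ip, "response", RESPONSE_BYTES, qname))
            return
        if src_ip in self.pending:
            return            # one outstanding challenge per source: repeats are dropped
        challenge = os.urandom(16)
        self.pending[src_ip] = challenge
        self.wire.append((src_ip, "challenge", CHALLENGE_BYTES, challenge))

    def on_challenge_response(self, src_ip, proof):
        challenge = self.pending.pop(src_ip, None)
        secret = self.psk.get(src_ip)
        if challenge is None or secret is None:
            return False
        if hmac.compare_digest(proof, chap_response(secret, challenge)):
            self.verified.add(src_ip)
            return True
        return False

    def bytes_sent_to(self, ip):
        return sum(size for dst, _, size, _ in self.wire if dst == ip)

    def datagrams_for(self, ip, kind):
        return [d for d in self.wire if d[0] == ip and d[1] == kind]


def simulate(spoofed_queries=1000):
    victim, legit = "198.51.100.7", "192.0.2.10"   # constructed addresses
    gate = Checkpoint({legit: b"legit-shared-secret"})

    # Attacker floods the gate with queries whose source is forged as the victim.
    for _ in range(spoofed_queries):
        gate.on_query(victim, "example.com")
    # The single challenge goes to the victim, which never asked and ignores it;
    # the attacker never sees it, so no proof can be produced for that source.

    # Legitimate client: query, read the challenge off the wire, answer it, query again.
    gate.on_query(legit, "example.com")
    challenge = gate.datagrams_for(legit, "challenge")[0][3]
    ok = gate.on_challenge_response(legit, chap_response(b"legit-shared-secret", challenge))
    gate.on_query(legit, "example.com")

    return {
        "unprotected_factor": amplification_factor(QUERY_BYTES, RESPONSE_BYTES),
        "victim_bytes": gate.bytes_sent_to(victim),
        "victim_factor": gate.bytes_sent_to(victim) / (spoofed_queries * QUERY_BYTES),
        "legit_verified": ok,
        "legit_bytes": gate.bytes_sent_to(legit),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

With the constructed sizes the unprotected reflector delivers 3000 bytes to the victim for every 64-byte spoofed query (a factor of about 47), while the gated resolver sends the victim a single 48-byte challenge for the whole flood, so the attacker's 64,000 bytes of spoofed queries turn into less than one byte per byte sent. The gate's state is also what a stateful filter like the thesis's SPI-based Disinfector has to work from: a response is only ever emitted toward a source that has completed the handshake.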

Bibliographic Details
Main Author: Ahmed, Dana Hasan
Format: Thesis
Language:English
Published: 2017
Online Access:http://psasir.upm.edu.my/id/eprint/68735/1/FSKTM%202018%204%20IR.pdf
http://psasir.upm.edu.my/id/eprint/68735/
Citation: Ahmed, Dana Hasan (2017) Protecting DNS from reflection amplification attacks using distributed defense scheme. Masters thesis, Universiti Putra Malaysia.
Thesis type: Masters thesis, non-peer-reviewed, November 2017
institution Universiti Putra Malaysia
building UPM Library
collection Institutional Repository
continent Asia
country Malaysia
content_provider Universiti Putra Malaysia
content_source UPM Institutional Repository
url_provider http://psasir.upm.edu.my/