Efficient authentication mechanism for defending against reflection-based attacks on domain name system

Domain Name System (DNS) is one of few services on the Internet which is allowed through every security barrier. It mostly depends on the User Datagram Protocol (UDP) as the transport protocol, which is a connectionless protocol with no built-in authentication mechanism. On top of that, DNS response...

Bibliographic Details
Main Authors: Hasan, Dana, Hama Amin, Rebeen R., Hussin, Masnida
Format: Article
Language: English
Published: Sulaimani Polytechnic University 2020
Online Access: http://psasir.upm.edu.my/id/eprint/88752/1/DNS.pdf
http://psasir.upm.edu.my/id/eprint/88752/
http://kjar.spu.edu.iq/index.php/kjar/article/view/479
id my.upm.eprints.88752
record_format eprints
spelling my.upm.eprints.88752 2021-10-06T08:43:03Z http://psasir.upm.edu.my/id/eprint/88752/
abstract Domain Name System (DNS) is one of few services on the Internet which is allowed through every security barrier. It mostly depends on the User Datagram Protocol (UDP) as the transport protocol, which is a connectionless protocol with no built-in authentication mechanism. On top of that, DNS responses are substantially larger than their corresponding requests. These two key features made DNS a fabulous attacking tool for cybercriminals to reflect and amplify a huge volume of requests to consume their victim's resources. Recent incidents revealed how harsh DNS could be when it is abused with great complexity by attackers. Moreover, these events had proven that any defense mechanism with single point deployment couldn’t accurately and efficiently overcome an attack volume with high dynamicity. In this paper, we proposed the Efficient Distributed-based Defense Scheme (EDDS) to overcome the shortcomings of a centralized-based defense mechanism. By using an authentication message exchange, which is a Challenge-Handshake Authentication Protocol (CHAP)-based authentication mechanism. It is deployed on multiple nodes to determine the legitimacy of the DNS request. Moreover, it significantly reduces the impact of the amplification factor for the fake DNS requests without having any side effects on legitimate ones. Then, a Stateful Packet Inspection (SPI)-based packet filtering is proposed to distinguish legitimate requests from fake ones by considering the results of the authentication procedure. Both authentication-message exchange and SPI-based filtering are introduced to provide detection accuracy without reducing the quality of service for legitimate users. As the simulation results show, the proposed mechanism can efficiently and accurately detect, isolate, and discard the bogus traffic with minimal overhead on the system.
type Article, PeerReviewed, text, en
citation Hasan, Dana and Hama Amin, Rebeen R. and Hussin, Masnida (2020) Efficient authentication mechanism for defending against reflection-based attacks on domain name system. Kurdistan Journal of Applied Research, 5 (1). 164 - 174. ISSN 2411-7684; ESSN: 2411-7706
doi 10.24017/science.2020.1.12
institution Universiti Putra Malaysia
building UPM Library
collection Institutional Repository
continent Asia
country Malaysia
content_provider Universiti Putra Malaysia
content_source UPM Institutional Repository
url_provider http://psasir.upm.edu.my/
language English
format Article
author Hasan, Dana
Hama Amin, Rebeen R.
Hussin, Masnida
publisher Sulaimani Polytechnic University
publishDate 2020