UPM Institutional Repository

Protecting DNS from reflection amplification attacks using distributed defense scheme


Citation

Ahmed, Dana Hasan (2017) Protecting DNS from reflection amplification attacks using distributed defense scheme. Masters thesis, Universiti Putra Malaysia.

Abstract

Domain Name System (DNS) is based-on distributed, hierarchical, client-server architecture that translates domain names into Internet Protocol (IP) addresses and vice versa. It relies on User Datagram Protocol (UDP) to transport its data and uses IP in the network layer protocol. Normally, DNS receives requests from its source and sends back the substantially larger responses without inspecting the source address. Lack of source inspection is due to the fact that UDP is a connectionless protocol and IP address does not provide authentication mechanism. Furthermore, DNS is designed for naming efficiency, not security. Such scenarios make DNS a tempting target for cybercriminals to perform massive Distributed Reflection Denial of Service (DRDoS) attacks which are called Reflection/Amplification and hassles the communication traffic towards connected network nodes. There are several defense mechanisms that proposed to tackle DNS Reflection/Amplification attack. They depend on centralized-based approaches where their functionalities degrade against large and complex traffic. In this research, Distributed-based Defense Scheme (DDS) is proposed to monitor incoming DNS requests for handling DNS Reflection/Amplification attacks and a filtration mechanism to distinguish legitimate requests from fake ones. It utilizes an authentication mechanism called DNS Checkpoint which is based on Challenge-Handshake Authentication Protocol (CHAP) to provide authentication for detecting any Reflection/Amplification attacks. The DNS Disinfector is used for filtering mechanism that based-on Stateful Packet Inspection (SPI). It is used to distinguish legitimate requests and discard the fake ones. The experiment results show that DDS remarkably overcome the singlepoint deployment defense mechanism in terms of defense strength, minimizing amplification factor and less bandwidth usage. The results analysis also shows that DDS able to better protect upstream networks from depletion than other defense mechanisms with minimum overhead.


Download File

[img]
Preview
Text
FSKTM 2018 4 IR.pdf

Download (1MB) | Preview

Additional Metadata

Item Type: Thesis (Masters)
Subject: Internet domain names
Subject: Internet addresses
Call Number: FSKTM 2018 4
Chairman Supervisor: Masnida Hussin, PhD
Divisions: Faculty of Computer Science and Information Technology
Depositing User: Ms. Nur Faseha Mohd Kadim
Date Deposited: 30 May 2019 02:46
Last Modified: 30 May 2019 02:46
URI: http://psasir.upm.edu.my/id/eprint/68735
Statistic Details: View Download Statistic

Actions (login required)

View Item View Item