A Defence Mechanism: DNS based DDoS Attack

International Journal of Computer Trends and Technology (IJCTT)          
 
© 2016 by IJCTT Journal
Volume-33 Number-1
Year of Publication : 2016
Authors : Arpita Narayan, Upendra Kumar
DOI: 10.14445/22312803/IJCTT-V33P101

MLA

Arpita Narayan, Upendra Kumar "A Defence Mechanism: DNS based DDoS Attack". International Journal of Computer Trends and Technology (IJCTT) V33(1):1-8, March 2016. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.

Abstract -
Distributed Denial of Service (DDoS) attacks pose one of the most serious security threats to the Internet. In this work we develop a collaborative defence framework against DNS-based DDoS reflection and amplification attacks. We focus on two phases, victim detection and filtering of malicious traffic, to defend against DNS reflection attacks and to prevent amplification attacks. We propose an efficient server-level approach that identifies the victim IP address accurately and responsively from its unusual request count: in a reflection attack the victim's address is forged as the source of the queries sent to the server, so the source address with an abnormal number of requests is the victim. Once the victim IP is confirmed, we use the hop count, i.e. the number of routers a packet traverses to reach its destination, to filter out all illegitimate requests, since spoofed queries carrying the victim's address originate from hosts whose hop distance to the server differs from the genuine victim's.
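The two phases described in the abstract, as an added example that is not the paper's code: per-source request counting to detect the victim IP, followed by hop-count filtering (HCF), in which the hop count is inferred from the TTL a packet arrives with. All IP addresses, TTLs and the request threshold are constructed for illustration; the initial-TTL table and the learn/filter interface are assumptions, not something the paper specifies.

```python
"""Added example (not the paper's code): victim detection by unusual per-source
request count, then hop-count filtering (HCF) of spoofed DNS queries.
Addresses, TTLs and thresholds are constructed for illustration."""
from collections import Counter

# Initial TTLs used by common stacks: 64 (Linux, macOS, BSD), 128 (Windows),
# 255 (some Unix, network gear), 32 (legacy). A packet arriving with TTL t was
# most likely sent with the smallest initial TTL >= t, so hops = initial - t.
INITIAL_TTLS = (32, 64, 128, 255)


def hop_count_from_ttl(ttl: int) -> int:
    """Infer how many routers a packet crossed from the TTL it arrived with."""
    if not 0 < ttl <= 255:
        raise ValueError(f"invalid TTL {ttl}")
    return next(init for init in INITIAL_TTLS if ttl <= init) - ttl


class DnsReflectionFilter:
    """Server-side filter: detect victim IPs, then drop queries whose hop
    count disagrees with the baseline learned for that IP."""

    def __init__(self, request_threshold: int, hop_tolerance: int = 0):
        self.request_threshold = request_threshold  # max queries per IP per window
        self.hop_tolerance = hop_tolerance          # allowed drift from the baseline
        self.hop_table = {}                         # src IP -> expected hop count

    def learn(self, src_ip: str, ttl: int) -> None:
        """Record the hop count of traffic known to be genuine (assumed source:
        TCP DNS sessions that completed a handshake, or a pre-attack quiet period)."""
        self.hop_table[src_ip] = hop_count_from_ttl(ttl)

    def find_victims(self, queries):
        """Phase 1: a source IP with an unusual request count in the window is
        the forged address the server is reflecting onto, i.e. the victim."""
        counts = Counter(src for src, _ in queries)
        return {ip for ip, n in counts.items() if n > self.request_threshold}

    def filter(self, queries):
        """Phase 2: for confirmed victims keep only queries whose hop count
        matches the baseline; traffic from non-victim sources passes unchanged."""
        victims = self.find_victims(queries)
        result = {"victims": victims, "forwarded": [], "dropped": [], "unverifiable": []}
        for src, ttl in queries:
            if src not in victims:
                result["forwarded"].append((src, ttl))
                continue
            expected = self.hop_table.get(src)
            if expected is None:
                # No baseline for this IP: HCF cannot decide, so hand the
                # decision to a coarser control such as per-IP rate limiting.
                result["unverifiable"].append((src, ttl))
            elif abs(hop_count_from_ttl(ttl) - expected) <= self.hop_tolerance:
                result["forwarded"].append((src, ttl))
            else:
                result["dropped"].append((src, ttl))
        return result


def build_sample_window():
    """Constructed traffic window as (src_ip, arrival_ttl) pairs seen by the server."""
    window = []
    window += [("10.0.0.5", 52)] * 3          # Linux client 12 hops away
    window += [("198.51.100.9", 110)] * 4     # unknown client, low volume
    window += [("203.0.113.7", 120)] * 2      # genuine queries from the victim, 8 hops
    window += [("203.0.113.7", 47)] * 30      # spoofed: attacker host 17 hops away
    window += [("203.0.113.7", 235)] * 20     # spoofed: attacker host 20 hops away
    window += [("192.0.2.44", 60)] * 15       # spoofed flood, no baseline for this IP
    return window


def run_demo():
    """Learn baselines from trusted traffic, then filter one constructed window."""
    f = DnsReflectionFilter(request_threshold=10)
    f.learn("203.0.113.7", 120)   # baseline: 128 - 120 = 8 hops
    f.learn("10.0.0.5", 52)       # baseline: 64 - 52 = 12 hops
    return f.filter(build_sample_window())


if __name__ == "__main__":
    r = run_demo()
    print("victims:", sorted(r["victims"]))
    print("forwarded:", len(r["forwarded"]), "dropped:", len(r["dropped"]),
          "unverifiable:", len(r["unverifiable"]))
```

Two caveats a deployment has to handle: HCF only works for a victim whose baseline hop count was learned before the attack (the `unverifiable` bucket above shows what happens otherwise), and initial-TTL inference is ambiguous near the table boundaries, e.g. an arrival TTL of 60 reads as 4 hops from a 64-TTL host or 68 hops from a 128-TTL host, so `hop_tolerance` should be set from observed route churn rather than left at zero in production.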


Keywords
Distributed Denial of Service attacks (DDoS), Domain Name System (DNS), DNS message sequence, hop count, Reflection attack, Amplification attack.