Mitigation of DNS Water Torture Attacks within the Data Plane via XDP-Based Naive Bayes Classifiers

Abstract

Water Torture is a DDoS attack vector that exhausts the processing resources of victim Authoritative DNS Servers. By crafting DNS requests involving names that appear once and are unknown to the victim, attackers bypass the DNS caches of intermediary Recursive DNS Servers (Resolvers), hence forwarding the entire attack traffic to the victim. As a countermeasure, machine learning algorithms have been proposed to filter attack traffic on Resolvers.Our proposed schema implements via programmable data plane methods efficient machine learning algorithms that differentiate between legitimate and DDoS attack traffic within cloud infrastructures. Specifically, we leverage on XDP to implement data plane Naive Bayes Classifier inference and effectively mitigate Water Torture attacks within data center Resolvers. DNS requests regarded as invalid by the Naive Bayes Classifier are dropped within the Linux kernel before any resources are allocated to them, while valid ones are forwarded to the user space to be resolved.Our schema was assessed via a proof of concept setup within a virtualized environment, with learning and testing performed via legitimate and malicious DNS data records with statistical properties consistent with datasets widely reported in the literature. Our experiments mainly focused on evaluating the filtering throughput of the proposed mitigation schema given the constraints imposed by XDP. We conclude that our XDP-based Naive Bayes Classifier significantly decreases the volume of attack traffic within the data plane, thus efficiently safeguarding Resolvers.