Title: HELP4DNS: Leveraging the programmable data plane for effective and robust defense against DDoS attacks on DNS
Authors: Mehmet Emin Şahin, Mehmet Demirci
Journal: Journal of Network and Computer Applications, volume 240, Article 104198
DOI: 10.1016/j.jnca.2025.104198
Publication date: 2025-04-29
Publication type: Journal article
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S1084804525000955
Journal impact factor: 8.0
JCR: Q1 (COMPUTER SCIENCE, HARDWARE & ARCHITECTURE)
Citation count: 0
Abstract
DNS is a critical component of the Internet infrastructure, and securing it has been an active research domain, with a particular emphasis on countering DDoS attacks. With the rise of programmable data planes, novel defensive strategies taking advantage of their flexibility and line-rate packet processing capabilities have been developed to counter a range of DDoS attacks. This study proposes two novel methodologies against DNS flood and DNS amplification attacks within programmable data planes using P4. The first approach involves constraining the concurrent active queries per client to mitigate DNS query flood attacks, thereby ensuring that clients generating a high volume of requests adhere to predetermined limits. The proposed method uses concurrent query limits per client by employing a modified token bucket algorithm within an updatable Bloom filter data structure to track and limit DNS queries. This approach effectively rate limits malicious client requests, preventing server overload and safeguarding benign users from any resulting disruptions. The second method is a DNS firewall implemented on the P4 switch situated on the victim’s side to prevent DNS amplification attacks. The proposed firewall utilizes an updatable Bloom filter on a P4 switch, enabling stateful processing of DNS queries at the application layer. Additionally, it supports stateful tracking of fragmented DNS responses resulting from the Extension Mechanisms for DNS. While IP fragmentation occurs at the IP layer, the proposed approach achieves stateful tracking of fragmented DNS responses at the application layer. In this manner, only the responses corresponding to legitimate requests are forwarded among the received DNS responses by the victim, while responses stemming from DNS amplification attacks are blocked. Evaluation results have demonstrated that the proposed approach effectively blocks high-volume DNS amplification attack packets with minimal memory space requirements.
Journal description:
The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.