Countering DNS Amplification Attacks Based on Analysis of Outgoing Traffic

Evgeny Sagatov;Samara Mayhoub;Andrei Sukhov;Prasad Calyam
DOI: 10.23919/JCIN.2023.10173727
Journal: Journal of Communications and Information Networks, vol. 8, no. 2, pp. 111-121
Publication date: 2023-06-01
Publication type: Journal Article
Source: https://ieeexplore.ieee.org/document/10173727/
Citation count: 0

Abstract

Domain name system (DNS) amplification distributed denial of service (DDoS) attacks are one of the popular types of intrusions that involve accessing DNS servers on behalf of the victim. In this case, the size of the response is many times greater than the size of the request, and the source address of the request is replaced with the address of the victim. This paper presents an original method for countering DNS amplification DDoS attacks. The novelty of our approach lies in the analysis of outgoing traffic from the victim's server. DNS servers used for amplification attacks are easily detected from Internet control message protocol (ICMP) packet headers (type 3, code 3) in outgoing traffic. ICMP packets of this type are generated when the amplified responses arrive at closed user datagram protocol (UDP) ports of the victim, which are randomly assigned by the Saddam attack tool. To prevent such attacks, we used a Linux utility and a software-defined network (SDN) module that we previously developed to protect against port scanning. The Linux utility showed the highest efficiency of 99.8%, i.e., only two attack packets out of a thousand reached the victim server.
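The detection idea in the abstract, that the victim's own outgoing ICMP type 3 code 3 (destination unreachable, port unreachable) messages name the DNS servers being abused as reflectors, can be checked on raw packets. The following is an added example and is not the paper's Linux utility or SDN module: it parses raw IPv4 frames (as a hypothetical capture source would hand them over), keeps only outgoing port-unreachable messages whose quoted UDP datagram came from port 53 and was addressed to the victim, and counts them per remote host. The victim address, the reflector addresses, the threshold of two hits and the sample packets are all constructed for the example; checksums in the samples are left at zero because the parser does not verify them.

```python
"""Find DNS reflectors from the victim's outgoing ICMP port-unreachable traffic.

Added example, not the paper's code. Assumes raw IPv4 packets; all addresses
below are constructed from documentation ranges (RFC 5737).
"""
import socket
import struct
from collections import Counter

ICMP_PROTO, UDP_PROTO = 1, 17
ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3
DNS_PORT = 53


def parse_port_unreachable(pkt: bytes):
    """Parse one raw IPv4 packet. If it is an ICMP type 3 code 3 message quoting
    a UDP datagram, return (outer_src, outer_dst, inner_src, inner_dst, sport,
    dport); otherwise return None."""
    if len(pkt) < 20:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 8:
        return None
    outer_src = socket.inet_ntoa(pkt[12:16])
    outer_dst = socket.inet_ntoa(pkt[16:20])
    icmp = pkt[ihl:]
    if icmp[0] != ICMP_DEST_UNREACH or icmp[1] != CODE_PORT_UNREACH:
        return None
    inner = icmp[8:]  # quoted original IP header plus the first 8 bytes of UDP
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != UDP_PROTO or len(inner) < inner_ihl + 4:
        return None
    inner_src = socket.inet_ntoa(inner[12:16])
    inner_dst = socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    return outer_src, outer_dst, inner_src, inner_dst, sport, dport


def find_dns_reflectors(packets, victim_ip, threshold=2):
    """Count, per remote host, outgoing port-unreachable messages that quote a
    UDP datagram from port 53 to a closed port on the victim. Hosts reaching
    the threshold are the DNS servers currently being used as reflectors."""
    hits = Counter()
    for pkt in packets:
        parsed = parse_port_unreachable(pkt)
        if parsed is None:
            continue
        outer_src, outer_dst, inner_src, inner_dst, sport, _ = parsed
        # Outgoing means the victim generated it; the quoted datagram must be
        # consistent with that (sent by the remote host to the victim).
        if outer_src != victim_ip or inner_dst != victim_ip or inner_src != outer_dst:
            continue
        if sport == DNS_PORT:
            hits[outer_dst] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}


# --- constructed sample traffic (checksum fields zero; parser ignores them) ---
def _ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _port_unreachable(victim, remote, sport, dport):
    """ICMP type 3 code 3 the victim would emit after a UDP datagram from
    remote:sport hit closed port dport (only 8 bytes of UDP are quoted)."""
    quoted = _ipv4(remote, victim, UDP_PROTO, struct.pack("!HHHH", sport, dport, 8, 0))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0, 0) + quoted
    return _ipv4(victim, remote, ICMP_PROTO, icmp)


VICTIM = "203.0.113.10"  # constructed victim address
SAMPLE_PACKETS = [
    _port_unreachable(VICTIM, "198.51.100.5", 53, 41022),
    _port_unreachable(VICTIM, "198.51.100.5", 53, 52841),
    _port_unreachable(VICTIM, "198.51.100.5", 53, 60013),
    _port_unreachable(VICTIM, "198.51.100.7", 53, 33190),   # one hit, below threshold
    _port_unreachable(VICTIM, "192.0.2.44", 12345, 33434),  # not from port 53: ignored
    _ipv4(VICTIM, "192.0.2.99", UDP_PROTO, struct.pack("!HHHH", 40000, 53, 8, 0)),  # victim's own query
]

if __name__ == "__main__":
    for ip, n in find_dns_reflectors(SAMPLE_PACKETS, VICTIM).items():
        print(f"reflector {ip}: {n} port-unreachable replies")
```

The consistency check between the outer destination and the quoted inner source matters in practice: a port-unreachable message that the victim emits for any other UDP traffic (traceroute probes, stray datagrams) also has type 3 code 3, so only the quoted source port 53 and the matching addresses single out DNS reflection, and the per-host count is what a filter rule would be keyed on.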