A Multi-Path Approach to Protect DNS Against DDoS Attacks

Authors

  • Sahel Alouneh 1) German Jordanian University, Amman, Jordan 2) Al Ain University, Abu Dhabi, UAE

DOI:

https://doi.org/10.13052/jcsm2245-1439.1246

Keywords:

DNS, DoS, multipath routing, security, MPLS

Abstract

The Domain Name System (DNS) is a vital service for internet and network operations, and in practice it is configured to be reachable through a network's firewall. Attackers take advantage of this open configuration to attack a network's DNS server and use it as a reflector in Denial of Service (DoS) attacks. Most protection methods, such as intrusion prevention and detection systems, use blended tactics such as block lists for suspicious sources and thresholds on traffic volume to detect and defend against DoS flooding attacks. However, these protection methods are often unsuccessful. In this paper, we propose a new method to sense and protect DNS systems from DoS and Distributed DoS (DDoS) attacks. The main idea of our approach is to distribute the DNS request mapping over more than one DNS resolver, so that an attack on one server does not affect the entire DNS service. Our approach uses Multi-Protocol Label Switching (MPLS) together with multi-path routing to achieve this goal, and we use threshold secret sharing to code the distributed DNS requests. Our findings and results show that this approach performs better than the traditional DNS structure.
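The abstract's core mechanism is a (k, n) threshold secret sharing scheme applied to a DNS request so that it can be carried over n MPLS paths to n resolvers and still be recovered when some of them are flooded. The following Python block is an added illustration of that mechanism and is not code from the paper or its authors: it implements Shamir secret sharing over GF(2^8), splits a constructed DNS query message into n per-path shares, and shows that any k surviving shares reconstruct the query while fewer than k do not. The share count, threshold, the hypothetical `simulate_multipath` helper, the query name `example.com` and the transaction ID are all assumptions made for the example; the paper's actual MPLS path selection and resolver design are not modelled.

```python
import random
import struct
from typing import Dict, Iterable, Tuple

# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
_POLY = 0x11B


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255) in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, k: int, n: int, rng=None) -> Dict[int, bytes]:
    """Shamir (k, n) sharing, byte by byte; share i is the polynomial evaluated at x=i."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    rng = rng or random.SystemRandom()
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        # Degree k-1 polynomial with the secret byte as constant term.
        coeffs = [s] + [rng.randrange(256) for _ in range(k - 1)]
        for x in range(1, n + 1):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def recover_secret(shares: Dict[int, bytes], k: int) -> bytes:
    """Lagrange-interpolate at x=0 from any k shares; fewer than k is rejected."""
    if len(shares) < k:
        raise ValueError("not enough shares to reach the threshold")
    pts = list(shares.items())[:k]
    length = len(pts[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for xj, yj in pts:
            num, den = 1, 1
            for xm, _ in pts:
                if xm != xj:
                    num = gf_mul(num, xm)        # (0 - xm) == xm in characteristic 2
                    den = gf_mul(den, xj ^ xm)   # (xj - xm) == xj XOR xm
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def simulate_multipath(query: bytes, k: int, n: int,
                       lost_paths: Iterable[int]) -> Tuple[bool, bytes]:
    """Hypothetical helper: send shares over n paths, lose some, try to recover.

    Returns (recovered, message). 'lost_paths' models resolvers/paths taken
    out by a flood; recovery succeeds iff at least k paths survive.
    """
    shares = split_secret(query, k, n)
    surviving = {x: y for x, y in shares.items() if x not in set(lost_paths)}
    try:
        return True, recover_secret(surviving, k)
    except ValueError:
        return False, b""


if __name__ == "__main__":
    q = build_dns_query("example.com")
    ok, msg = simulate_multipath(q, k=3, n=4, lost_paths=[2])
    print("one path flooded, recovered:", ok, msg == q)
    ok, _ = simulate_multipath(q, k=3, n=4, lost_paths=[1, 2])
    print("two paths flooded, recovered:", ok)
```

The threshold k is the availability knob: with k = 3 and n = 4 the service tolerates one flooded path, while k = 2 would tolerate two at the cost of weaker confidentiality of any single share pair. Each share is the same length as the query, so the scheme multiplies request bandwidth by n; a deployment would weigh that against the number of resolvers it can afford to lose.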


Author Biography

Sahel Alouneh, 1) German Jordanian University, Amman, Jordan 2) Al Ain University, Abu Dhabi, UAE

Sahel Alouneh is a full professor of electrical and computer engineering. He is currently the program director of the Cybersecurity program in the College of Engineering, Al Ain University, Abu Dhabi campus, UAE, and is on sabbatical leave from the German Jordanian University. Prof. Alouneh obtained his B.Sc. in electrical and computer engineering from Jordan University of Science and Technology (JUST), Jordan, in 2000. His M.Sc. and Ph.D. were obtained from Concordia University, Canada, in 2004 and 2008 respectively. His research interests include computer and communication networks, big data security, cloud computing, software security, MPLS security and recovery, wireless network security, software testing, and computer design and architecture.



Published

2023-06-30

How to Cite

Alouneh S. A Multi-Path Approach to Protect DNS Against DDoS Attacks. JCSANDM [Internet]. 2023 Jun. 30 [cited 2024 May 15];12(04):569-88. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/19369

Section

Articles