Mitigating DDoS Attack Based on DNS Response Value Assessment

doi:10.3969/j.issn.1671-1122.2019.09.012

Abstract

Abstract:

The prevalent defense mechanisms against DDoS focus on detecting and filtering the attack traffic before it can reach the target host based on the traffic patterns. However, this strategy overlooks the impact of attack traffic on the outbound bandwidth of name servers. In this paper, we proposed a method for assessing DNS response value based on analytic hierarchy process. The authoritative servers can be protected by discarding low-value traffic and prioritizing to serve high-value responses, thereby improving the quality of DNS service.

Key words: DNS response value, amplification attack, DDoS defense

CLC Number:

TP309

Qiaoli YUE, Wanbo LV, Weihong HU, Haikuo ZHANG. Mitigating DDoS Attack Based on DNS Response Value Assessment[J]. Netinfo Security, 2019, 19(9): 56-60.

Figures/Tables 1

References 17

[1]	YUAN Pengpeng, WANG Changqing.Research on DNS Security Threats and Countermeasures[J]. Information Security and Technology, 2018, 9(5): 50-54.
	苑朋朋,王常青. DNS安全威胁及应对措施研究[J].网络空间安全,2018,9(5):50-54.
[2]	THOMAS D R, CLAYTON R, BERESFORD A R.1000 Days of UDP Amplification DDoS Attacks[C]//IEEE. 2017 APWG Symposium on Electronic Crime Research, April 25-27, 2017, Scottsdale, AZ, USA. New York: IEEE, 2017: 79-84.
[3]	ALIEYAN K, KADHUM M M, ANBAR M, et al.An Overview of DDoS Attacks Based on DNS[C]//IEEE. 7th International Conference on Information and Communication Technology Convergence, October 19-21, 2016, Jeju, South Korea. New York: IEEE, 2016: 276-280.
[4]	ANAGNOSTOPOULOS M, KAMBOURAKIS G, GRITZALIS S, et al.Never Say Never: Authoritative TLD Nameserver-powered DNS Amplification[C]//IEEE. 16th IEEE/IFIP Network Operations and Management Symposium, April 23-27, 2018, Taipei, China. New York: IEEE, 2018: 1-9.
[5]	LI Heng, SHEN Huawei, CHENG Xueqi, et al.Review of Network High Flow Distributed Denial of Service Attack and Defense Mechanisms[J]. Netinfo Security, 2017, 17(5): 37-43.
	李恒,沈华伟,程学旗,等.网络高流量分布式拒绝服务攻击防御机制研究综述[J].信息网络安全,2017,17(5): 37-43.
[6]	VIXIE P. Extension Mechanisms for DNS (EDNS0)[EB/OL]. , 1999-8-1.
[7]	MA Xinlei, CHEN Yonghong.DDoS Detection Method Based on Chaos Analysis of Network Traffic Entropy[J]. IEEE Communications Letters, 2013, 18(1): 114-117.
[8]	LIU C, ALBITZ P.DNS and Bind (5th Edition)[M]. Sebastopol, CA, USA: O’Reilly Media, 2006.
[9]	DONNERHACKE L. DNS Dampening[EB/OL]. , 2012-9-23.
[10]	GUO Fanglu, CHEN Jiawu, CHIUEH T.Spoof Detection for Preventing DoS Attacks against DNS Servers[C]//IEEE. 26th IEEE International Conference on Distributed Computing Systems, July 4-7, 2006, Lisboa, Portugal. New York: IEEE, 2006: 37-37.
[11]	ARENDS R, AUSTEIN R, LARSON M, et al. Protocol Modifications for the DNS Security Extensions[EB/OL]. , 2005-3-1.
[12]	ARENDS R, AUSTEIN R, LARSON M, et al. Resource Records for the DNS Security Extensions[EB/OL]. , 2005-3-1.
[13]	VAN RIJSWIJK-DEIJ R, SPEROTTO A, PRAS A. DNSSEC and its Potential for DDoS Attacks: A Comprehensive Measurement Study[C]//ACM. The 2014 Internet Measurement Conference, November 5-7, 2014, Vancouver, BC, Canada. New York: ACM, 2014: 449-460.
[14]	VAUGHN R, EVRON G. DNS Amplification Attacks (Preliminary Release)[EB/OL]., 2006-3-17.
[15]	LIAN W, RESCORLA E, SHACHAM H, et al.Measuring the Practical Impact of DNSSEC Deployment[C]//USENIX. 22nd USENIX Conference on Security, August 14-16, 2013, Washington, DC. Berkeley, CA, USA: USENIX Association, 2013: 573-588.
[16]	BLACKA D, LAURIE B, SISSON G, et al. DNS Security (DNSSEC) Hashed Authenticated Denial of Existence[EB/OL]. , 2008-3-1.
[17]	SAATY T L.How to Make a Decision: The Analytic Hierarchy Process[J]. European Journal of Operational Research, 1990, 48(1): 9-26.

影响因素	评价分数	解释说明
用户影响X	0,1,2	0：终止类、其他类型 1：指向类;2：确定类
带宽成本Y	Y=100-AF	放大因子（AF）越大分数越低, AF>100时评价分数为0
计算成本Z	0,1	0：需要NSEC3计算 1：不需要NSEC3计算
系统资源W	0,1	0：利用TCP回应 1：利用UDP回应