LEVERAGING SDN AND NFV FOR DNS AMPLIFICATION OR REFLECTION ATTACK DETECTION AND MITIGATION

Nesary, Mohammad Mashud

01 August 2023

Domain Name System (DNS) is virtually the distributed directory of the Internet for obtaining the Internet Protocol (IP) addresses to access web resources. DNS has always been one of the prime targets for cyber attackers either to inundate different types of DNS servers with attack traffic and false records or to exploit the DNS protocol to perform targeted attacks to user machines. DNS amplification or reflection attacks are some of the most fundamental types of DNS specific Denial-of-Service (DoS) attacks. In this type of attack, users are denied service as the server needs to process spoofed DNS query from the attackers and victim machines receive unsolicited DNS response. Software Defined Networking (SDN) and Network Function Virtualization (NFV) are the technological breakthroughs which have brought transformational change in operating and maintaining network services. These have also opened new avenues to deal with those cyber-attacks along with introducing a whole new set of security threats or vulnerabilities that need to be taken care of. In this paper, we propose detection and mitigation strategies to combat DNS amplification or reflection attacks leveraging the functionalities of both SDN and NFV. We reviewed the existing literature of related approaches, incorporated Moving Target Defense (MTD) techniques into the security solutions, discussed the deployment options of vDNS (Virtual DNS) servers, and elaborated on the security issues involved with SDN and NFV. This work could potentially augment the security of the DNS infrastructure while improving the scalability and agility and provide future direction in research and practice.

DNS

DNS Amplification Attack

NFV

SDN

vDNS

Överbelastningsattacker genom öppna reläer / Denial of Service Attacks Through Open Relays

Göran, Gustafsson, Sebastian, Lundberg

January 2014

Detta arbete behandlar en specifik typ av överbelastningsattack som blir allt mer populär. Dessa attacker utförs genom öppna reläer med syftet att få ut en avsevärt mycket högre effekt än den som annars är uppnåbar. Granskning av attacker utförda genom tjänsterna DNS och NTP har utförts med syftet att ge en klar bild av hur allvarligt hotet är och även klargöra hur en systemadministratör kan säkra tjänsterna för att skydda både sina egna och andras resurser. Resultaten av undersökningar visar att en attack utförd genom en DNS-tjänst ger under optimala förhållanden en amplifikationsfaktor av "102.4" och en attack genom en NTP-tjänst ger under optimala förhållanden en amplifikationsfaktor av "229.16". Resultaten visar även att problemet kan lösas helt eller delvis genom att begränsa tillåtna nätverk eller stänga av rekursion i DNS och kommandon i NTP. / This work concerns a specific type of Denial of Service attack which is becoming increasingly popular. These attacks are carried out through open relays with the purpose of getting a significantly higher effect than otherwise achievable. Examination of attacks carried out through the services DNS and NTP have been conducted with the purpose of providing a clear picture of how serious the threat is and also clarify how a system administrator can secure the services to protect both their own and others resources. The results of our studies show that an attack performed through a DNS service gives under optimal conditions a amplification factor of "102.4" and an attack through a NTP service gives under optimal conditions a amplification factor of "229.16". The results also show that the problem can be solved in whole or in part by limiting the allowed network or disable recursion in DNS and commands in NTP.

DoS

DDoS

Amplification attack

DNS

NTP

DoS

DDoS

Överbelastningsattack

Amplifikationsattack

DNS

NTP