Efficient Authentication Mechanism For Defending Against Reflection-Based Attacks on Domain Name System
Domain Name System (DNS) is one of few services on the Internet which is allowed through every security barrier. It mostly depends on the User Datagram Protocol (UDP) as the transport protocol, which is a connectionless protocol with no built-in authentication mechanism. On top of that, DNS response...
Main Authors: | Dana Hasan, Rebeen R. Hama Amin, Masnida Hussin |
---|---|
Format: | Article |
Language: | English |
Published: | Sulaimani Polytechnic University, 2020-06-01 |
Series: | Kurdistan Journal of Applied Research |
Subjects: | DNS, Reflection/Amplification attacks, Amplification factor, CHAP, Source Authentication |
Online Access: | https://www.kjar.spu.edu.iq/index.php/kjar/article/view/479 |

_version_ | 1823857425396006912 |
---|---|
author | Dana Hasan; Rebeen R. Hama Amin; Masnida Hussin |
collection | DOAJ |
description | Domain Name System (DNS) is one of few services on the Internet which is allowed through every security barrier. It mostly depends on the User Datagram Protocol (UDP) as the transport protocol, which is a connectionless protocol with no built-in authentication mechanism. On top of that, DNS responses are substantially larger than their corresponding requests. These two key features made DNS a fabulous attacking tool for cybercriminals to reflect and amplify a huge volume of requests to consume their victim's resources. Recent incidents revealed how harsh DNS could be when it is abused with great complexity by attackers. Moreover, these events had proven that any defense mechanism with single point deployment couldn’t accurately and efficiently overcome an attack volume with high dynamicity. In this paper, we proposed the Efficient Distributed-based Defense Scheme (EDDS) to overcome the shortcomings of a centralized-based defense mechanism by using an authentication message exchange, which is a Challenge-Handshake Authentication Protocol (CHAP)-based authentication mechanism. It is deployed on multiple nodes to determine the legitimacy of the DNS request. Moreover, it significantly reduces the impact of the amplification factor for the fake DNS requests without having any side effects on legitimate ones. Then, a Stateful Packet Inspection (SPI)-based packet filtering is proposed to distinguish legitimate requests from fake ones by considering the results of the authentication procedure. Both authentication-message exchange and SPI-based filtering are introduced to provide detection accuracy without reducing the quality of service for legitimate users. As the simulation results show, the proposed mechanism can efficiently and accurately detect, isolate, and discard the bogus traffic with minimal overhead on the system. |
format | Article |
id | doaj-art-69f9b1a53a6949b8bc2c50a2c4f874e0 |
institution | Kabale University |
issn | 2411-7684 2411-7706 |
language | English |
publishDate | 2020-06-01 |
publisher | Sulaimani Polytechnic University |
record_format | Article |
series | Kurdistan Journal of Applied Research |
spelling | doaj-art-69f9b1a53a6949b8bc2c50a2c4f874e0; 2025-02-11T21:00:42Z; eng; Sulaimani Polytechnic University; Kurdistan Journal of Applied Research; 2411-7684; 2411-7706; 2020-06-01; 5; 1; 10.24017/science.2020.1.12; 479; Efficient Authentication Mechanism For Defending Against Reflection-Based Attacks on Domain Name System; Dana Hasan (0, https://orcid.org/0000-0002-7664-799X); Rebeen R. Hama Amin (1); Masnida Hussin (2); Computer Science Department, College of Science, University of Garmian, Kalar, Iraq; Network Department, Computer Science Institute, Sulaimani Polytechnique University, Sulaymania, Iraq; Department of Communication Technology and Network, Faculty of Computer Science and Information Technology, Universiti Putra Malaysia, Serdang, Selangor, Malaysia; https://www.kjar.spu.edu.iq/index.php/kjar/article/view/479; DNS, Reflection/Amplification attacks, Amplification factor, CHAP, Source Authentication. |
title | Efficient Authentication Mechanism For Defending Against Reflection-Based Attacks on Domain Name System |
topic | DNS, Reflection/Amplification attacks, Amplification factor, CHAP, Source Authentication. |
url | https://www.kjar.spu.edu.iq/index.php/kjar/article/view/479 |