Preventing DNS Amplification Attacks Using the History of DNS Queries with SDN

  • Soyoung Kim
  • Sora Lee
  • Geumhwan Cho
  • Muhammad Ejaz Ahmed
  • Jaehoon (Paul) Jeong
  • Hyoungshick KimEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)


Domain Name System (DNS) amplification attack is a sophisticated Distributed Denial of Service (DDoS) attack by sending a huge volume of DNS name lookup requests to open DNS servers with the source address spoofed as a victim host. However, from the point of view of an individual network resource such as DNS server and switch, it is not easy to mitigate such attacks because a distributed attack could be performed with multiple DNS servers and/or switches. To overcome this limitation, we propose a novel security framework using Software-Defined Networking (SDN) to store the history of DNS queries as an evidence to distinguish normal DNS responses from attack packets. Our evaluation results demonstrate that the network traffic for DNS amplification attack can completely be blocked under various network conditions without incurring a significant communication overhead.


Software-Defined Networking (SDN) Distributed Denial of Service (DDoS) Domain Name System (DNS) DNS amplification attack 



This work was supported in part by the MSIP/IITP (No. 2016-0-00078) and the ITRC (IITP-2017-2012-0-00646). Authors would like to thank all the anonymous reviewers for their valuable feedback.


  1. 1.
  2. 2.
  3. 3.
    Anagnostopoulos, M., Kambourakis, G., Kopanos, P., Louloudakis, G., Gritzalis, S.: DNS amplification attack revisited. Comput. Secur. 39, 475–485 (2013)CrossRefGoogle Scholar
  4. 4.
    Beverly, R., Bauer, S.: The Spoofer project: inferring the extent of source address filtering on the Internet. In: Proceedings of the 1st USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet (2005)Google Scholar
  5. 5.
    Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)CrossRefzbMATHGoogle Scholar
  6. 6.
    Bremler-Barr, A., Levy, H.: Spoofing prevention method. In: Proceedings of the 24th IEEE International Conference on Computer Communications (2005)Google Scholar
  7. 7.
    Deshpande, T., Katsaros, P., Basagiannis, S., Smolka, S.A.: Formal analysis of the DNS bandwidth amplification attack and its countermeasures using probabilistic model checking. In: Proceedings of the 13rd IEEE Conference on High-Assurance Systems Engineering (2011)Google Scholar
  8. 8.
    Di Paola, S., Lombardo, D.: Protecting against DNS reflection attacks with bloom filters. In: Holz, T., Bos, H. (eds.) DIMVA 2011. LNCS, vol. 6739, pp. 1–16. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-22424-9_1CrossRefGoogle Scholar
  9. 9.
    Gallagher, S.: How Spamhaus’ attackers turned DNS into a weapon of mass destruction (2013).
  10. 10.
    Guo, F., Chen, J., Chiueh, T.C.: Spoof detection for preventing DoS attacks against DNS servers. In: Proceedings of the 26th IEEE International Conference on Distributed Computing Systems (2006)Google Scholar
  11. 11.
    Kambourakis, G., Moschos, T., Geneiatakis, D., Gritzalis, S.: Detecting DNS amplification attacks. In: Lopez, J., Hämmerli, B.M. (eds.) CRITIS 2007. LNCS, vol. 5141, pp. 185–196. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-89173-4_16CrossRefGoogle Scholar
  12. 12.
    Katsurai, Y., Nakamura, Y., Takahashi, O.: A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing. In: Proceedings of the 9th International Workshop on Informatics (2015)Google Scholar
  13. 13.
    Kim, H., Feamster, N.: Improving network management with software defined networking. IEEE Commun. Mag. 51, 114–119 (2013)CrossRefGoogle Scholar
  14. 14.
    Kloti, R., Kotronis, V., Smith, P.: Openflow: a security analysis. In: Proceedings of the 21st IEEE International Conference on Network Protocols (2013)Google Scholar
  15. 15.
    Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103, 14–76 (2015)CrossRefGoogle Scholar
  16. 16.
    Lara, A., Kolasani, A., Ramamurthy, B.: Network innovation using openflow: a survey. IEEE Commun. Surv. Tutor. 16, 493–512 (2014)CrossRefGoogle Scholar
  17. 17.
    Lexis, P., Mekking, M.: Identifying patterns in DNS traffic. Technical report, University of Amsterdam (2013)Google Scholar
  18. 18.
    Rastegari, S., Saripan, M.I., Rasid, M.F.A.: Detection of denial of service attacks against domain name system using machine learning classifiers. In: Proceedings of the 18th World Congress on Engineering (2010)Google Scholar
  19. 19.
    Senie, D., Ferguson, P.: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. IETF RFC 2827 (1998)Google Scholar
  20. 20.
    Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Kent, S.T., Strayer, W.T.: Hash-based IP traceback. In: Proceedings of the 15th ACM Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (2001)Google Scholar
  21. 21.
    Sun, C., Liu, B., Shi, L.: Efficient and low-cost hardware defense against DNS amplification attacks. In: Proceedings of the 24th IEEE Global Communications Conference (2008)Google Scholar
  22. 22.
    US-Cert: Alert (TA13-088A) DNS Amplification Attacks. (2013)
  23. 23.
    Vaughn, R., Evron, G.: DNS amplification attacks (2006).
  24. 24.
    Verma, S., Hamieh, A., Huh, J.H., Holm, H., Rajagopalan, S.R., Korczynski, M., Fefferman, N.: Stopping amplified DNS DDoS attacks through distributed query rate sharing. In: Proceedings of the 11st International Conference on Availability, Reliability and Security (2016)Google Scholar
  25. 25.
    Vixie, P.: Extension mechanisms for DNS (EDNS0). IETF RFC 2671 (1999)Google Scholar
  26. 26.
    Vixie, P.: DNS Response Rate Limiting (DNS RRL). ISC-TN-2012-1-Draft1 (2012)Google Scholar
  27. 27.
    Zhao, Y., Iannone, L., Riguidel, M.: On the performance of SDN controllers: a reality check. In: Proceedings of the 1st IEEE Conference on Network Function Virtualization and Software Defined Network (2015)Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Soyoung Kim
    • 1
  • Sora Lee
    • 1
  • Geumhwan Cho
    • 1
  • Muhammad Ejaz Ahmed
    • 1
  • Jaehoon (Paul) Jeong
    • 1
  • Hyoungshick Kim
    • 1
    Email author
  1. 1.Sungkyunkwan UniversitySuwonSouth Korea

Personalised recommendations