Detecting DNS Amplification Attacks

Kambourakis, Georgios; Moschos, Tassos; Geneiatakis, Dimitris; Gritzalis, Stefanos

doi:10.1007/978-3-540-89173-4_16

Georgios Kambourakis¹⁸,
Tassos Moschos¹⁸,
Dimitris Geneiatakis¹⁸ &
…
Stefanos Gritzalis¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5141))

Included in the following conference series:

International Workshop on Critical Information Infrastructures Security

1633 Accesses
38 Citations

Abstract

DNS amplification attacks massively exploit open recursive DNS servers mainly for performing bandwidth consumption DDoS attacks. The amplification effect lies in the fact that DNS response messages may be substantially larger than DNS query messages. In this paper, we present and evaluate a novel and practical method that is able to distinguish between authentic and bogus DNS replies. The proposed scheme can effectively protect local DNS servers acting both proactively and reactively. Our analysis and the corresponding real-usage experimental results demonstrate that the proposed scheme offers a flexible, robust and effective solution.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Cert Advisory CA-1996-26, Denial of Service Attack via ping (December 1997), http://www.cert.org/advisories/CA-1996-26.html
Gibson, S.: DRDoS Distributed Reflection Denial of Service (2002), http://grc.com/dos/drdos.htm
Glenn, C., Kesidis, G., Brooks, R.R.: Denial-of-Service Attack-Detection Techniques. IEEE Internet computing (2006)
Google Scholar
Peng, T., Leckie, C., Kotagiri, R.: Survey of Network-based Defense Mechanisms Countering the DoS and DDoS Problems. ACM Computing Surveys (to appear)
Google Scholar
Mirkovic, J., et al.: Internet Denial of Service: Attack and Defense Mechanism
Google Scholar
Security and Stability Advisory Committee, DNS Distributed Denial of Service (DDoS) Attacks (March 2006), http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf
Mockapetris, P.: Domain Names – Concepts and Facilities, RFC 1034 (November 1987)
Google Scholar
Mockapetris, P.: Domain Names – Implementation and Specification, RFC 1035 (November 1987)
Google Scholar
Vixie, P.: Extension Mechanisms for DNS, RFC 2671 (August 1999)
Google Scholar
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: DNS Security Introduction and Requirements, RFC 4033 (March 2005)
Google Scholar
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: Resource Records for the DNS Security Extensions, RFC 4034 (March 2005)
Google Scholar
Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: Protocol Modifications for the DNS Security Extensions, RFC 4035 (March 2005)
Google Scholar
Guo, F., Chen, J., Chiueh, T.: Spoof Detection for Preventing DoS Attacks against DNS Servers. In: Proceedings of the 26th IEEE international Conference on Distributed Computing Systems (July 2006)
Google Scholar
Chandramouli, R., Rose, S.: An Integrity Verification Scheme for DNS Zone file based on Security Impact Analysis. In: Proceedings of the 21st Annual Computer Security Applications Conference (December 2005)
Google Scholar
Atkins, D., Austein, R.: Threat Analysis of the Domain Name System (DNS), RFC 3833 (August 2004)
Google Scholar
IPTraf - An IP Network Monitor, http://iptraf.seul.org/
Vaughn, R., Evron, G.: DNS Amplification Attacks. A preliminary release (March 2006)
Google Scholar
ICANN Report, DNS Distributed Denial of Service (DDoS) Attacks, Security and Stability Advisory Committee (SSAC) (March 2006)
Google Scholar
Vixie, P.: SAC004, Securing The Edge, http://www.icann.org/committees/security/sac004.txt
Guo, F., Chen, J., Chiueh, T.: Spoof Detection for Preventing DoS Attacks against DNS Servers. In: Proc. of ICDCS 2006 (2006)
Google Scholar
Bloom, B.: Space/time trade-offs in hash coding with allowable errors. Communications of ACM 13(7), 422–426 (1970)
Article MATH Google Scholar

Download references

Author information

Authors and Affiliations

Laboratory of Information and Communication Systems Security, Department of Information and Communication Systems Engineering, University of the Aegean, Karlovassi, GR-83200, Samos, Greece
Georgios Kambourakis, Tassos Moschos, Dimitris Geneiatakis & Stefanos Gritzalis

Authors

Georgios Kambourakis
View author publications
You can also search for this author in PubMed Google Scholar
Tassos Moschos
View author publications
You can also search for this author in PubMed Google Scholar
Dimitris Geneiatakis
View author publications
You can also search for this author in PubMed Google Scholar
Stefanos Gritzalis
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Department of Computer Science, University of Malaga, 29071, Málaga, Spain
Javier Lopez
Hochschule Technik und Architektur Luzern (HTA), Bodenhofstraße 29, 6005, Luzern, Switzerland
Bernhard M. Hämmerli

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Kambourakis, G., Moschos, T., Geneiatakis, D., Gritzalis, S. (2008). Detecting DNS Amplification Attacks. In: Lopez, J., Hämmerli, B.M. (eds) Critical Information Infrastructures Security. CRITIS 2007. Lecture Notes in Computer Science, vol 5141. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89173-4_16

Download citation

DOI: https://doi.org/10.1007/978-3-540-89173-4_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89095-9
Online ISBN: 978-3-540-89173-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics