A Fair Solution To DNS Amplification Attacks Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

In today's world many networks come under DDoS attack using IP spoofing. In a DNS amplification attack situation, in order to perform a DoS style attack, DNS servers are utilized. Since the message from a DNS response is mainly greater than the message from a DNS query, DNS amplification attacks exploits this situation.

The authors of this paper are trying to project a unique and possible ploy to allow system administrators to recognize between legit and incorrect replies from DNS. Based on the proposal the information to and from the DNS is subsequently checked and administrators are notified when needed. The proposal also prohibits false and improper packets by working together with the firewall by necessary updates in rules. The summary of results clearly shows the effectiveness of the proposal during attacks.


When the World Wide Web was designed, security was not weighed into the design. Taking advantage of this situation, attacks happen constantly to gain illegal access as well as causing Denial of Service (DoS) in the system. Any illegal activity aimed at the service or breaking the communication within the service is considered a DoS. DoS are of two types, where illegal packets are placed within the software or the attacker overloads the resources in the system which in turn adversely affects the bandwidth, memory, central processing unit etc which is called as flooding. Among the attacks Reflection Distribution Denial of Service (RDDoS) is considered very malicious which in turn reduces productivity and cost money to rectify. Many DNS servers have been affected due to a DoS attack.

Sometimes an attacker makes the DNS server to authorize the attack. Such an attack can be hard to overcome since it would not be possible to obstruct a DNS server without causing damage to the network.

This paper provides a way to get rid of the effects of a DNS amplification attack, where administrators are cautioned before an attack takes place. Also an attack can be eliminated by blocking out the IP address of the attacker at the firewall.

Domain Name System (DNS)

DNS is the system that bridges between a domain name and an IP address. It is also called Address Resolution Service. Domains such as .com, .gov, .edu etc are linked to a particular IP address of the respective DNS server. A special zone is formed by these particular domains and their sub domains. Each zone leaf captures the map between the IP address and the domain name which is stored in the associated Resource Record.

When a client wants to connect to a particular domain, first the client makes a query which is then passed to the resolver, which then tries to associate with the cache server. If the requested mapping is available to the server, the requested resource records are returned. When the mapping is received by the DNS server it stores it and also forwards it to the resolver. This is then passed and received by the client.

Flooding Attacks and the Domain Name System

The objective of a flooding attack is to consume the resources in the system to disrupt services and disconnect the service to the user. Since such an attack affects the DNS, the whole network would also be vulnerable to the attack. A flooding attack can take place in two methods, the first where big bogus DNS requests are sent by the attacker from numerous or a single origin.

Figure 1: Multiple source attack

The attacker co-ordinates multiple hosts to create a bogus DNS request which then malfunctions the normal operations of the DNS by overwhelming the network resources.

The second method of a flooding attack utilizes the DNS components by itself to increase or amplify the effect of the attack. In other words the attacker takes advantage of the vulnerability of the system where small size requests can bring upon responses that are large. The amplification is the ratio of the response size to the request size. As the amplification factor increases the resource consumption also increases. The attacker misuses the situation where a DNS request can bring upon greater responses. In one particular incident the attacker doctored the IP address and a DNS query is created for a genuine resource record which in turn is sent to the name server. Multiple queries were maligned and all the responses were targeted towards the victim's network. This in turn would consume the whole bandwidth. The attacker generates a large response either by finding out the server that stores the resource records or by endangering a server and intentionally adding a specific record which is also called as amplification record.

Protection Mechanisms against DNS Amplification Attacks

Various layers of protection must be installed to protect against a DNS DoS attack. The authors articulate the general countermeasures, their limitations and then propose an approach to counter against attacks.

General Countermeasures and Remedies

UDP is employed by DNS to convey responses and requests. Due to this, an attacker is able to devise an illegal DNS request. To counter such an attack a protection implement at the first level should be made available. Also add on security features should be implemented to counter Man in the Middle (MITM) and DNS cache poisoning attacks. Such a step would guarantee a sound and authentic DNS data that is stored in the zone file or resource record

Another option to counter an attack is to isolate name servers from sources that are external and interact with only sources that can be trusted.

Survey indicates that most of the servers are used as servers that are open and majority of the domain name servers allow services to inquire about sources without restriction. This makes it vulnerable to DoS and cache poisoning attacks.

Limitations of Countermeasures & Remedies

The author states that even thou a lot of servers are protected against attacks using the countermeasures only a handful employ these protective features. This leaves a lot of unprotected servers out in the open susceptible to attacks.

Solutions such as DNS Security Extensions does not effectively protect against attacks. Also no consideration or features are implemented against malicious insiders who have secured access to these servers. Due to these factors a detection and prevention method should be compulsory to counter against server attacks.

A DNS Guard one is the only known approach to counter a DNS amplification attacks. This feature produces cookies for a server to authenticate the request origin. The major drawbacks with DNS Guard are that heavy traffic is brought upon in the system, delays are caused and also large scale implantation is required.

The Proposed Approach and Research Findings

DNS Servers that are attacked as part of a DNS amplification attack gets responses even thou requests have not been sent out previously. Such a response should be categorized as being suspicious and should also be disposed.

An IPtraf tool should be implemented to observe and capture all the DNS responses and requests. Also along with the IPtraf, the authors have customized a tool called the DNS amplification Attack Detector to be installed which processes the information stored in the database. The detector then categorizes the traffic as a suspect or not and also sets an alarm when an attack takes place.

Table 1: Example of DNS requests

Table 2: Example of DNS responses

It can be noted that the second row information from the response table matches with the first row from the request table.

The proposed scheme is shown in the figure below and the logic behind the detector is shown in figure 3.

Figure 2: Proposed Scheme

Figure 3: Detector logic

The detector would decide if the incoming message is a request or response. A new entry is created to the table by the detector tool every time a request and response is received. When the detector identifies a response the detector checks the request and if there is no earlier match it is termed as corrupt. If a certain count of corruption is exhibited then automatic updates to the firewall rules are applied to hinder the data from the attacker.

An attacking test was conducted to validate the effectiveness of the detector. A DoS attack was forced on the system by creating illegal DNS request which was then sent to the server. The attack can be focused either on any machine in the network or the server. The detector relates the requests to the responses and if no relation is generated then it is termed as malicious. When a certain count of malicious attack is performed the detector can assign the firewall to block the attackers IP address.

Conclusion and Novelty of Solution

The amplification effect takes place when the attacker generates small queries that can become enormous packets. Such an attack can be thwarted using the proposed DNS Amplification Attack Detector.

Strengths of the Proposal

A DNS Amplification Attacks Detector approach can tackle an amplification attack with accuracy higher than other methods and also the response time needed in thwarting an attack is comparably less.

Weaknesses of the Proposal

The drawback associated with a detector system is that the database size is dependent on the traffic rate, larger the traffic rate, larger would be database size be. Due to this more study should be done on data stores. This might enhance the detector performance, but would also make it scalable. Even thou the authors propose the detector system tool no study is shown that studies the performance of the system. Also no discussion is provided to measure the accuracy of the detection.

Even thou the detector are proposed as an option no input is provided as to how much overhead is associated with the implementation.

Related Open Issues Not Discussed in Paper

Open issues that can be compared with and is not considered is how can one separate DNS name servers from the ones that are used by clients and users in the network. Also thoughts can be given to how to control the use of DNS name servers in the network.

Extension of Proposal

The proposed detector system can be tested for a network that uses memory that is shared within all the processors. The findings can provide us with information as to the CPU cycles needed to tender to quite a few requests.

As more and more attacks occur it would be an appropriate extension of the proposal to find out about the network availability, there by guaranteeing that the devices would be able to deal with all the volume of traffic.

Table and Figure Reference

Kambourakis et al., "A Fair Solution to DNS Amplification Attacks", 2007.