Abstract
Networks are fundamentally designed to efficiently share network resources among end-users. The Internet has facilitated a global communication and computational environment by interconnecting billions of computers. People depend on the Internet to share professional, personal, confidential, and valuable information with other network users. Because of this high dependency of users, attackers often exploit its weaknesses to paralyze crucial and important segments of the Internet. Domain Name System (DNS) is one such segment whose proper functioning is highly crucial for the Internet to function properly. Attackers often exploit vulnerabilities of the Internet and DNS to launch large scale Distributed Denial of Service (DDoS) attacks and disrupt network services. Such DNS based DDoS attacks generally use IP spoofing to bombard target network/host so as to paralyze them with attack packets. In this paper we present a novel DDoS attack prevention mechanism by utilizing the flexibility and programmability aspects of Software Defined Networks (SDN). The principal philosophy used behind it is to route DNS response packets along the same path which was used by corresponding DNS request packet. Such routing is independent of the destination IP address present in the packet. This way, the malicious host responsible for launching DDoS attack will self-destruct itself. The results of the simulation showed that KarmaNet reduced the network delay by 41% when the network was experiencing a DDoS attack. Also, as any security mechanism comes at a cost, simulations of proposed mechanism shows that it also introduced additional delay of 8%–9% in getting DNS responses as compared to current DNS structure.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsReferences
Mockapetris, P.: RFC 1034: Domain names: concepts and facilities (November 1987). Status: Standard, 6 (2003)
Mockapetris, P.: RFC 1035-Domain names-implementation and specification, November 1987 (2004). http://www.ietf.org/rfc/rfc1035.txt
Mirkovic, J., Reiher, P.: A taxonomy of DDoS attack and DDoS defense mechanisms. ACM SIGCOMM Comput. Commun. Rev. 34(2), 39–53 (2004)
McKeown, N.: Software-defined networking. INFOCOM Keynote Talk 17(2), 30–32 (2009)
Kirkpatrick, K.: Software-defined networking. Commun. ACM 56(9), 16–19 (2013)
Feamster, N.: Software defined networking (2013). Retrieved from coursera https://class.coursera.org/sdn-001
Jain, R., Paul, S.: Network virtualization and software defined networking for cloud computing: a survey. IEEE Commun. Mag. 51(11), 24–31 (2013)
Kreutz, D., Ramos, F.M., Verissimo, P.E., Rothenberg, C.E., Azodolmolky, S., Uhlig, S.: Software-defined networking: a comprehensive survey. Proc. IEEE 103(1), 14–76 (2015)
Roolvink, S.: Detecting attacks involving DNS servers (2008)
Guo, F., Chen, J., Chiueh, T.C.: Spoof detection for preventing dos attacks against DNS servers. In: 26th IEEE International Conference on Distributed Computing Systems, ICDCS 2006, pp. 37–37. IEEE (2006)
Paxson, V.: An analysis of using reflectors for distributed denial-of-service attacks. ACM SIGCOMM Comput. Commun. Rev. 31(3), 38–47 (2001)
Blacka, D., Laurie, B., Sisson, G., Arends, R.: DNS security (DNSSEC) hashed authenticated denial of existence (2008)
Klein, A., Shulman, H., Waidner, M.: Internet-wide study of DNS cache injections. In: INFOCOM 2017-IEEE Conference on Computer Communications, pp. 1–9. IEEE, May 2017
Specht, S.M., Lee, R.B.: Distributed denial of service: taxonomies of attacks, tools, and countermeasures. In: ISCA PDCS, pp. 543–550, September 2004
Somani, G., Gaur, M.S., Sanghi, D., Conti, M., Buyya, R.: DDoS attacks in cloud computing: issues, taxonomy, and future directions. Comput. Commun. 107, 30–48 (2017)
Krämer, L., et al.: AmpPot: monitoring and defending against amplification DDoS attacks. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 615–636. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_28
Rossow, C.: Amplification hell: revisiting network protocols for DDoS abuse. In: NDSS, February 2014
Fouladi, R.F., Kayatas, C.E., Anarim, E.: Frequency based DDoS attack detection approach using naive Bayes classification. In: 2016 39th International Conference on Telecommunications and Signal Processing (TSP), pp. 104–107. IEEE, June 2016
Yan, Q., Yu, F.R., Gong, Q., Li, J.: Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: a survey, some research issues, and challenges. IEEE Commun. Surv. Tutorials 18(1), 602–622 (2016)
Lim, S., Ha, J., Kim, H., Kim, Y., Yang, S.: A SDN-oriented DDoS blocking scheme for botnet-based attacks. In: 2014 Sixth International Conf on Ubiquitous and Future Networks (ICUFN), pp. 63–68. IEEE, July 2014
Belyaev, M., Gaivoronski, S.: Towards load balancing in SDN-networks during DDoS-attacks. In: 2014 First International Science and Technology Conference (Modern Networking Technologies) (MoNeTeC), pp. 1–6. IEEE, October 2014
Bawany, N.Z., Shamsi, J.A., Salah, K.: DDoS attack detection and mitigation using SDN: methods, practices, and solutions. Arab. J. Sci. Eng. 42(2), 425–441 (2017)
Kim, S., Lee, S., Cho, G., Ahmed, M.E., Jeong, J.P., Kim, H.: Preventing DNS amplification attacks using the history of DNS queries with SDN. In: Foley, S.N., Gollmann, D., Snekkenes, E. (eds.) ESORICS 2017. LNCS, vol. 10493, pp. 135–152. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66399-9_8
https://www.calyptix.com/top-threats/top-7-network-attack-types-in-2015-so-far. Accessed 15 June 2018
Availability
KarmaNet is free and released under the MIT Licence. It is available on GitHub: https://github.com/mittalgovind/KarmaNet-DNS-based-DDoS-Simulation-and-Prevention-Using-SDN.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Mittal, G., Gupta, V. (2019). KarmaNet: SDN Solution to DNS-Based Denial-of-Service. In: Thampi, S., Madria, S., Wang, G., Rawat, D., Alcaraz Calero, J. (eds) Security in Computing and Communications. SSCC 2018. Communications in Computer and Information Science, vol 969. Springer, Singapore. https://doi.org/10.1007/978-981-13-5826-5_33
Download citation
DOI: https://doi.org/10.1007/978-981-13-5826-5_33
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-5825-8
Online ISBN: 978-981-13-5826-5
eBook Packages: Computer ScienceComputer Science (R0)