A software-based approach to reproduce and detect flooding attacks against DNS

Santiago Ruano Rincon (1, 2), Sandrine Vaton (1, 2), Stéphane Bortzmeyer (3)
1 ADOPNET - Advanced technologies for operated networks
UR1 - Université de Rennes 1, IMT Atlantique - IMT Atlantique Bretagne-Pays de la Loire, IRISA-D2 - RÉSEAUX, TÉLÉCOMMUNICATION ET SERVICES
Abstract: In this presentation we show our ongoing work to develop a testbed, based on software and commodity hardware, for research on flooding attacks against DNS infrastructure. We have currently developed two prototype components: a flooding DNS query generator, able to saturate 10GbE links at 11 Mrps, and an online detector of over-queried domains at reception. Relying on DPDK and libmoon (a LuaJIT framework for DPDK), both tools run on commodity hardware while maximizing the number of packets that can be handled at transmission and reception. Both the generation and the reception tools run Lua scripts, which gives them a high degree of flexibility. In this presentation we share some of the lessons we are learning, compare the generator against other available tools, and present some unexpected results: for example, how a slower software query generator has a stronger impact on a BIND server than our current flooding tool (650 Krps versus 10 Mrps). We also describe how we count the number of queries per domain at reception under 11 Mrps of traffic with reduced packet loss. Given the large number of elements from DNS messages that could be analysed (IP addresses, random qnames), we rely on statistical tools, mainly the Count-Min Sketch, to bound memory usage. The tool can raise an alarm when a domain exceeds a threshold number of queries within a short time interval. In this presentation we also seek feedback from the DNS-OARC community about possible strategies for using this tool to counter flooding attacks.
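The counting scheme the abstract describes, as an added illustration that is not the authors' libmoon/LuaJIT tool: queries are parsed from DNS wire format, the qname is counted in a Count-Min Sketch whose memory is fixed by the (epsilon, delta) parameters rather than by the number of distinct names, the sketch is reset every interval, and an alarm is raised the first time a qname's estimated count in the interval exceeds a threshold. The sketch parameters, the threshold, the interval length, the per-interval reset and the traffic stream are assumptions chosen for the demonstration; the real tool's parameters are not given on this page.

```python
"""Count-Min Sketch detection of over-queried domains (added example, not the
authors' code). Sketch parameters, threshold, interval and traffic are assumed."""
import hashlib
import math
import struct


def parse_qname(message: bytes) -> str:
    """Return the first question's QNAME (lower-cased, dotted) from a DNS query
    in wire format. Question names in queries are never compressed."""
    offset = 12  # fixed-size DNS header
    labels = []
    while True:
        length = message[offset]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        offset += 1
        labels.append(message[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS A/IN query for qname (constructed sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)


class CountMinSketch:
    """d rows of w counters, one hash per row. An estimate is never below the
    true count and exceeds it by more than epsilon * total with probability
    at most delta; memory is d * w counters regardless of the number of keys."""

    def __init__(self, epsilon: float, delta: float):
        self.width = math.ceil(math.e / epsilon)
        self.depth = math.ceil(math.log(1.0 / delta))
        self.table = [[0] * self.width for _ in range(self.depth)]
        self.total = 0

    def _index(self, row: int, key: str) -> int:
        # Independent hash per row: prefix the key with the row number.
        digest = hashlib.blake2b(row.to_bytes(2, "big") + key.encode("utf-8"),
                                 digest_size=8).digest()
        return int.from_bytes(digest, "big") % self.width

    def add(self, key: str, count: int = 1) -> int:
        """Add count occurrences of key and return the updated estimate."""
        self.total += count
        estimate = None
        for row in range(self.depth):
            cell = self._index(row, key)
            self.table[row][cell] += count
            value = self.table[row][cell]
            estimate = value if estimate is None else min(estimate, value)
        return estimate

    def estimate(self, key: str) -> int:
        return min(self.table[row][self._index(row, key)]
                   for row in range(self.depth))


def detect_flooding(queries, threshold, interval, epsilon=0.001, delta=0.01):
    """queries: iterable of (timestamp_seconds, raw_dns_query). A fresh sketch is
    used per interval; returns (interval_start, qname, estimate) for the first
    query that pushes a qname's estimated count over the threshold."""
    alarms = []
    sketch, window_start, alarmed = None, None, set()
    for ts, message in queries:
        start = math.floor(ts / interval) * interval
        if start != window_start:
            sketch, window_start, alarmed = CountMinSketch(epsilon, delta), start, set()
        qname = parse_qname(message)
        estimate = sketch.add(qname)
        if estimate > threshold and qname not in alarmed:
            alarmed.add(qname)
            alarms.append((start, qname, estimate))
    return alarms


def sample_stream():
    """Constructed traffic: 300 queries in the first second, two thirds of them
    for victim.example and the rest for 100 distinct names, then a quiet second
    with only 20 queries for victim.example."""
    stream = []
    for i in range(300):
        qname = f"r{i}.example" if i % 3 == 0 else "victim.example"
        stream.append((i / 300.0, build_query(qname)))
    for i in range(20):
        stream.append((1.0 + i / 20.0, build_query("victim.example")))
    return stream


if __name__ == "__main__":
    for start, qname, estimate in detect_flooding(sample_stream(), 50, 1.0):
        print(f"[t={start:.0f}s] {qname}: about {estimate} queries in the interval")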

https://hal.archives-ouvertes.fr/hal-01581498
Contributor: Bibliothèque Télécom Bretagne
Submitted on: Monday, September 4, 2017 - 5:57:00 PM
Last modification on: Friday, September 13, 2019 - 9:50:55 AM

Identifiers

  • HAL Id: hal-01581498, version 1

Citation

Santiago Ruano Rincon, Sandrine Vaton, Stéphane Bortzmeyer. A software-based approach to reproduce and detect flooding attacks against DNS. RIPE 74 2017: RIPE NCC meeting - Réseaux IP Européens, May 2017, Budapest, Hungary. ⟨hal-01581498⟩
