论文信息 - Protecting against DNS Reflection Attacks with Bloom Filters

Protecting against DNS Reflection Attacks with Bloom Filters

Nowadays the DNS protocol is under the attention of the security community for its lack of security and for the flaws found in the last few years. In the Internet scenario, the reflection/amplification is the most common and nasty attack that requires very powerful and expensive hardware to be protected from. In this paper we propose a robust countermeasure against this type of threats based on Bloom filters. The proposed method is fast and not too eager of resources, and has a very low error rate, blocking 99.9% of attack packets. The mechanism has been implemented within a project by Telecom Italia S.p.A., named jdshape, based on Juniper Networks® SDK.

Dario Lombardo | Sebastiano Di Paola

[1] Kang Li,et al. Approximate caches for packet classification , 2004, IEEE INFOCOM 2004.

[2] Mark Handley,et al. Internet Denial-of-Service Considerations , 2006, RFC.

[3] Michiel H. M. Smid,et al. On the false-positive rate of Bloom filters , 2008, Inf. Process. Lett..

[4] S. Gritzalis,et al. A Fair Solution to DNS Amplification Attacks , 2007, Second International Workshop on Digital Forensics and Incident Analysis (WDFIA 2007).

[5] Mark Handley,et al. Steps towards a DoS-resistant internet architecture , 2004, FDNA '04.

[6] Li Fan,et al. Summary cache: a scalable wide-area web cache sharing protocol , 2000, TNET.

[7] Yossi Azar,et al. Algorithms - ESA 2006, 14th Annual European Symposium, Zurich, Switzerland, September 11-13, 2006, Proceedings , 2006, ESA.

[8] Bin Liu,et al. Efficient and Low-Cost Hardware Defense Against DNS Amplification Attacks , 2008, IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference.

[9] Michael Mitzenmacher,et al. Less Hashing, Same Performance: Building a Better Bloom Filter , 2006, ESA.

[10] Vern Paxson,et al. An analysis of using reflectors for distributed denial-of-service attacks , 2001, CCRV.

[11] Paul V. Mockapetris,et al. Domain names - implementation and specification , 1987, RFC.

[12] David Hutchison,et al. Scalable Bloom Filters , 2007, Inf. Process. Lett..

[13] Burton H. Bloom,et al. Space/time trade-offs in hash coding with allowable errors , 1970, CACM.