KarmaNet: SDN Solution to DNS-Based Denial-of-Service

Networks are fundamentally designed to share network resources efficiently among end-users. The Internet has created a global communication and computational environment by interconnecting billions of computers, and people depend on it to exchange professional, personal, confidential, and valuable information with other network users. Because of this high dependency, attackers often exploit its weaknesses to paralyze crucial segments of the Internet. The Domain Name System (DNS) is one such segment: its proper functioning is essential for the Internet as a whole to work. Attackers often exploit vulnerabilities of the Internet and of DNS to launch large-scale Distributed Denial of Service (DDoS) attacks that disrupt network services. Such DNS-based DDoS attacks generally rely on IP spoofing to bombard a target network or host with attack packets until it is paralyzed. In this paper we present a novel DDoS attack prevention mechanism, KarmaNet, that uses the flexibility and programmability of Software Defined Networks (SDN). Its principal idea is to route each DNS response packet along the same path that the corresponding DNS request packet used, independently of the destination IP address carried in the response. As a result, a malicious host that launches such an attack with a spoofed source address receives the responses itself, so the attack self-destructs. Simulation results showed that KarmaNet reduced network delay by 41% while the network was experiencing a DDoS attack. As any security mechanism comes at a cost, the simulations of the proposed mechanism also showed that it introduces an additional delay of 8%–9% in obtaining DNS responses compared to the current DNS structure.
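The following toy model illustrates the forwarding rule described above; it is an added example, not code from the KarmaNet paper. It assumes a single switch that keys each DNS query by (resolver IP, client UDP port, DNS transaction ID) and remembers the ingress port; all IP addresses, port numbers and the spoofed-query scenario are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int       # UDP source port
    dst_port: int       # UDP destination port (53 for a query)
    txid: int           # DNS transaction ID
    is_response: bool   # DNS QR bit

class KarmaSwitch:
    """Toy SDN switch: a DNS response leaves on the port its query came in on."""
    def __init__(self, ip_routes: Dict[str, int]):
        self.ip_routes = ip_routes            # ordinary dst-IP -> egress port table
        self.pending: Dict[Tuple, int] = {}   # query key -> ingress port of that query

    def handle(self, pkt: Packet, in_port: int) -> Optional[int]:
        """Return the egress port for pkt, or None to drop it."""
        if pkt.dst_port == 53 and not pkt.is_response:
            # Query: record the port it physically arrived on. The (possibly
            # spoofed) src_ip is deliberately not part of the key.
            self.pending[(pkt.dst_ip, pkt.src_port, pkt.txid)] = in_port
            return self.ip_routes.get(pkt.dst_ip)
        if pkt.src_port == 53 and pkt.is_response:
            # Response: match it to its query and send it back the same way,
            # ignoring dst_ip. No matching query means unsolicited: drop it.
            return self.pending.pop((pkt.src_ip, pkt.dst_port, pkt.txid), None)
        return self.ip_routes.get(pkt.dst_ip)   # non-DNS traffic: normal routing

def spoofed_query_demo() -> Tuple[Optional[int], Optional[int]]:
    """Constructed scenario: a host on port 1 sends a query whose source IP is
    forged as the victim (10.0.0.5, on port 2); resolver 10.0.0.53 is on port 3.
    Returns (port chosen by KarmaSwitch, port chosen by plain dst-IP routing)."""
    routes = {"10.0.0.9": 1, "10.0.0.5": 2, "10.0.0.53": 3}
    sw = KarmaSwitch(routes)
    query = Packet("10.0.0.5", "10.0.0.53", 40000, 53, 0x1234, False)
    assert sw.handle(query, in_port=1) == 3           # forwarded to the resolver
    reply = Packet("10.0.0.53", "10.0.0.5", 53, 40000, 0x1234, True)
    karma_port = sw.handle(reply, in_port=3)          # returns to port 1, the real sender
    conventional_port = routes[reply.dst_ip]          # would have reached the victim on port 2
    return karma_port, conventional_port

def unsolicited_reply_demo() -> Optional[int]:
    """A response with no recorded query is dropped (returns None)."""
    sw = KarmaSwitch({"10.0.0.5": 2})
    return sw.handle(Packet("10.0.0.53", "10.0.0.5", 53, 40000, 0x9999, True), in_port=3)
```

The pending table is the cost side of the trade-off: each outstanding query consumes state until its response arrives, which is one source of the extra response delay the abstract reports.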
