The paper discusses about one of the many DNS failures which can cause disruption for the efficient functioning of the network.One of the most challenging problems faced today is DNS amplication attacks.DNS amplication attacks mainly utilises IP spoofing and a larger number of open recursive DNS servers to carry out these attacks.The consequences of these attacks are disruption of transmission rate,consumption and wastage of bandwidth.There are a lot of "misconfigured" DNS servers out there. Most DNS servers should be answering for their own domain or its own network.If it is asked to do anything else the DNS should firmly say "Denied".The DNS attacks exploit name servers that allow open recursion.Recursion is a method of processing a DNS request in which a name server performs the request for a client by asking the authoritative name server for the name record. Recursion is not inherently bad; however, recursion should only be provided for a trusted set of clients. Name servers that perform (open) recursion for any host provide attackers with an easily exploitable vector. In the attacks observed, the attacker's goal is to saturate the targeted name server operator's communications infrastructure rather than the name servers themselves. Name server operators typically have large access circuits, so launching an attack from a single source is unlikely to accomplish this goal. As it is difficult to defend against this attack by eliminating the open recursive DNS servers and IP spoofing,one of the intelligent solutions to counter this attack is to defend against it at the edge or leaf router of the victim's ISP or organization.The paper states that [ref] "An efficient and low-hardware approach to first detect the DNS amplification attack accurately and more precisely."One the problem is identified an filter is used to remove illegitimate DNS responses by making use of two-bloom filter solution.This method shows that the memory cost and the hardware approach is both feasible to defend against these attacks.A Distributed denial of service attack(DDoS) is an attack which attempts to infect to end systems like web servers,routers and makes the computer resources unreachable for the intended users. Since DNS is protocol which tranlates host names to IP addresses and distributed denial of service attacks(DDoS) is mainly carried out on root servers,the extent of this damage has far more consequences than others.Lack of authencity of the IP protocol,destination oriented routing and stateless nature of the internet are the primary weaknesses which feed these attacks and helps them to cause havoc to the entire network.These attacks can be classified into two types.One is to directly flood the DNS servers such as root servers,TLD servers with large number of DNS requests or by allowing useless traffic.As DNS servers cannot legitimate between the good and bad requests it accepts both the requests and gives responses.Due to overhead of large amount of requests it uses over-provision to defend against these attacks.Over-provisioning is carried out on computer resources such as network capacity and web servers.The scecond attack can be overcomed by using the exploited recursive DNS server and amplify all the traffic to a certain target system.Large number of DNS query messages are sent by the attacker using the IP address of the victim.This is called IP spoofing.One of the ways to tackle Ddos is to prevent IP spoofing.Some of the ways of handling such attacks are:[ref]
Use an access control list to deny private IP addresses on your downstream interface.
Implement filtering of both inbound and outbound traffic.
Configure your routers and switches, if they support such configuration, to reject packets originating from outside your local network that claim to originate from within.
Enable encryption sessions on your router so that trusted hosts that are outside your network can securely communicate with your local hosts.
The paper discussses as to how to counterattack on these issues.The researchers proposes Detection and Filter mechanism to prevent such attacks.They say that the semantic DNS one-to-one mapping can be exploited by elimination request-responses in order to remove complexity and storage problems.In the Detection phase,the DNS amplification attacks are detected with high accuracy and at a low cost.If the amplification attacks exceeds the threshold value then an filter is used to distinguish the legitimate responses from the attack with an affordable computation and memory test.To demostrate the amplification attack an attacker controls a Botnet comprising of many open recursive DNS recusrsive servers.In such attacks a DNS encapsulated within an 60-byte datagram could be answered with as much as 4000-byte response due to the effect of EDNS.The wikipedia definition for EDNS states that [ref2]
"Extension mechanisms for DNS (EDNS) is a specification for expanding the size of several parameters of the (DNS) protocol that had size restrictions that the Internet engineering community deemed too limited in the increasing functionality of the protocol. The first set of extensions was published in 1999 by the Internet Engineering Task Force as RFC 2671, also known as EDNS0.
The root causes of the DNS amplification attacks which is discussed in the paper can be categorised into three points.Open recursiveness of DNS servers and its arbitrary queries,secondly,the Internet architecture is such that IP spoofing canoot be prevented and thirdly DNS used User datagram Protocol on port number 53 so due to the connectionless nature of UDP and as it does it not use three-way handshake to check for verification of communication of communicating parties it is difficult for an security application to detect and filter these attacks.ICANN SSAC has come up with a solution in which the security application utilizes source IP address verification,advanced security for the open recursive servers from external sources.But the main weaknesses is that the deployment of such measures on the ISP's is a tough task.Therefore,the main solution considering all these drawbacks is to create an efficient low cost hardware to counter these amplification attacks.The other weaknesses is that there is less research activities taking place in this field.Some of the main research activities are mechanism to detect IP spoofing using origin of cookies.To maintain these cookies we need a huge database which would eventually become unscalable.
DETECTION AND FILTER SCHEME REVISITED
In the Detection scheme,One DNS request generates one response message.As we explained earlier,the detection scheme works only if the attack computers and open recursive servers are outside of the protected ISP organisation.
MONITORING AND DETECTION
1.)IP packet without fragmentation.
2.)DNS packet with UDP and source destination port is 53.
3.)For outgoing DNS request packet,Destination port is 53 and the response flag is set to zero.
4.)For incoming DNS request packet,Destination port is 53 and the response flag is set to one.
In the Filtering scheme,the main idea is to efficiently store outgoing requests.If the incoming response cannot match a matched request,it can be classified as the attacked response.
The strengths of this research paper are:
1.)Hardware mechanism at low-cost.
2.)The mechanism is implemented only at the leaf router and not all the end systems.
3.)Eliminating IP spoofing.
4.)Using TCP when required or when perceiving an attack.
5.)Since UDP is the default protocol used for DNS,the strength of this protocol can be increased using this mechanism.
6.)Detection and Filter scheme is simple and easy to implement by people who have sound knowledge about networking.
