A software-based approach to reproduce and detect flooding attacks against DNS
- Source :
- RIPE 74 2017: RIPE NCC meeting - Réseaux IP Européens, May 2017, Budapest, Hungary, HAL
- Publication Year :
- 2017
- Publisher :
- HAL CCSD, 2017.
Abstract
- In this presentation we show our ongoing work to develop a testbed (based on software and commodity hardware) for researching flooding attacks against DNS infrastructure. We have currently developed two prototype components: a flooding DNS query generator, able to saturate 10GbE links with 11Mrps, and an online detector of overabundant queried domains at reception. Relying on DPDK and libmoon (a LuaJIT framework for DPDK), these two tools run on commodity hardware while optimizing the number of packets that we can handle at transmission and reception. Both the generation and reception tools run Lua scripts, achieving a high level of flexibility. In this presentation we show some lessons we are learning, compare the generator against other available tools, and present some unexpected results: for example, a slower software query generator has a stronger impact on a Bind server than our current flooding tool (650Krps versus 10Mrps). We also describe how we count the number of queries per domain at reception under 11Mrps traffic, with reduced packet losses. Given the high number of possible elements to analyse from the DNS messages (IP addresses, random qnames), we make use of statistical tools, mainly CountMin-Sketch, to restrict the use of memory space. This tool can trigger an alarm when a domain exceeds a threshold of queries within a small interval of time. In this presentation we also look for feedback from the DNS-OARC community about possible strategies for using this tool to counter flooding attacks.
- Subjects :
- Detection
[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR]
[INFO.INFO-NI]Computer Science [cs]/Networking and Internet Architecture [cs.NI]
DNS
ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS
Flooding attacks
Load testing
[INFO.INFO-HC]Computer Science [cs]/Human-Computer Interaction [cs.HC]
[INFO.INFO-DC]Computer Science [cs]/Distributed, Parallel, and Cluster Computing [cs.DC]
DPDK
Details
- Language :
- French
- Database :
- OpenAIRE
- Journal :
- RIPE 74 2017: RIPE NCC meeting - Réseaux IP Européens, May 2017, Budapest, Hungary, HAL
- Accession number :
- edsair.dedup.wf.001..e536e1849c48432d038cc7052d6c75c3