What is the name of the attack in which an attacker sends a series of DNS requests whose spoofed source address is the target host?

BIND security

Allan Liska, Geoffrey Stowe, in DNS Security, 2016

Response Rate Limiting

No organization wants its authoritative DNS server to be used in a Distributed Denial of Service (DDoS) amplification attack, but the fact is that any authoritative server is a potential target for attackers. To that end, BIND introduced the concept of Response Rate Limiting (RRL) in version 9.10. RRL limits the number of queries from a host that the authoritative name server will respond to over a given period of time.

RRL in BIND requires at least version 9.10, and BIND must be compiled with --enable-rrl during the configure phase of the install. Once BIND has been compiled with RRL support enabled, activating it is as simple as adding a statement to the options section of the named.conf file:

rate-limit {responses-per-second 5;};

This code snippet limits the number of responses sent to any one host to 5 per second. Remember, from Chapter 4, the way a DNS amplification attack works is that the attacker launches millions of small forged queries that appear to originate from the target of the attack. The authoritative server's response is much larger, and all of those responses are directed at the target. By limiting the number of queries per host that the authoritative server will respond to, the DNS amplification attack is muted.

There is a danger in limiting the number of responses: it may create false negatives, in other words the DNS server may drop legitimate traffic.

To that end, BIND provides a way to test the configuration before enforcing it, by enabling log-only mode and checking whether legitimate traffic would be dropped under the new rule:

 rate-limit {
      responses-per-second 5;
      log-only yes;
 };

That snippet implements the same rule, but it will only log the results, not drop any traffic.

BIND also provides the option to make exemptions to this rule for certain hosts. For example, the secondary name server or the organization’s mail server may need to make frequent queries to the DNS server. In cases like that DNS administrators can add an exemption statement, such as the following:

 rate-limit {
      responses-per-second 5;
      exempt-clients {10.100.50.8;};
 };

This will allow the DNS server to respond to any query made by 10.100.50.8, no matter how many queries are made per second.


URL: https://www.sciencedirect.com/science/article/pii/B9780128033067000073

Introduction

Mohammad Reza Khalifeh Soltanian, Iraj Sadegh Amiri, in Theoretical and Experimental Methods for Defending Against DDOS Attacks, 2016

Abstract

Denial of service (DoS) attacks are now one of the biggest issues on the Internet. The distributed denial of service (DDoS) Smurf attack is an example of an amplification attack, where the attacker sends packets to a network amplifier with the return address spoofed to the victim’s IP address. One of the major properties of our solution for identifying and mitigating DDoS attacks, which distinguishes it from other solutions, is the manner in which routers and firewalls communicate with each other to reduce the false rejection rate (FRR) and false acceptance rate (FAR) as much as possible. Attackers are able to break into hundreds or thousands of computers or machines and install their own tools to abuse them. The objective of this project is to propose a practical algorithm that allows routers to communicate and collaborate over the network to detect and distinguish DDoS attacks. This algorithm allows the detection of DDoS attacks on servers as well as identifying and blocking the attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9780128053911000018

Windows DNS security

Allan Liska, Geoffrey Stowe, in DNS Security, 2016

Windows and DDoS

As discussed earlier in the book, DDoS attacks are a common problem for DNS infrastructure. Networks can be involved either as the target of the attack or as an unwitting participant, and administrators should prepare for either scenario. On Windows there are three areas to explore: so-called “out of bailiwick” responses, response rate limiting (RRL), and BCP-38 configuration. As of 2016, all three are still under active discussion in the DNS community, so recommendations may change based on new developments.

If a server is configured as an authoritative name server but not a recursive resolver, how should it respond to recursive requests? More technically, how should it respond to requests for which it is nonauthoritative? One approach is to ignore them or return an error. Historically DNS has taken the approach of always trying to provide useful information, so such a server will often return an “upward referral response” that contains the root hints file, the logic being that the client can query the root to start finding the actual authoritative server. These responses are called “out of bailiwick” because the server is not authoritative for them. In reality, most resolvers will ignore out-of-bailiwick responses, since they can be considered a form of cache pollution. And while seemingly innocuous, the practice of returning root hints can be used in DNS amplification attacks, since it is a relatively large response. An attacker would take advantage of this by querying DNS servers for nonauthoritative or nonexistent domains. A best practice for administrators is to disable this behavior, since it provides little benefit to clients. As of Server 2016, Windows will respond with an error by default. On earlier versions, administrators can disable the behavior by deleting the root hints file [13].

Another addition in Windows Server 2016 is what is called RRL. The motivation is to mitigate DDoS attacks by capping how many packets a server will send to a particular IP. Instead of generating responses at line speed, a server will only send (by default) five identical responses per second to any given client. By default this is disabled, but it can be turned on with the command “Set-DNSServerRRL.” The rules can be further tweaked to limit how many error messages are sent per second, how many IPs should be grouped together for filtering, and how often the filters should be overridden to allow responses to “leak” out [14]. The leak rate helps prevent RRL itself from being exploited as a DoS vector. For example, if an attacker knew that the IP address 1.1.1.1 used the DNS server 2.2.2.2, it could launch what appears to be a DDoS attack against 1.1.1.1 using spoofed packets sent to 2.2.2.2. If the DNS server used RRL, it would then dutifully block further queries from 1.1.1.1 (assuming the attacker used domains the target would be legitimately querying). This could turn a relatively small DDoS attack into a complete lack of access to DNS. As described by Paul Vixie and Vernon Schryver in their memo on RRL, “LEAK-RATE must be from 2 to 10 and should approximate the real victim’s retry count on a legitimate query.” [15]
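The limits described in the BIND section above (responses-per-second, log-only, exempt-clients) and here for Windows (grouping clients by prefix, a leak rate) can be modelled in a few dozen lines. The following Python simulation is an addition to this page, not BIND's or Microsoft's code; the addresses, the query stream and the 3000-byte response size are constructed, and its leak-rate rule (every Nth over-limit response is still sent) is a simplification of the real options.

```python
"""Model of DNS Response Rate Limiting (RRL): per-second limit, log-only, exemptions, leak rate."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

VICTIM = "203.0.113.10"       # constructed (TEST-NET-3) address used as the spoofed source
SECONDARY = "10.100.50.8"     # the exempted secondary from the BIND example above


@dataclass
class RRLConfig:
    responses_per_second: int = 5   # BIND responses-per-second / Windows ResponsesPerSec
    leak_rate: int = 0              # 0 = never leak; N = let every Nth over-limit response through
    log_only: bool = False          # BIND "log-only yes" / Windows log-only mode
    exempt_clients: tuple = ()      # BIND exempt-clients, as address or CIDR strings
    ipv4_prefix_length: int = 24    # clients are grouped by this prefix before counting


class ResponseRateLimiter:
    """Counts identical responses per (second, client prefix, qname, qtype) bucket."""

    def __init__(self, cfg: RRLConfig):
        self.cfg = cfg
        self.exempt = [ipaddress.ip_network(c, strict=False) for c in cfg.exempt_clients]
        self.sent = defaultdict(int)        # responses already sent in a bucket
        self.over = defaultdict(int)        # responses over the limit in a bucket
        self.log = []                       # what log-only mode reports instead of dropping

    def _bucket(self, t, client, qname, qtype):
        prefix = ipaddress.ip_network(f"{client}/{self.cfg.ipv4_prefix_length}", strict=False)
        return (int(t), prefix, qname.lower(), qtype)

    def decide(self, t, client, qname, qtype):
        """Verdict for one would-be response: 'respond', 'drop' or 'leak'."""
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in self.exempt):
            return "respond"                # exempt clients bypass the limit entirely
        key = self._bucket(t, client, qname, qtype)
        if self.sent[key] < self.cfg.responses_per_second:
            self.sent[key] += 1
            return "respond"
        self.over[key] += 1
        if self.cfg.leak_rate and self.over[key] % self.cfg.leak_rate == 0:
            return "leak"                   # every Nth over-limit response still goes out
        if self.cfg.log_only:
            self.log.append((t, client, qname, qtype))
            return "respond"                # only logged; nothing is actually withheld
        return "drop"


def run(cfg, queries, req_bytes=64, resp_bytes=3000):
    """queries: (t, src_ip, qname, qtype, legit) tuples in arrival order. Returns a stats dict."""
    rrl = ResponseRateLimiter(cfg)
    stats = {"respond": 0, "drop": 0, "leak": 0, "bytes_sent": 0, "legit_answered": 0}
    for t, src, qname, qtype, legit in queries:
        verdict = rrl.decide(t, src, qname, qtype)
        stats[verdict] += 1
        if verdict != "drop":
            stats["bytes_sent"] += resp_bytes     # goes to the (possibly spoofed) source
            stats["legit_answered"] += int(legit)
    stats["bytes_received"] = req_bytes * len(queries)
    stats["logged"] = len(rrl.log)
    return stats


def amplification_stream(n):
    """n spoofed ANY queries within one second, all claiming to come from VICTIM (constructed)."""
    return [(i * 0.001, VICTIM, "example.com", "ANY", False) for i in range(n)]


def flood_then_retries():
    """12 spoofed queries, then three genuine retries from VICTIM in the same second."""
    return amplification_stream(12) + [
        (t, VICTIM, "example.com", "ANY", True) for t in (0.5, 0.6, 0.7)]


def secondary_stream(n):
    """n SOA checks from the secondary name server, which should never be limited."""
    return [(i * 0.001, SECONDARY, "example.com", "SOA", True) for i in range(n)]


if __name__ == "__main__":
    flood = amplification_stream(100)
    for label, cfg in (("no RRL", RRLConfig(responses_per_second=10**9)),
                       ("RRL 5/s", RRLConfig(responses_per_second=5)),
                       ("log-only", RRLConfig(responses_per_second=5, log_only=True))):
        s = run(cfg, flood)
        print(f"{label:9s} in={s['bytes_received']}B out={s['bytes_sent']}B "
              f"dropped={s['drop']} logged={s['logged']}")
    print("exempt secondary answered:",
          run(RRLConfig(exempt_clients=(SECONDARY,)), secondary_stream(100))["respond"])
    for leak in (0, 3):
        s = run(RRLConfig(leak_rate=leak), flood_then_retries())
        print(f"leak_rate={leak}: victim's genuine retries answered = {s['legit_answered']}")
```

The last scenario is the failure mode described above: with no leak the victim's own retries are dropped along with the flood, while a leak rate lets one of them through.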

When large-scale DDoS attacks take place against DNS infrastructure, a common refrain is that the problem would be largely fixed if everyone implemented BCP-38. In fact, its title is “Defeating Denial of Service Attacks which employ Address Spoofing.” BCP-38 is essentially a set of network-level filters, such as verifying the reputed source IP on a packet is within the range of IPs connected to an interface. If, for example, an ISP sees many packets coming from a residential customer with the source IP of a government web site, it should be able to tell that those are spoofed. Since these are network-level filters there are not too many direct implications for a Windows administrator. It is simply another available tool when setting up a security plan.


URL: https://www.sciencedirect.com/science/article/pii/B9780128033067000085

Domain name system security and privacy: A contemporary survey

Aminollah Khormali, ... David Mohaisen, in Computer Networks, 2021

3.1 Amplification and DoS attacks

A DNS amplification attack is a reflection-based DDoS attack. In DNS, an amplification attack is done by issuing a small number of DNS queries that are later transformed into a considerably large payload coordinated at the target network. The high level architecture of a typical DNS amplification attack is demonstrated in Fig. 3. The attacker hides the exploit source and directs the DNS response into the target address through spoofing look-up requests issued to DNS servers. It is difficult to defend against such an attack, since it originates from legitimate servers with legitimate traffic.

A wide variety of research works have been conducted to detect and mitigate DNS amplification attacks [7–15,81,82]. For instance, Ballani et al. [8] have presented a simple method based on caching behavior analysis of DNS resolvers to defend against DNS DoS attacks. They store cached records with their TTL in a stale cache. The stale cache can then be used by a resolver that does not receive any response from the authoritative name servers. Herzberg et al. [10] have designed an anti-reflection system, providing DNS authentication, which nullifies the amplification factor of the DNS responses abused for DoS attacks. DNS authentication is composed of two subsystems, namely request authentication, which detects and filters requests sent from spoofed IP addresses, and resolver authentication, which maintains a list of potentially compromised hosts. They have deployed the resolver authentication as a cloud-based service to further reduce costs and provide additional defenses for DNS servers. Furthermore, Rijswijk-Deij et al. [82] investigated the potential for abuse of DNSSEC-signed domains at a large scale, covering 70% of all signed domains in operation. Their analysis demonstrates that DNSSEC in fact empowers DNS amplification attacks for a particular query type, ANY. In addition, Rossow [81] has investigated Distributed Reflective Denial-of-Service (DRDoS) attacks by revisiting well-known UDP-based protocols, including network services, online games, file sharing networks, and botnets, to assess their security against DRDoS abuse. His analysis revealed that attackers had already started abusing 14 protocols through bandwidth amplification, multiplying the traffic up to a factor of 4670.

MacFarland et al. [11] examined a large number of domains (129M) and authoritative servers (1.1M) to investigate the inherent DNS amplification risks associated with DNS authoritative name servers. Their analysis showed that only a small number of authoritative servers (3.8%) are responsible for the highest amplification factors. In addition, their analysis revealed that adoption of DNS response rate limiting is limited to less than 3% of authoritative servers. Finally, they suggested tunneling to a remote resolver as a straightforward and simple countermeasure to mitigate an ongoing attack at the organization level. Verma et al. [14] have utilized the fact that DNS resolvers share the local DNS query rates to propose an amplified DNS attack mitigation system called Distributed Rate Sharing-based Amplified DNS-DDoS Attack Mitigation (DRS-ADAM). The authors claim that DRS-ADAM detects and completely stops an amplified DNS attack by imposing DNS query rate sharing among the resolvers involved in an attack. DRS-ADAM has several advantages: easy deployment, robustness against manipulation, and attack mitigation.


Fig. 3. High-level architecture of a typical DNS amplification attack. A small number of DNS queries is transformed into a significantly larger payload directed at the target network.

Table 2. Summary of representative work that studied DNS amplification attacks; RL is Response Latency, ID is Input Data, and O(1,2,3) denotes other disadvantages: (1) modification of standard DNS resolver semantics, (2) third-party organizations, and (3) low detection accuracy.

Work   Method                   Advantages                 Disadvantages (RL / ID / O(1,2,3))
[7]    sFlow/SDN                Near real-time detection
[8]    Stale cache              Simple, lightweight        (1)
[9]    One-to-one mapping       Complete mitigation
[10]   DNS authentication       Cloud-based service
[11]   Tunnel/remote resolver   Legacy compatible          (2)
[13]   ML/domain features       Small feature space        (3)
[14]   DRS-ADAM                 Easy deployment
[15]   RADAR                    Real-time detection

Aizuddin et al. [7] have incorporated sFlow with security-centric SDN features to analyze DNS query identifiers (IDs) for detecting and mitigating DNS amplification attacks in a timely manner. Their analysis showed that the proposed method provides accurate detection results (more than 97.0%) even with a small number of flow values (DNS attributes). Kim et al. [9] have presented a DNS amplification attack mitigation system based on a strict one-to-one mapping between DNS requests and responses, in order to identify orphan DNS responses. Their analysis showed that the proposed solution removes the possibility of false-positive packets. Erhan et al. [83] have presented a new DDoS detection approach employing the Matching Pursuit algorithm for the detection of resource-depletion DDoS attacks. Their proposed algorithm is able to detect low-density DDoS attacks.

Zheng et al. [15] have proposed Reinforcing Anti-DDoS Actions in Real-time (RADAR) which detects various DDoS attacks, such as link flooding, SYN flooding, and UDP-based amplification attacks. They do so through adaptive correlation analysis on commercial off-the-shelf SDN switches. RADAR does not require any changes in the SDN protocols and switches deployed in the network today, nor does it require additional appliances to detect attacks, making it an easy-to-plug solution in today’s operations.

Truong et al. [13] analyzed DNS traffic to design a detection system that distinguishes pseudo-random domain names, such as those used by Conficker and Zeus, from legitimate domain names. The proposed detection system is composed of two main subsystems: feature extraction and classification. The length of domain names and their expected values form the feature space, and the classification section is composed of several classification algorithms, e.g., RF, KNN, SVM, and NB.

Recently, Lu et al. [84] have presented range-based amplification attacks, which allow attackers to overwhelm both the outgoing bandwidth of origin servers deployed behind CDNs and the bandwidth of CDN surrogate nodes. Furthermore, Chang et al. [85] have presented a query-crafting attack in which the attacker controls the DNS query payload to increase the threat impact per query.

Discussion. Despite the large body of research work on the detection and mitigation of DNS amplification and DoS attacks, such attacks are still prevalent and compromising today’s Internet. Table 2 summarizes the proposed methods in the literature and their strengths and weaknesses. Shortcomings of the proposed methods, which would require further attention from the community, can be summarized as follows:

1. Increasing response latency due to the detection process, which requires lightweight and latency-sensitive detectors [7,9–11].

2. Requiring a range of changes to DNS resolvers and their semantics [8], which calls for work that addresses legacy compatibility or requires very few such changes.

3. Requiring a large number of IP addresses to be collected every day [12], or a large number of flow rules [15], which calls for aggregate and lightweight feature-engineering methods.

4. Low detection accuracy, in some cases [13], which calls for improving accuracy through multi-modality of detection features.


URL: https://www.sciencedirect.com/science/article/pii/S1389128620313001

A review of amplification-based distributed denial of service attacks and their mitigation

Salih Ismail, ... Hind Zantout, in Computers & Security, 2021

3 Amplification-based distributed denial of service (ADDoS)

From the traditional command and control style attack, DDoS attacks have evolved into amplification attacks. This has been the most common type of DDoS attack in recent years (Akamai, 2018; Musil Steven, 2014; Prince Matthew, 2014). There are two essential aspects to this type of attack:

1. Reflection: The attacker spoofs the IP packets (IP spoofing), changing the source address to the IP of the victim, and sends them to some third-party entity on the Internet.

2. Amplification: The third-party entities on the Internet which provide services (mostly legitimate services such as DNS servers) respond with a bigger packet than the one they received and send it to the victim, because the source IP address is that of the victim. In general the attacker chooses a query that provides bigger responses. The spoofed packet is generally a query, and the reflector replies to the victim with an amplified response (Colella and Colombini, 2014).

Fig. 6 shows the link between a reflector and an amplifier. A reflector would only act as a machine that allows IP spoofing, sending a response to the victim. However, an amplifier would not only be able to reflect but also to amplify the response thus creating more damage.


Fig. 6. Link between reflector and amplifier in ADDoS.

Therefore, a reflector only allows the source IP to be spoofed to target a victim. An amplifier is also a reflector, but one that additionally sends a response of a bigger size than the initial query.

We can observe in the literature (for instance, Ryba et al., 2015) that DrDoS (Distributed reflective Denial of Service) is the name given to the amplification attack. However, the reflector also amplifies the packet, so the name does not quite cover that aspect of amplification.

Fig. 7 shows how an ADDoS attack is carried out. The main difference between a traditional DDoS attack and an ADDoS attack is the lack of a Command and Control Center. Furthermore, every query packet that is sent by the attacker is spoofed with the IP address of the victim.


Fig. 7. ADDoS attack architecture.

Based on our review of the related literature and attack software, we describe the attack process as follows in Fig. 8.


Fig. 8. Initiating and launching an ADDoS attack.

1. Scanning for reflectors: The attacker scans the Internet for public IP addresses that respond to a spoofed packet. The attacker spoofs the packet, changing the source address to one of its own IPs, and broadcasts this packet on the Internet or on a particular subnet. The attacker then goes on to collect the IP addresses of reflectors that replied to the source address. This means these third-party entities allow IP spoofing.

2. Building the attack vector: Generally the attacker uses common protocols that allow for amplification, such as DNS, NTP, CharGen and many more. The attacker tries to combine various protocols to build a bigger and stronger attack vector. The attacker would try to collect as many reflectors as possible that allow for the most protocols.

3. Consolidating the attack vector: The attacker compiles and consolidates the list of reflectors and the amplification each performs based on various protocols. There would be many variables that are still unknown to the attacker at this point: for instance, the maximum bandwidth available to these reflectors, whether there is a timeout session for replies, or whether the reflector blacklists sources that send continuous queries. The attacker might still be able to estimate the approximate attack size.

4. Performing the attack: At this point the attacker spoofs packets for all the protocols, changing the source IP address to that of the victim. The attacker then sends the query packets to the reflectors and awaits the impact on the victim. Steps (i), (ii) and (iii) might be performed by the attacker in advance.

3.1 Protocol breakdown

The protocols generally chosen to perform amplification attacks are UDP-based. The three-way handshake and the difficulty of achieving amplification in TCP are the main hindrances to TCP-based amplification attacks. However, Kührer et al. (2014b) have demonstrated that TCP-based protocols could also be used for amplification attacks. A classification of the UDP protocols that allow for amplification was done by Rossow (2014), as shown in Table 1.

Table 1. UDP protocol (Rossow, 2014).

Category             Protocol     Port(s)    Description
Network Services     SNMP v2      161        Monitoring network-attached devices
                     NTP          123        Time synchronization
                     DNS          53         (Primarily) Domain name resolution
                     NetBios      137        Name service protocol of NetBios API
                     SSDP         1900       Discovery of UPnP-enabled hosts
Legacy Protocols     CharGen      19         Legacy character generation protocol
                     QOTD         17         Legacy “Quote-of-the-day” protocol
P2P File Sharing     BitTorrent   Any        BitTorrent’s Kademlia DHT implementation
                     Kad          Any        eMule’s Kademlia DHT implementation
Multiplayer Games    Quake 3      27,960     Games using the Quake 3 engine
                     Steam        27,015     Games using the Steam protocol
P2P Based Botnets    ZAv2         164        P2P-based rootkit
                     Sality       Any        P2P-based malware dropper
                     Gameover     Any        P2P-based banking trojan

A similar study was conducted by Kührer et al. (2014b) for TCP based protocols shown in Table 2.

Table 2. List of TCP based protocols used in ADDoS (Kührer et al., 2014b).

Protocol   Port(s)
FTP        21
HTTP       80
IMAP       143
IPP        631
IRC        6667
MySQL      3306
NetBIOS    137
NNTP       119
POP3       110
SIP        5060
SMTP       25
SSH        3389
Telnet     23

The research demonstrates that TCP based protocols could be used to perform amplification attacks.

3.2 Amplification protocols

The amplification factor varies depending on the respective protocol (TCP or UDP based), the environment of the target, and the network setup, such as firewalls, policies and mitigation solutions.

Furthermore the amplification factor can be divided based on the Bandwidth Amplification Factor (BAF) and the Packet Amplification Factor (PAF):

$$\mathrm{BAF} = \frac{\mathrm{len}(\text{UDP payload})_{\text{amplifier}\to\text{target}}}{\mathrm{len}(\text{UDP payload})_{\text{attacker}\to\text{amplifier}}}$$

We agree with Rossow to ignore other packet headers because this may change if there is an update to the protocol.

$$\mathrm{PAF} = \frac{\text{no. of packets}_{\text{amplifier}\to\text{target}}}{\text{no. of packets}_{\text{attacker}\to\text{amplifier}}}$$

PAF is calculated from the number of request packets sent by the attacker and the number of packets with which the amplifier responds.

Table 3 lists the general amplification factor of most protocols. Most studies focus on measuring BAF rather than PAF, because the amplification comes mainly from the size of the response packets rather than from the number of packets sent to the target.
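To make BAF and PAF concrete, here is an added Python example (not code from Rossow's study or from the article) that builds a wire-format DNS query to obtain its payload length and then computes both factors over two constructed exchanges; the addresses and response sizes are assumed values, and headers are ignored as in the definitions above.

```python
"""Compute Rossow's BAF and PAF for a captured (here: constructed) reflection exchange."""
from dataclasses import dataclass
import struct


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload_len: int    # UDP payload bytes only; IP/UDP headers are ignored, as in the definition


def dns_query_payload(qname, qtype, edns_bufsize=4096):
    """Wire-format DNS query: 12-byte header, question section, optional EDNS0 OPT record."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # id, RD flag, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"
    question = name + struct.pack("!HH", qtype, 1)                         # QTYPE, QCLASS=IN
    # OPT RR: root name, type 41, class = advertised UDP buffer size, TTL = 0, RDLEN = 0
    opt = struct.pack("!BHHIH", 0, 41, edns_bufsize, 0, 0) if edns_bufsize else b""
    return header + question + opt


def amplification_factors(packets, amplifier, target):
    """BAF = response payload bytes / request payload bytes; PAF = response packets / request packets.
    Requests are whatever reached the amplifier; responses are what it sent on to the target."""
    requests = [p for p in packets if p.dst == amplifier]
    responses = [p for p in packets if p.src == amplifier and p.dst == target]
    if not requests:
        raise ValueError("no packets towards the amplifier in this capture")
    baf = sum(p.payload_len for p in responses) / sum(p.payload_len for p in requests)
    paf = len(responses) / len(requests)
    return baf, paf


# Constructed exchange 1: one spoofed ANY query to an open resolver, one large answer back.
TARGET = "203.0.113.10"        # constructed victim (TEST-NET-3)
RESOLVER = "198.51.100.53"     # constructed open resolver (TEST-NET-2)
QTYPE_ANY = 255
DNS_ANY_EXCHANGE = [
    Packet(TARGET, RESOLVER, len(dns_query_payload("example.com", QTYPE_ANY))),  # 40 bytes, src spoofed
    Packet(RESOLVER, TARGET, 2100),                                                # assumed answer size
]

# Constructed exchange 2: a service that answers each tiny request with several packets,
# which is where PAF rather than BAF carries the amplification.
REFLECTOR = "198.51.100.7"
MULTI_PACKET_EXCHANGE = (
    [Packet(TARGET, REFLECTOR, 8) for _ in range(2)]
    + [Packet(REFLECTOR, TARGET, 440) for _ in range(8)]
)


def main():
    print("DNS ANY query payload:", len(dns_query_payload("example.com", QTYPE_ANY)), "bytes")
    for name, pkts, amp in (("DNS ANY", DNS_ANY_EXCHANGE, RESOLVER),
                            ("multi-packet", MULTI_PACKET_EXCHANGE, REFLECTOR)):
        baf, paf = amplification_factors(pkts, amp, TARGET)
        print(f"{name:13s} BAF = {baf:6.1f}  PAF = {paf:4.1f}")


if __name__ == "__main__":
    main()
```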

Table 3. Amplification factor of protocols as studied by Rossow (2014).

Protocol                  Bandwidth amplification factor   Vulnerable command
DNS                       28 to 54
NTP                       556.9
SNMPv2                    6.3                              GetBulk request
NetBIOS                   3.8                              Name resolution
SSDP                      30.8                             SEARCH request
CharGEN                   358.8                            Character generation request
QOTD                      140.3                            Quote request
BitTorrent                3.8                              File search
Kad                       16.3                             Peer list exchange
Quake Network Protocol    63.9                             Server info exchange
Steam Protocol            5.5                              Server info exchange
Multicast DNS (mDNS)      2 to 10                          Unicast query
RIPv1                     131.24                           Malformed request
Portmap (RPCbind)         7 to 28                          Malformed request
LDAP                      46 to 55
CLDAP                     56 to 70
TFTP                      60
Memcached                 10,000 to 51,000

3.3 Exhaust rate

Over time, the amplifiers that the attacker consolidated become unusable for the attack and the list of collected amplifiers is exhausted. Most of the third-party entities used as amplifiers changed status quickly for various reasons, such as a change of IP address, a change in the services provided, or the implementation of anti-spoofing or a better security architecture. Kührer et al. (2014a) studied the exhaust rate of amplifiers over a period of 13 weeks, as shown in Fig. 9, which shows a very significant drop.


Fig. 9. Drop of amplifiers over the research period of 13 weeks.

As shown in Table 4, Kührer et al. (2014a) studied the exhaust rate of popular protocols used in ADDoS over a period of 13 weeks. There is a huge drop in the number of amplifiers from the initial scan to just the first week. For instance, the DNS amplifiers reduced by 47.5% and others dropped by half or more. By the end of week 13, the numbers had reduced even further: only 8.2 million DNS amplifiers were available, compared to 25 million in the initial scan. The exhaust rate needs to be factored into a real attack, as the studies above show that the exhaust rate of amplifiers is high.

Table 4. Result of exhaust rate study done by Kührer et al. (2014a).

Protocol   Initial scan (#)   Week 1 (#)   Week 1 (%)   Week 13 (#)   Week 13 (%)
DNS        25,681,450         12,190,302   47.5         8,263,508     32.2
NetBios    2,853,213          1,455,351    51.0         979,266       34.3
NTP        7,269,015          6,859,043    94.4         4,222,060     58.1
SNMP       8,866,748          4,939,118    55.7         3,411,563     38.5
SSDP       5,336,107          3,088,148    57.9         2,067,830     38.8

Kührer mentions that one of the major reasons for the high exhaust rate is that most of the amplifiers were connected to consumer routers and had dynamic IP addresses with short lease times. This further supports our observation that the attacker will need to keep re-scanning to keep their amplifier list up to date.


URL: https://www.sciencedirect.com/science/article/pii/S0167404821002042

Towards DDoS detection mechanisms in Software-Defined Networking

Yunhe Cui, ... Lianshan Yan, in Journal of Network and Computer Applications, 2021

3.3.1 Bandwidth depletion DDoS attack

According to the previous works, the bandwidth depletion DDoS can be further classified into flood attacks and amplification attacks. For the flood attack, an adversary can command the zombies to send plenty of normal packets to the target server. The representative flood attacks are UDP flood attack and ICMP flood attack (Kolahi et al., 2015; Chauhan and Saini, 2015), where the UDP and ICMP packets are employed to congest the bandwidth of the target server.

Conversely, in the amplification attack, instead of commanding the zombies to send DDoS packets directly to the target server, the adversary makes the zombies send numerous requests to specific servers such as DNS or NTP servers. The source IP addresses of these requests are set to the IP address of the target server. After receiving these requests, those servers generate response packets and send them to the target server, which significantly increases the attack rate and congests the target server’s bandwidth. Typical amplification attacks are the Smurf attack and the Fraggle attack (Bouyeddou et al., 2018; Deshmukh and Devadkar, 2015).


URL: https://www.sciencedirect.com/science/article/pii/S1084804521001703

Bloom filter applications in network security: A state-of-the-art survey

Shahabeddin Geravand, Mahmood Ahmadi, in Computer Networks, 2013

3.2.4.2 DNS attacks addressing

As the number of IP-spoofed requests forwarded to DNS servers increases, so does the likelihood of DNS amplification attacks. In [107], a low-cost hardware approach consisting of two phases has been proposed to deal with such attacks. In the detection phase, the attack traffic is detected. In the second phase, the scheme distinguishes forged responses from legitimate packets by using two BFs which alternately store the requests of two consecutive time periods. If an incoming response does not match a request in either of the two BFs, the response is illegitimate. The authors reported that this scheme is feasible to employ on high-speed links [107].
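A software model of the alternating two-filter scheme, added here as an example rather than the hardware design from [107]: requests are recorded in the filter for the current period, and a response is accepted only if its key (destination address and port, transaction id and question) is found in the current or the previous period's filter. The key layout, the period length, the filter sizing and the sample traffic are my assumptions, not the paper's.

```python
"""Software model of the two-Bloom-filter request/response matcher described for [107]."""
import hashlib
import math


class BloomFilter:
    """Standard Bloom filter sized for n_expected items at the requested false-positive rate."""

    def __init__(self, n_expected, fp_rate):
        self.m = math.ceil(-n_expected * math.log(fp_rate) / (math.log(2) ** 2))   # bits
        self.k = max(1, round(self.m / n_expected * math.log(2)))                  # hash functions
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k indexes derived from two 64-bit halves of one SHA-256 digest
        digest = hashlib.sha256(item).digest()
        h1, h2 = int.from_bytes(digest[:8], "big"), int.from_bytes(digest[8:16], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] >> (pos & 7) & 1 for pos in self._positions(item))


class ResponseMatcher:
    """Two filters alternate per time period: period p stores requests in filter p % 2, and a
    response is accepted only if its request key is found in the current or previous period."""

    def __init__(self, period_seconds, n_expected=10_000, fp_rate=0.001):
        self.period = period_seconds
        self.n_expected, self.fp_rate = n_expected, fp_rate
        self.filters = [BloomFilter(n_expected, fp_rate), BloomFilter(n_expected, fp_rate)]
        self.slot = None

    @staticmethod
    def key(client_ip, client_port, txid, qname, qtype):
        # A genuine answer returns to the address/port that asked, with the same id and question.
        return f"{client_ip}|{client_port}|{txid}|{qname.lower()}|{qtype}".encode()

    def _rotate(self, t):
        slot = int(t // self.period)
        if self.slot is None or slot - self.slot >= 2:
            # First use, or a gap of two or more periods: nothing stored is recent enough.
            self.filters = [BloomFilter(self.n_expected, self.fp_rate) for _ in range(2)]
        elif slot != self.slot:
            # New period: reuse (clear) the filter that held the period before last.
            self.filters[slot % 2] = BloomFilter(self.n_expected, self.fp_rate)
        self.slot = slot

    def see_request(self, t, client_ip, client_port, txid, qname, qtype):
        self._rotate(t)
        self.filters[self.slot % 2].add(self.key(client_ip, client_port, txid, qname, qtype))

    def response_is_legitimate(self, t, dst_ip, dst_port, txid, qname, qtype):
        """True if some request in this or the previous period could have produced it.
        A Bloom filter has no false negatives, so a genuine answer is never flagged; a false
        positive (about fp_rate) lets a forged answer through, never the reverse."""
        self._rotate(t)
        k = self.key(dst_ip, dst_port, txid, qname, qtype)
        return k in self.filters[0] or k in self.filters[1]


def triage(matcher, events):
    """events: ('req'|'resp', t, ip, port, txid, qname, qtype) in arrival order.
    Returns (accepted, forged) counts over the responses."""
    accepted = forged = 0
    for kind, t, ip, port, txid, qname, qtype in events:
        if kind == "req":
            matcher.see_request(t, ip, port, txid, qname, qtype)
        elif matcher.response_is_legitimate(t, ip, port, txid, qname, qtype):
            accepted += 1
        else:
            forged += 1
    return accepted, forged


# Constructed traffic seen in front of a host at 192.0.2.7 (TEST-NET-1): one real lookup and
# its answer, followed by a burst of reflected answers the host never asked for.
SAMPLE_EVENTS = [("req", 0.20, "192.0.2.7", 53001, 0xABCD, "example.com", 1),
                 ("resp", 0.90, "192.0.2.7", 53001, 0xABCD, "example.com", 1)] + [
                 ("resp", 1.0 + i * 0.01, "192.0.2.7", 53, 0x1000 + i, "example.com", 255)
                 for i in range(50)]

if __name__ == "__main__":
    print("accepted, forged =", triage(ResponseMatcher(period_seconds=1.0), SAMPLE_EVENTS))
```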


URL: https://www.sciencedirect.com/science/article/pii/S1389128613003083

Identity and access management in cloud environment: Mechanisms and challenges

I. Indu, ... Vidhyacharan Bhaskar, in Engineering Science and Technology, an International Journal, 2018

5.2.4 Availability of services

Data centers provide a huge number of services hosted on multiple servers. Supporting these services, or a huge amount of data transfer, requires proper network links with high bandwidth. Several types of security attacks affect the availability of a cloud-based service, such as DoS, DDoS, flooding attacks, and DNS reflection and amplification attacks. Basically, Denial of Service (DoS) attacks are classified into two categories: direct and indirect attacks. In a direct attack, a single malicious request overloads the server by exploiting a vulnerability or by causing it to process numerous requests. In an indirect attack, the flow of packets fully saturates the network links or intermediate routers with bogus requests, which terminates honest connections once the bandwidth capacity is reached. To overcome the impact of DoS attacks, a High Availability (HA) environment spread across multiple data centers is required, along with a proper Disaster Recovery (DR) plan [61].


URL: https://www.sciencedirect.com/science/article/pii/S2215098617316750

Distributed denial of service attacks in cloud: State-of-the-art of scientific and commercial solutions

Aanshi Bhardwaj, ... Mauro Conti, in Computer Science Review, 2021

3 Categories of DDoS attacks

In this section, we provide a categorization of DDoS attacks from a cloud computing perspective. This examination is useful in order to appreciate how the various DDoS attacks can impact the cloud environment and to be able to design effective detection mechanisms for the same. The well known categories of DDoS attacks are mentioned first. This is followed by discussion on DDoS attacks by categorizing them based on which part of the cloud is attacked. Section 3.1 discusses DDoS attacks on cloud infrastructure components, Section 3.2 discusses attacks on cloud services, and Section 3.3 discusses attacks on cloud customers.

DDoS attacks can be targeted towards depleting bandwidth or depleting resources of a network, or a combination of both approaches. The categories of DDoS attacks are: volumetric (Gbps), protocol (pps) and application layer (rps) attacks. Volumetric attacks or floods target the bandwidth of the network and can be launched through botnets or amplification. Protocol attacks target the compute and memory of servers and intermediate devices and often work at layers 3 and 4 of the OSI model on network devices like routers. Most attacks can be categorized depending on the vector and packet size, and the categories often overlap. A detailed description of DDoS volumetric and protocol attacks and their corresponding detection methods is given in [58]. Application layer/layer 7 attacks are also viewed as resource-based attacks. These types of attacks target servers hosting some kind of web application. The attackers in most cases make legitimate requests like a website user, and require very few bots to attack, which makes such attacks difficult to detect. As a consequence, these attacks display much smaller traffic spikes. Application layer attacks are measured in requests per second (rps), i.e., the number of requests made to an application. A detailed description of application layer attacks and their corresponding detection methods is given in [16].


Fig. 3. Categories of DDoS attacks in cloud.

DDoS attacks result in service disruption which is the primary effect. Service downtime/disruption leads to economic losses and short or long term business reputation losses. DDoS attacks in cloud might not always result in service downtime due to autoscalability feature of cloud. Autoscalability is one of the characteristics of cloud which automatically adds or removes computational resources based on usage at that instant. But it has the negative impact of increased billing costs for the cloud users. Additionally, since co-hosted VMs on a single physical server may be shared amongst different cloud users (multitenancy), there is collateral damage to non targets by disrupting their service and causing autoscaling of their resources as well. Fraudulent resource consumption results in economic losses to cloud users and reputation loss to cloud providers. Fig. 3 depicts the various DDoS attack categories from a cloud computing perspective. The attacker attacks different components of cloud according to the intent and existing vulnerability. The various cloud components that come under DDoS attacks are — Cloud Infrastructure (VMs, Hypervisor, Cloud Scheduler), Cloud Services (SAAS and web services) and Cloud Customers (Cost accountability component).

3.1 Attacks on cloud infrastructure

The attacks on cloud infrastructure are as follows:

Flooding Attacks: A denial of service attack in which a service is brought down by overwhelming it with a large amount of traffic. The attacker floods the target with incomplete connections, which consumes the target's resources, and as a result genuine packets are not processed. Examples of flooding attacks are ICMP Flood, TCP SYN Flood, UDP Flood, ACK Fragmentation Flood and HTTP Flood.

Carpet Bombing: A new variant of the common flooding or reflection attack. Instead of attacking a specific IP address, the attacker attacks multiple systems that are part of a subnet or CIDR block. Flooding CIDR blocks also overwhelms the mitigation system. The other issue is that detection systems usually key on destination IPs, not on subnets or CIDR blocks, which hinders timely and accurate detection of the attack.

Yo Yo Attack: This attack exploits the autoscalability mechanism of the cloud. The attacker sends periodic bursts of traffic that trigger the autoscaling process to alternate between scale-up and scale-down cycles. Rather than suffering a complete denial of service, cloud users suffer economic damage, i.e., the extra cost that has to be paid because fraudulent packets cause the autoscaling process to scale up.

VM Sprawling: VM sprawling denotes an overabundance of resource-draining VMs in the cloud environment, some of which may be obsolete. They are open to attack because of vulnerabilities that have not been patched since the VM was last used.

Multi Vector: A newer attack type in which the attacker combines different attack strategies to intensify the attack and make it harder for systems to detect and mitigate. The attacker may combine different types of flood attacks, blend different amplification attacks, or combine amplification attacks with traditional attacks.

Smurf & Fraggle: Smurf and Fraggle are amplification attacks that exploit the characteristics of broadcast networks. A Smurf attack sends spoofed ICMP echo request (ping) messages to a broadcast address, prompting each host to reply, which results in a huge amount of traffic towards the victim. A Fraggle attack works the same way, except that the attacker sends spoofed UDP packets instead of ICMP packets.

CIDoS: Cloud Internal Denial of Service (CIDoS) attacks are those in which VMs attack their host with the help of covert channels. Each VM increases its resource consumption in order to disturb the host machine's ability to process the increase in resource usage. These attacks are harder to detect because the attack pattern is very similar to normal traffic.

3.2 Attacks on cloud services

The attacks on cloud web services and Software as a Service (SaaS) are as follows:

HTTP Flood: The attacker sends legitimate-looking HTTP GET or POST requests towards the server. The attack GET and POST requests are similar to normal HTTP requests, but the volume of requests is so large that it consumes the resources of the target, leading to denial of service.

Billion Laughs: Also known as an XML bomb or exponential entity expansion attack. The attacker targets XML parsers, sending a well-formed XML message that passes schema validation yet consumes the resources of the cloud when its entities are expanded.

Cross Site Scripting: The attacker injects malicious JavaScript code into the targeted website. The code is triggered when a user visits the site. Upon execution of the code, consumption of the target's resources jumps, resulting in denial of the services running on the target.

Coercive Parsing: The attacker intentionally includes a large number of namespace declarations, continuous open tags and deeply nested XML structures, which clog up the CPU cycles of the parser.

NTP, Memcached and DNS Amplification: NTP amplification is a reflection-based amplification attack in which the attacker exploits the functionality of NTP servers. The attacker sends spoofed requests towards the NTP servers, each of which results in a large response. A large number of such amplified responses consume the target's resources, leading to denial of service. Similarly, in Domain Name Server (DNS) and Memcached amplification attacks, the attacker exploits DNS and Memcached servers to generate high-volume, high-bandwidth DDoS attacks.

Oversized Encryption Attack: The attacker crafts SOAP messages that include oversized digital signatures. When processed, these signatures consume a lot of memory, leading to denial of service.

XML Attack: The attacker sends a flood of XML messages towards the target. These messages are complex and parsing them is time-consuming. The attacker manipulates some fields of the XML message so that it eats up large amounts of the web service's resources, ultimately bringing down the server.

3.3 Attacks on cloud customers

The primary attack that directly targets cloud customers is as follows:

Economic Denial of Sustainability (EDoS): For cloud customers, a DDoS attack is transformed into an EDoS attack. The attack targets the economic resources of the customers by billing them for fraudulent resource consumption. The illegitimate usage of cloud resources is caused by autoscaling of resources, which in turn is triggered by attack traffic rather than the customer's genuine traffic. This can lead to potentially infinite billing costs for the customer, leading to economic unsustainability for the cloud customer.
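The Yo Yo attack in Section 3.1 and the EDoS effect above can be seen in a small autoscaler simulation. This is an added example, not code from the surveyed paper; the scaler model, thresholds, capacity and billing rate are all assumptions, and the load series are constructed.

```python
"""Yo-Yo attack against an autoscaler: same legitimate load, higher bill.

Added example, not code from the surveyed paper; the scaler model and all
numbers are assumptions. Each step is one minute. The scaler adds an instance
immediately when per-instance utilization exceeds UP, and removes one only
after utilization has stayed below DOWN for COOLDOWN minutes.
"""
UP, DOWN, COOLDOWN = 0.7, 0.3, 10       # assumed scaler thresholds (fraction, minutes)
PRICE_PER_INSTANCE_MINUTE = 0.01        # assumed billing rate
CAPACITY = 100                          # assumed requests/minute one instance can serve


def simulate(load_series):
    """Return (instance_minutes billed, cost) for a per-minute load series."""
    instances, below_since, instance_minutes = 1, None, 0
    for t, load in enumerate(load_series):
        util = load / (instances * CAPACITY)
        if util > UP:                        # burst: scale up right away
            instances += 1
            below_since = None
        elif util < DOWN:                    # idle: scale down only after cooldown
            if below_since is None:
                below_since = t
            elif t - below_since >= COOLDOWN and instances > 1:
                instances -= 1
                below_since = t              # restart the cooldown for the next step
        else:
            below_since = None
        instance_minutes += instances        # billed after the scaling decision
    return instance_minutes, round(instance_minutes * PRICE_PER_INSTANCE_MINUTE, 2)


def steady_load(minutes, base=40):
    """Constructed legitimate traffic: a flat 40 requests/minute."""
    return [base] * minutes


def yoyo_load(minutes, base=40, burst=200, period=20, width=3):
    """Constructed attack traffic: a 3-minute burst every 20 minutes on top of the same base."""
    return [base + (burst if t % period < width else 0) for t in range(minutes)]


if __name__ == "__main__":
    print("steady:", simulate(steady_load(60)))   # (60, 0.6)
    print("yo-yo :", simulate(yoyo_load(60)))     # (216, 2.16)
```

Over one hour the bursts amount to nine minutes of extra traffic, yet the slow scale-down keeps the extra instances billed for most of the hour, so the customer pays more than three times the baseline for the same genuine load.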

Inferences and Observations: At the network level, the most common attacks are TCP, UDP and ICMP floods, followed by reflective DNS, SNMP and SSDP floods. Fragmented-packet attacks such as IP Fragment and TCP Segment are fairly common too. These attacks occur when reassembly of an IP or TCP packet causes CPU saturation because the packet is malformed with overlapping or missing values. They use very little bandwidth of the attack/incoming traffic, making them hard to detect. The common attacks at the application layer are repetitive GET, low-and-slow attacks using Slowloris and its variants, slow read, and specially crafted stack/protocol/buffer attacks.


URL: https://www.sciencedirect.com/science/article/pii/S1574013720304329

The evolution of IoT Malwares, from 2008 to 2019: Survey, taxonomy, process simulator and perspectives

Benjamin Vignau, ... Abdelwahab Hamou-Lhadj, in Journal of Systems Architecture, 2021

4.1 Goal (1)

The Goal (1) category contains the features implemented by a botnet that capture its ultimate objective. This category contains five families: DDoS, PDoS, Spying, Income generation and Attack vector distribution.

The taxonomy of this category is given in Fig. 4, and a summary table is given in Table 5 (see Table 2).


Fig. 4. Taxonomy: Goal category.

DDoS (1.1)

This family includes all features related to Distributed Denial of Service attacks (DDoS). This includes: Syn Flood (1.1.1), UDP Flood (1.1.2), ICMP (1.1.3), ACK-PUSH (1.1.4), HTTP (1.1.5), TCP XMAS (1.1.6), GRE ETH (1.1.9), GRE IP (1.1.10), VSE (1.1.11) and TS3 (1.1.12). These types of attacks aim to send as many packets as possible to the intended victim, thus overwhelming its resources. The different features mostly differ in the type of protocol used to accomplish this task. For example, the UDP Flood proceeds using UDP packets. Most of these types of attacks are well known in the security community. We mention the VSE flood, which uses the Valve Source Engine protocol to attack game servers; the TS3 protocol is a VoIP protocol used by the TeamSpeak application; and the TCP XMAS Flood, in which an attacker sends TCP packets in which every flag is set to 1.

The DDoS family also includes the DNS Amplification attack (1.1.7), in which each attacker sends a different small DNS query using the IP address of the victim as the source. The DNS server then sends multiple responses to the victim, exhausting its bandwidth. The DNS water torture (1.1.8) aims to exhaust the authoritative DNS of the target by sending many queries for random subdomains to the DNS server. Each of these attacks is described by De Donno et al. [10].
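The DNS amplification attack described here (and under "NTP, Memcached and DNS Amplification" in the previous article) leaves a recognizable trace on the victim's side: large DNS responses arriving from resolvers the host never queried. The following detector over flow records is an added example, not code from either surveyed paper; the flow tuple format, the thresholds and the assumed 64-byte query size are all assumptions, and the flows are constructed.

```python
"""Flag DNS reflection/amplification toward a host from flow records.

Added example, not code from either surveyed paper. Constructed flow tuples are
(src_ip, src_port, dst_ip, dst_port, bytes, qr) with qr=0 query, qr=1 response.
"""
from collections import defaultdict

ASSUMED_QUERY_BYTES = 64  # assumed size of the attacker's small spoofed query

FLOWS = [  # constructed sample flows, not real traffic
    # legitimate resolution: a client queries its resolver and gets an answer
    ("10.0.0.5", 51000, "10.0.0.2", 53, 62, 0),
    ("10.0.0.2", 53, "10.0.0.5", 51000, 130, 1),
    # stray responses below the alert thresholds (one reflector, two packets)
    ("198.51.100.1", 53, "10.0.0.7", 40000, 500, 1),
    ("198.51.100.1", 53, "10.0.0.7", 40000, 500, 1),
    # reflected responses: the victim never sent a query to these resolvers
    ("198.51.100.1", 53, "203.0.113.9", 80, 3100, 1),
    ("198.51.100.1", 53, "203.0.113.9", 80, 3100, 1),
    ("198.51.100.2", 53, "203.0.113.9", 80, 2900, 1),
    ("198.51.100.2", 53, "203.0.113.9", 80, 2900, 1),
    ("198.51.100.3", 53, "203.0.113.9", 80, 3300, 1),
    ("198.51.100.3", 53, "203.0.113.9", 80, 3300, 1),
]


def amplification_report(flows, min_responses=5, min_reflectors=2):
    """Return {victim_ip: stats} for hosts flooded with unsolicited DNS responses."""
    queried = set()                  # (client, resolver) pairs that sent a query
    responses = defaultdict(list)    # destination -> [(resolver, bytes)]
    for src, sport, dst, dport, nbytes, qr in flows:
        if qr == 0 and dport == 53:
            queried.add((src, dst))
        elif qr == 1 and sport == 53:
            responses[dst].append((src, nbytes))
    report = {}
    for host, resp in responses.items():
        # a response is unsolicited when this host never queried that resolver
        unsolicited = [(r, b) for r, b in resp if (host, r) not in queried]
        reflectors = {r for r, _ in unsolicited}
        if len(unsolicited) < min_responses or len(reflectors) < min_reflectors:
            continue
        total = sum(b for _, b in unsolicited)
        report[host] = {
            "responses": len(unsolicited),
            "reflectors": len(reflectors),
            "bytes": total,
            "est_amplification": round(total / len(unsolicited) / ASSUMED_QUERY_BYTES, 1),
        }
    return report
```

The thresholds keep a single late or duplicate answer from raising an alert; the estimated amplification factor is only as good as the assumed query size, so treat it as an order-of-magnitude indicator.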

PDoS (1.2)

PDoS stands for Permanent Denial of Service or Physical Denial of Service. In this case, the aim is to physically disable an object by overwriting its memory (1.2.2) or by changing the rules of its firewall to drop all connections (1.2.1).

Spying (1.3)

This family includes two sub-families: Industrial Spying and General Spying. The former groups all features that are specially crafted to spy on industrial plants or large corporations. The latter includes more general spying features that target everyone, from common users to large multinationals. In the Industrial spying sub-family (1.3.1) we include features that map all local subnets (1.3.1.1), features that monitor industrial controllers such as SCADA (1.3.1.2) and features that create a reverse VPN, which can be used by attackers to gain access to the local networks of the company. In the General spying (1.3.2) sub-family, we have included features such as data exfiltration (1.3.2.1) and data obfuscation (1.3.2.2) used to steal data from users. This sub-family also includes the man-in-the-middle attack (1.3.2.3) and DNS spoofing (1.3.2.4), which redirect users to malicious fake web sites in order to steal their credentials. Finally, it includes features that exploit other computers in the local network (1.3.2.5).

Income generation (1.4)

This family groups all features that are used to generate income directly using the botnet. It includes cryptomining features such as Bitcoin (1.4.1), DogeCoin (1.4.2), LiteCoin (1.4.3) and Monero (1.4.6), as well as Ad fraud (1.4.5). In an Ad fraud scheme, bots navigate to a predefined website and click on ads in order to generate revenue for the botmaster. The most advanced form of profit generation is called Botnet as a Service (BaaS) (1.4.7). In this scheme, botmasters rent out the computational power of the infected devices in order to provide numerous services such as large-scale anonymous proxy networks, credential brute-forcing, etc.

Attack vector distribution (1.5)

As mentioned above, some botnets are rented out to spread other malware or other botnets. For example, Sirmer and Streda [15] monitored the Necurs botnet and observed that it was spreading another botnet. Taxon 1.5 groups features that are used by botnets to propagate other malware. This can be done by sending spam (1.5.1) or by backdooring infected objects and then using the backdoor to propagate other malware rapidly. We name this latter feature Backdoor as a Service (BaaS) (1.5.2).


URL: https://www.sciencedirect.com/science/article/pii/S1383762121001053

What type of attack is DNS spoofing?

Domain Name Server (DNS) spoofing (a.k.a. DNS cache poisoning) is an attack in which altered DNS records are used to redirect online traffic to a fraudulent website that resembles its intended destination.

What is known as a DNS attack?

A DNS attack is any attack targeting the availability or stability of a network's DNS service. Attacks that leverage DNS as a mechanism within an overall attack strategy, such as cache poisoning, are also considered DNS attacks.

What are the types of DNS attacks?

Types of DNS attacks include:
Zero-day attack: the attacker exploits a previously unknown vulnerability in the DNS protocol stack or DNS server software.
Cache poisoning.
Denial of service (DoS).
Distributed Denial of Service (DDoS).
DNS amplification.
Fast-flux DNS.

What is DNS hijacking attack?

Domain Name Server (DNS) hijacking, also called DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites.