Abstract
The Domain Name System (DNS) plays a critical part in the functioning of the Internet. Because DNS queries are carried over UDP, the protocol can be abused for Distributed Denial of Service (DDoS) attacks: an attacker spoofs the source IP address of a query so that the server's response is directed at the victim network. Since the network does not keep track of how many requests go out and how many responses come in, the attacker can flood it with these unsolicited DNS responses. DNS is not the only protocol exploited this way. The Network Time Protocol (NTP) is used to synchronize clocks between systems; its monlist command replies with up to 600 entries of previously seen clients, a response that is enormous compared to the request, and attackers use this functionality for DDoS. Since these attacks can cause massive congestion, it is crucial to prevent or mitigate them, which requires a way to drop the unsolicited responses as they enter the network. Intelligent cybersecurity systems, built on AI and ML algorithms, are designed to detect such attacks. This paper discusses one such method for distinguishing the attack server from legitimate traffic. The method uses an algorithm that is activated by excess traffic in the network, where excess traffic is determined by the rate of requests and responses and by their ratio. The algorithm extracts the IP addresses of the responding servers and detects which of them are sending more packets than were requested, or packets that were never requested. Such a server can then be blocked using a firewall or an Access Control List (ACL).
Introduction
The Internet has been popularized enormously in this era of technological advancement, and DNS is one of the protocols crucial to its functioning: it is used to look up the IP address of a given domain name. As harmless as this protocol seems, it can be used to disrupt various services. DDoS attacks can be performed through DNS servers: since DNS uses UDP for queries, an attacker can spoof the source address in a request so that the response reaches the target system. The DNS server thereby acts both as a reflector and as an amplifier.
Such an attack can overload a network and delay or halt legitimate traffic. If a web service is under DDoS attack, users cannot complete their requests for resources because the service is congested, and the victim's bandwidth and processing capacity are consumed handling the vast number of unsolicited responses. If these attacks are not mitigated, the organization will suffer a considerable loss.
Preventing these attacks is essential, so this paper discusses a method to detect and mitigate DNS-based DDoS. An intelligent algorithm analyzes network traffic and extracts specific features from it, which are used to decide whether an attack is in progress.
The Domain Name System (DNS) is used by every computer to reach websites on the Internet. It stores information on domains, including their IP addresses, canonical names, and other records, and translates domain names into IP addresses so that we do not have to memorize the addresses. UDP is used as DNS's transport protocol because it is fast and, unlike TCP, does not require a handshake to establish a connection before the query is sent. The drawback is that UDP is connectionless and does not verify the source IP address of a datagram, so a server cannot be sure that a request really came from the host it claims to. An attacker exploits this by spoofing the source IP address of requests sent to a DNS server; the server sends its response to whatever address appears in the request, so the response can be directed to any IP address. The attacker launches a DDoS attack by setting the source IP to the victim's address and sending a vast number of requests to the DNS server. Because an intermediary reflector is used, the attack is termed a Distributed Reflection Denial of Service (DRDoS) attack.
There are 13 root DNS server identities (each served by many anycast instances) and 10,366 name servers in the world. If a name server is not correctly configured, for example if rate limiting is not applied, it can be used as a reflector. The attacker exploits the fact that a DNS response can be significantly larger than the request that produced it: if a query requests a TXT record (text record), the response can be as much as 10 times the size of the request. The attacker spoofs DNS requests so that the replies are directed at the victim's network, which then receives a massive number of large DNS responses. This consumes the network's bandwidth and starves legitimate traffic. Even with a small botnet, the attack can become devastating with the right DNS queries. This attack is also called a DNS amplification attack. According to Nexusguard's Q3 threat report, DNS amplification attacks grew by up to 4800% from Q3 2018 to Q3 2019; the report notes that the method is not new but has emerged as the third most used attack vector.
Synchronization between computer clocks in a network is performed by the Network Time Protocol (NTP). A client exchanges timestamped packets with a server and computes the link delay and the local clock offset from them, then adjusts its clock to match the server's; a few request/response rounds are needed to set the clock accurately. The reference ntpd implementation has a 'monlist' command (a mode 7 private command) which, when called, returns a response containing up to the last 600 monitored client records. Since NTP also uses UDP, this can be used as an attack vector: a small request calling this function produces a response hundreds of times larger than the request. In 2014, the largest DDoS attack recorded at the time used this technique; it peaked at 400 Gbps and involved 4592 NTP servers.
To detect and mitigate these amplification attacks, it is essential to identify the servers sending these rogue responses. This paper presents a way to distinguish the IP addresses of servers that are sending responses that were never requested, so that further responses from them can be dropped and the network kept free of congestion.
This paper contributes a lightweight algorithm to detect DDoS attacks, building on earlier research into properties of Internet traffic. The proposed method outputs a list of the servers from which the attack traffic is arriving.
The paper is organized as follows. Section II reviews previous studies on DRDoS attack detection and prevention. Section III explains amplification attacks. Section IV discusses the proposed method. Section V describes the experimental setup.
Related work
The DNS protocol and its security have evolved over time, but DNS is still one of the most abused services for performing DDoS attacks: attackers exploit its features to perform amplification attacks. Various preventive measures exist. Network ingress filtering (BCP 38) can be applied on routers so that spoofed packets are never sent out in the first place. Load balancing or sufficient network capacity can mitigate an active DDoS attack. Another option is to use TCP for DNS queries, which defeats source spoofing, but at the cost of the low latency that motivated the use of UDP.
In [5], Tsunoda described a technique that maps DNS requests to their corresponding responses so that unsolicited responses can be detected and the IP address of the responding DNS server blocked. If all DNS responses are coming from a single DNS server, however, this method can only detect the amplification attack: there is no way to block that DNS server without consequences for the organization's own name resolution. In [1], Fijinoki presented a method in which recursive servers divide the high traffic among cloud instances, repeatedly, until the attack server's IP address is isolated; traffic from the remaining DNS servers is routed through a mirror server. This method can pinpoint the attacking DNS server, but many temporary servers have to be created to find it.
An adaptive method is discussed in [3], where the threshold for blocking an IP address changes with the current network traffic: the method considers the status of the traffic and calculates the value that is best kept as the threshold. In [2] and [4] a Support Vector Machine, a machine learning algorithm, is used as a classifier to distinguish an amplification attack. Attributes of the traffic such as incoming and outgoing packet counts, packet size, and the difference between the number of requests made and responses received are used to train and test the model, and the reported results are highly accurate. [4] uses a Software-Defined Network to gather the attributes.
Saharan surveyed the work of various researchers and listed different types of preventive measures in [9]; he also proposed a framework to strengthen the DNS architecture using deep packet inspection and the Internet of Things. The use of SDN to detect DNS amplification attacks is well described in [10] by Xing.
Much research has been done on NTP amplification attacks. According to this research, gaming servers are frequent targets; the motive is to slow down or shut down the server so that opponents' games lag or disconnect. In [12], Rudman analyzed two different NTP amplification attacks and found that they were performed from various computers that mostly shared the same path to the victim. This was determined by analyzing the Time-to-Live (TTL) field of the packets: most packets had TTL > 230, which indicates that the attacker had set the initial TTL to 255. The TTL can also hint at the tool used, because attack tools tend to set their own characteristic initial TTL.
Cisco has provided various solutions for mitigating NTP amplification attacks: Access Control Lists (ACLs), Router Access Control Lists, and Committed Access Rate (CAR). Each has its benefits. ACLs filter network traffic by controlling which packets may pass. CAR limits the rate of incoming and outgoing traffic on an interface, for security and for network optimization, using criteria such as an IP access list or IP precedence; it is particularly useful during network congestion. In [11], Bahman experimented with these Cisco router features and compared the performance during an attack with and without these protections in place.
Another method, proposed in [16], detects amplification attacks by using a different port for every new request and then monitoring them. Several characteristics are gathered to differentiate regular traffic from attack traffic; for example, the bandwidth amplification factor of a request/response pair should be greater than 5, and the response size should be greater than 10 MB. A similarity factor based on compression algorithms is used to compare a sample of attack traffic with live traffic. These factors, along with some other characteristics, are used to detect an attack.
Amplification attacks
The main idea of this attack is to provoke massive responses to small queries and direct them towards the victim. DNS amplification and NTP amplification attacks are the most popular. The attacker sends queries to DNS or NTP servers that produce very large responses, with the source address of the queries spoofed so that the victim receives the responses.
The ratio between the size of a response and the size of the request that produced it is known as the amplification factor. It is calculated as
Amplification factor = (response’s size)/ (request’s size)
The higher the amplification factor, the more of the victim's bandwidth and resources are consumed per request sent by the attacker.
DNS amplification
DNS servers are used as intermediaries for the DDoS attack: the attacker sends requests to DNS servers whose responses are redirected to the victim, as shown in Fig. 1. Generally, a DNS response is larger than the query that produced it, and attackers take advantage of this to overwhelm the victim's network. Because the attack traffic arrives from legitimate DNS servers rather than from the bots, it is difficult to filter. DNS has an essential function in any organization: every service that needs name resolution depends on it. In a regular DDoS attack the traffic comes from the bots, and the victim can block the bots' IP addresses to mitigate it; in a DNS amplification attack the victim cannot simply block the DNS servers without damaging the functions of the corporate network. The amplification factor of DNS ranges from 28 to 54.

Fig. 1. DRDoS attack method.
NTP amplification
NTP servers have a function called monlist. When requested, it responds with up to 600 entries (IP addresses) of systems that previously communicated with the server, which makes the response enormous compared to the request, so the amplification factor is very high. The attacker exploits this by sending monlist requests to the NTP server with the source IP spoofed to the victim's address; the responses go to the victim and overload its network with NTP packets. The amplification factor of NTP is 556.9.
Proposed method
This section presents a mechanism to defend against DNS and NTP amplification attacks.
Overall mechanism
In this method, all monitoring is done at the router. Presuming that only one system is being victimized, the process is as follows. DNS and NTP packets are captured and stored in a pcap file at a regular interval. This file is then used to extract features of the DNS and NTP traffic, which are used to detect an amplification attack. First, the packet rate (speed) of each protocol is measured. If it exceeds a threshold, the ratio of requests made to responses received is calculated; this can determine whether the incoming traffic is legitimate. If the ratio is too low, the source IP addresses of all response packets of that protocol are gathered, and the ratio of outgoing requests to incoming responses is calculated for each individual IP address. An IP address whose ratio is 0 is labeled an attack server, since no requests were made to it. This IP address can then be blocked by the firewall to prevent further attack traffic. The packet-capture interval differs between the attack and non-attack phases. With this algorithm, attack servers (servers that forward responses to spoofed requests) can be detected. The whole process is shown in Fig. 3.

Proposed method to defend against DNS and NTP amplification attacks.

Algorithm: detection of attack servers
Parameters:
t = 10 seconds (default time interval for packet capture)
TS = threshold of speed (packets per second)
TR = threshold of ratio (requests to responses)
Input: a pcap file containing all DNS (or NTP) request and response packets captured within one interval t.
Output: list of IPs to be blocked, or null, is printed.
Figure 2 contains the proposed algorithm.
Packet capture
Tcpdump is a command-line tool for capturing and analyzing network packets; it is used here to capture the packets for analysis. A protocol filter is applied so that only traffic of the specified protocol is captured. Packets are captured in fixed intervals of 10 seconds. Small intervals make the calculations easier and detect an attack faster. Once an attack is detected, the capture interval is reduced to 3 seconds in order to speed up detection of further attack servers. After the attack, the interval is increased by 1 second after every capture until it reaches its default value of 10 seconds.
Feature extraction
Several features are extracted from each pcap file. The first feature is the speed (rate) of the packets:
Speed of packets = (Total number of packets) / (total time in seconds)
This indicates whether excess traffic is passing through the router. The second feature is the ratio of outgoing requests to incoming responses:
Ratio = number of requests / number of responses
The third feature is the list of IP addresses of the DNS or NTP servers that sent responses; every address in this list is analyzed to determine the attack servers.
The final feature is the ratio of outgoing requests to incoming responses for each individual IP address:
Ratio (IP) = count of requests made to that IP / count of responses received from that IP
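The feature extraction described above, as an added example that is not the paper's code: a standard-library Python parser for the classic libpcap format that separates DNS requests from responses by the QR bit (and NTP requests from responses by the mode 7 response bit) and computes the speed, the request/response ratio, the list of responding servers and the per-server ratio for one capture window. The capture is constructed in memory; the victim, resolver and reflector addresses are documentation ranges chosen for illustration, and the window length is passed in explicitly rather than read from the timestamps.

```python
"""Feature extraction for DNS/NTP amplification detection (added example).

Parses a classic libpcap capture with the standard library only and computes
the features described above: packet speed, request/response ratio, the list
of responding servers and the per-server ratio. The capture is constructed in
memory and uses documentation address ranges, not real hosts.
"""
import socket
import struct
from collections import Counter, defaultdict

DNS_PORT, NTP_PORT = 53, 123
VICTIM, RESOLVER, REFLECTOR = "192.0.2.10", "192.0.2.53", "198.51.100.7"


def classify(payload, sport, dport):
    """Return (protocol, is_response) for a UDP payload, or (None, None)."""
    if DNS_PORT in (sport, dport) and len(payload) >= 4:
        flags, = struct.unpack_from("!H", payload, 2)
        return "dns", bool(flags & 0x8000)             # DNS QR bit: 1 = response
    if NTP_PORT in (sport, dport) and payload:
        first, mode = payload[0], payload[0] & 0x07
        if mode == 7:                                   # private mode (monlist)
            return "ntp", bool(first & 0x80)            # R bit: 1 = response
        return "ntp", mode == 4                         # mode 4 = server reply
    return None, None


def parse_pcap(data):
    """Yield (src_ip, dst_ip, sport, dport, payload) for each UDP/IPv4 frame."""
    magic, = struct.unpack_from("<I", data, 0)
    rec = "<IIII" if magic == 0xA1B2C3D4 else ">IIII"   # record-header byte order
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(rec, data, off)
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                    # not IPv4/UDP over Ethernet
        ip = frame[14:]
        udp = ip[(ip[0] & 0x0F) * 4:]                   # skip IPv4 header (IHL words)
        sport, dport = struct.unpack_from("!HH", udp, 0)
        yield socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, udp[8:]


def _ratio(requests, responses):
    """requests/responses; with no responses the ratio is reported as infinity."""
    return requests / responses if responses else float("inf")


def extract_features(data, window_seconds):
    """Compute speed, ratio and per-server ratio for each protocol in one window."""
    totals = defaultdict(Counter)                        # proto -> request/response counts
    servers = defaultdict(lambda: defaultdict(Counter))  # proto -> server IP -> counts
    for src, dst, sport, dport, payload in parse_pcap(data):
        proto, is_response = classify(payload, sport, dport)
        if proto is None:
            continue
        kind = "responses" if is_response else "requests"
        server = src if is_response else dst             # servers send replies, receive queries
        totals[proto][kind] += 1
        servers[proto][server][kind] += 1
    return {proto: {"speed": (c["requests"] + c["responses"]) / window_seconds,
                    "ratio": _ratio(c["requests"], c["responses"]),
                    "servers": {ip: _ratio(s["requests"], s["responses"])
                                for ip, s in servers[proto].items()}}
            for proto, c in totals.items()}


def _udp_frame(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame with zero MACs and checksums (constructed input)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file, one frame every 0.1 s."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i // 10, (i % 10) * 100000, len(frame), len(frame)) + frame
    return out


def sample_capture():
    """Constructed 10 s window: two normal TXT lookups, then 20 reflected replies."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)  # QTYPE TXT, QCLASS IN
    query = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + question
    reply = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + b"\x00" * 400
    frames = []
    for i in range(2):                                   # legitimate exchange with our resolver
        frames.append(_udp_frame(VICTIM, RESOLVER, 40000 + i, DNS_PORT, query))
        frames.append(_udp_frame(RESOLVER, VICTIM, DNS_PORT, 40000 + i, reply))
    for i in range(20):                                  # replies nobody on this network asked for
        frames.append(_udp_frame(REFLECTOR, VICTIM, DNS_PORT, 50000 + i, reply))
    return build_pcap(frames)


if __name__ == "__main__":
    print(extract_features(sample_capture(), window_seconds=10))
```

On the constructed window the resolver 192.0.2.53 gets a per-server ratio of 1.0 (two queries, two replies) while the reflector 198.51.100.7 gets 0.0 (twenty replies, no queries), which is exactly the signal the algorithm looks for. In practice the input files would come from a rotating capture such as `tcpdump -i eth0 -G 10 -w 'win-%s.pcap' 'udp port 53 or udp port 123'`, with the rotation period supplied as `window_seconds`.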
Processing
First, the captured DNS and NTP packets are analyzed, and the speed and ratio are calculated for each protocol. If the speed is reasonable for both, there is no need to check for an attack. If the speed exceeds the speed threshold for either protocol, that protocol's ratio is checked; if the ratio is below the ratio threshold for that protocol, processing continues, otherwise the traffic is considered legitimate and no further processing is needed.
Next, a list of IP addresses is generated for the protocol whose speed and ratio crossed the thresholds, and the ratio of outgoing requests to incoming responses is calculated for each individual IP. An attack server is one to which zero or very few requests were made but from which a vast number of responses were received, so the criterion is a ratio equal to 0 or close to 0. Every IP that meets this criterion is flagged as an attack server and can be blocked. The packet-capture interval is also reduced to 3 seconds after an attack is detected, so that further attack servers are detected quickly; in this way all servers sending unwanted packets can be found.
After the attack, the interval between packet captures returns to 10 seconds by increments of 1 second, which reduces the load on the processor and memory once the attack is over.
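The processing stage described above, including the adaptive capture interval, as an added example that is not the paper's code. It consumes one feature dictionary per capture window (speed, request/response ratio, and per-server ratio, in the shape a pcap feature-extraction step would produce), applies the speed threshold TS and the ratio threshold TR, flags servers whose ratio is zero or close to it, and switches the interval to 3 seconds on detection and back up by 1 second per quiet window to the 10-second default. The threshold values and the bound used for "close to 0" are assumptions chosen for illustration, since the paper does not fix them, and the sequence of windows is constructed rather than measured.

```python
"""Decision stage and adaptive capture interval (added example).

Consumes one feature dictionary per capture window, of the form
{"dns": {"speed": pps, "ratio": requests/responses, "servers": {ip: ratio}}},
applies the paper's speed and ratio thresholds and adapts the capture interval.
Threshold values and the "close to 0" bound are assumptions for illustration.
"""

DEFAULT_INTERVAL = 10          # seconds between captures in the non-attack phase
ATTACK_INTERVAL = 3            # seconds between captures once an attack is seen
NEAR_ZERO = 0.05               # assumed bound for "ratio equal to 0 or close to 0"
THRESHOLDS = {                 # assumed per-protocol TS (speed) and TR (ratio)
    "dns": {"TS": 50.0, "TR": 0.5},
    "ntp": {"TS": 20.0, "TR": 0.5},
}


def detect(features):
    """Return {protocol: [attack server IPs]} for one window ({} if legitimate)."""
    flagged = {}
    for proto, f in features.items():
        th = THRESHOLDS.get(proto)
        if th is None or f["speed"] <= th["TS"]:
            continue                          # rate is reasonable: nothing to check
        if f["ratio"] >= th["TR"]:
            continue                          # responses roughly match our requests (inf = no responses)
        servers = [ip for ip, r in sorted(f["servers"].items()) if r <= NEAR_ZERO]
        if servers:
            flagged[proto] = servers
    return flagged


def next_interval(current, attack_detected):
    """3 s while attacks are being detected, then +1 s per quiet window up to 10 s."""
    if attack_detected:
        return ATTACK_INTERVAL
    return min(DEFAULT_INTERVAL, current + 1)


def run(windows):
    """Process successive windows; return (set of IPs to block, interval schedule)."""
    blocklist, schedule, interval = set(), [], DEFAULT_INTERVAL
    for features in windows:
        flagged = detect(features)
        for ips in flagged.values():
            blocklist.update(ips)
        interval = next_interval(interval, bool(flagged))
        schedule.append(interval)
    return blocklist, schedule


# Constructed sequence: quiet, a legitimate burst, two attack windows, then quiet.
SAMPLE_WINDOWS = [
    {"dns": {"speed": 2.0, "ratio": 1.0, "servers": {"192.0.2.53": 1.0}}},
    {"dns": {"speed": 400.0, "ratio": 0.95, "servers": {"192.0.2.53": 0.95}}},  # busy but requested
    {"dns": {"speed": 350.0, "ratio": 0.006,
             "servers": {"192.0.2.53": 1.0, "198.51.100.7": 0.0}}},
    {"dns": {"speed": 340.0, "ratio": 0.01,
             "servers": {"192.0.2.53": 1.0, "198.51.100.7": 0.0, "203.0.113.9": 0.02}},
     "ntp": {"speed": 30.0, "ratio": 0.0, "servers": {"198.51.100.123": 0.0}}},
    {"dns": {"speed": 2.0, "ratio": 1.0, "servers": {"192.0.2.53": 1.0}}},
    {"dns": {"speed": 2.0, "ratio": 1.0, "servers": {"192.0.2.53": 1.0}}},
    {"dns": {"speed": 1.5, "ratio": 1.0, "servers": {"192.0.2.53": 1.0}}},
]

if __name__ == "__main__":
    blocked, schedule = run(SAMPLE_WINDOWS)
    print("block:", sorted(blocked))
    print("capture intervals:", schedule)
```

The second window shows why the ratio check matters: traffic is ten times above the speed threshold, but nearly every response answers a request the network sent, so nothing is flagged and the interval stays at 10 seconds. The two attack windows drop the interval to 3 seconds, and the three quiet windows that follow step it back to 4, 5 and 6 seconds.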
This method can be implemented easily on any network, with no significant changes: the monitoring can be done at a router or at a switch by port mirroring, and ACLs on the switch can also be used. Since the algorithm is not sophisticated, it does not need much computation power. Its limitation is that it blocks DNS servers, which affects Internet usage; a properly configured DNS server that is hardened against reflection attacks should be used to avoid this. The method can be employed in a small network to check its reliability; we have performed an experiment showing its efficiency.
Experimental Setup
The experiment was conducted in a virtual environment on a system with an Intel® Core™ i7-7700HQ CPU @ 2.80 GHz and 8 GB of RAM. The victim virtual machine runs Kali Linux.
Table 1 gives the average DNS request rate along with the attack rate. The attack was run for 1 minute, during which the victim received 358 DNS packets. Table 2 tabulates the requests made and responses received by the attacker and by the victim. 74.62.245.3 is the IP address of the DNS server used as reflector: all packets that originated from the attacker's IP were answered by this DNS server to the victim's IP address. The victim's system made 0 requests to that particular DNS server but still received a considerable number of response packets from it.
Table 1. Rate of packets.
Table 2. Request and response packets received by the attacker and victim.
As shown in Fig. 4, DNS traffic rose from around 2 packets per second to an average of 350 packets per second. This attack was launched by a single attacker; with a botnet, a far larger amount of traffic could be generated.

Fig. 4. DNS traffic during the attack.
We use detection time as the metric to validate the algorithm. The maximum time to detect an attack is 11 seconds and the minimum is 4 seconds, including capturing the packets, extracting the features, and identifying the IP address of the attack server; the exact value depends on when the attack begins relative to the start of a packet capture. After the first detection, new attacker IPs are detected faster, because the capture interval is reduced to 3 seconds, so new attack IPs can be detected within 4 seconds.
In Fig. 5, packet capture starts at second 0 and the attack server's IP is detected at second 11; the next capture had already started at second 10, while the previous capture was being processed.

Fig. 5. Attack detection cycle.
CPU usage was monitored during the experiment and is depicted in Fig. 6. During normal operation the program used little CPU; during the attack, processing all the packets arriving at the NIC together with running the detection script consumed noticeably more CPU.

Fig. 6. CPU usage.
Fig. 7 shows a screenshot of the DNS amplification attack detection script's output: the count of packets captured, the request/response ratio, and the IP addresses of the DNS servers used for the attack.

Fig. 7. Detection script output.
Similarly, an NTP attack can be launched against the system and detected with the same method; only the packet-capture command has to be changed, using NTP port 123 in place of the DNS port.
Conclusion
DRDoS attacks have become a commonly used way to attack an organization. In this paper we have provided a method to detect an attack that uses reflectors. Different attributes of the DNS traffic are observed and analyzed to verify an attack. The rate of traffic for a specific protocol determines whether to start the detection process, and the ratio of outgoing requests to incoming responses indicates whether the response packets were expected. By extracting the list of IP addresses from the responses and checking each one's ratio of outgoing to incoming traffic, we separate legitimate servers from attack servers, so that all attack servers can be identified within a few seconds. The limitation of this method is that DNS servers, which are essential for the functioning of the web, are blocked. In future work we will focus on preventing these attacks without blocking the servers, on detecting them with an Intrusion Detection System, and on DRDoS protection for attacks using other protocols.
