TY - GEN
T1 - Protecting DNS services from IP spoofing-SDN collaborative authentication approach
AU - Sahri, N. M.
AU - Okamura, Koji
PY - 2016/6/15
Y1 - 2016/6/15
N2 - As DNS packet are mostly UDP-based, make it as a perfect tool for hackers to launch a well-known type of distributed denial of service (DDoS). The purpose of this attack is to saturate the DNS server availability and resources. This type of attack usually utilizes a large number of botnet and perform spoofing on the IP address of the targeted victim. We take a different approach for IP spoofing detection and mitigation strategies to protect the DNS server by utilizing Software Defined Networking (SDN). In this paper, we present CAuth, a novel mechanism that autonomously block the spoofing query packet while authenticate the legitimate query. By manipulating Openflow control message, we design a collaborative approach between client and server network. Whenever a server controller receives query packet, it will send an authentication packet back to the client network and later the client controller also replies via authentication packet back to the server controller. The server controller will only forward the query to the DNS server if it receives the replied authentication packet from the client. From the evaluation, CAuth instantly manage to block spoofing query packet while authenticate the legitimate query as soon as the mechanism started. Most notably, our mechanism designed with no changes in existing DNS application and Openflow protocol.
AB - As DNS packet are mostly UDP-based, make it as a perfect tool for hackers to launch a well-known type of distributed denial of service (DDoS). The purpose of this attack is to saturate the DNS server availability and resources. This type of attack usually utilizes a large number of botnet and perform spoofing on the IP address of the targeted victim. We take a different approach for IP spoofing detection and mitigation strategies to protect the DNS server by utilizing Software Defined Networking (SDN). In this paper, we present CAuth, a novel mechanism that autonomously block the spoofing query packet while authenticate the legitimate query. By manipulating Openflow control message, we design a collaborative approach between client and server network. Whenever a server controller receives query packet, it will send an authentication packet back to the client network and later the client controller also replies via authentication packet back to the server controller. The server controller will only forward the query to the DNS server if it receives the replied authentication packet from the client. From the evaluation, CAuth instantly manage to block spoofing query packet while authenticate the legitimate query as soon as the mechanism started. Most notably, our mechanism designed with no changes in existing DNS application and Openflow protocol.
UR - http://www.scopus.com/inward/record.url?scp=84983086245&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84983086245&partnerID=8YFLogxK
U2 - 10.1145/2935663.2935666
DO - 10.1145/2935663.2935666
M3 - Conference contribution
AN - SCOPUS:84983086245
T3 - ACM International Conference Proceeding Series
SP - 83
EP - 89
BT - Proceedings of the 11th International Conference on Future Internet Technologies, CFI 2016
PB - Association for Computing Machinery
T2 - 11th International Conference on Future Internet Technologies, CFI 2016
Y2 - 15 June 2016 through 17 June 2016
ER -