講演抄録/キーワード |
講演名 |
2016-03-03 13:00
Collaborative Spoofing Detection and Mitigation - SDN based looping authentication for DNS services ○Nor Masri bin Sahri・Koji Okamura(Kyushu University) SITE2015-58 IA2015-90 |
抄録 |
(和) |
As DNS packet are mostly UDP-based, make it as a perfect platform for hackers to launch a well-known type of distributed denial of service (DDoS). The purpose of this attack is to saturate the DNS server availability and resources with ?unwanted? DNS query traffic. This type of attack utilizes a large number of botnet and usually perform spoofing on the IP address of the targeted victim. While it is difficult to identify which one is legitimate or attack traffic, we take a different approach for spoofing detection and mitigation strategies to protect the DNS server by utilizing Software Defined Networking (SDN). In this paper, we present CAuth, a novel mechanism that autonomously block the spoofing query packet while authenticate the legitimate query. By manipulating Openflow control message, we design a collaborative approach between client and server network. Whenever a server controller receives query packet, it will send an authentication packet back to the client network and later the client controller also reply via authentication packet back to the server controller. The server controller will only forward the query to the respective server if it receives the replied authentication packet from the client. Most notably, our mechanism designed with no changes in existing DNS application and Openflow protocol. From the evaluation, CAuth instantly manage to block 100% spoofing query packet as soon as the mechanism started. |
(英) |
As DNS packet are mostly UDP-based, make it as a perfect platform for hackers to launch a well-known type of distributed denial of service (DDoS). The purpose of this attack is to saturate the DNS server availability and resources with ?unwanted? DNS query traffic. This type of attack utilizes a large number of botnet and usually perform spoofing on the IP address of the targeted victim. While it is difficult to identify which one is legitimate or attack traffic, we take a different approach for spoofing detection and mitigation strategies to protect the DNS server by utilizing Software Defined Networking (SDN). In this paper, we present CAuth, a novel mechanism that autonomously block the spoofing query packet while authenticate the legitimate query. By manipulating Openflow control message, we design a collaborative approach between client and server network. Whenever a server controller receives query packet, it will send an authentication packet back to the client network and later the client controller also reply via authentication packet back to the server controller. The server controller will only forward the query to the respective server if it receives the replied authentication packet from the client. Most notably, our mechanism designed with no changes in existing DNS application and Openflow protocol. From the evaluation, CAuth instantly manage to block 100% spoofing query packet as soon as the mechanism started. |
キーワード |
(和) |
spoofing detection / dns flooding attack / authentication / network security / openflow / SDN / / |
(英) |
spoofing detection / dns flooding attack / authentication / network security / openflow / SDN / / |
文献情報 |
信学技報, vol. 115, no. 482, IA2015-90, pp. 55-60, 2016年3月. |
資料番号 |
IA2015-90 |
発行日 |
2016-02-25 (SITE, IA) |
ISSN |
Print edition: ISSN 0913-5685 Online edition: ISSN 2432-6380 |
著作権に ついて |
技術研究報告に掲載された論文の著作権は電子情報通信学会に帰属します.(許諾番号:10GA0019/12GB0052/13GB0056/17GB0034/18GB0034) |
PDFダウンロード |
SITE2015-58 IA2015-90 |
|