Mitigation of DNS Water Torture Attacks within the Data Plane via XDP-Based Naive Bayes Classifiers

Nikos Kostopoulos, Stavros Korentis, D. Kalogeras, B. Maglaris

2021 IEEE 10th International Conference on Cloud Networking (CloudNet), published 2021-11-08
DOI: 10.1109/CloudNet53349.2021.9657122 (https://doi.org/10.1109/CloudNet53349.2021.9657122)
Citations: 1

Abstract

Water Torture is a DDoS attack vector that exhausts the processing resources of victim Authoritative DNS Servers. By crafting DNS requests involving names that appear once and are unknown to the victim, attackers bypass the DNS caches of intermediary Recursive DNS Servers (Resolvers), hence forwarding the entire attack traffic to the victim. As a countermeasure, machine learning algorithms have been proposed to filter attack traffic on Resolvers.

Our proposed schema uses programmable data plane methods to implement efficient machine learning algorithms that differentiate between legitimate and DDoS attack traffic within cloud infrastructures. Specifically, we leverage XDP to implement data plane Naive Bayes Classifier inference and effectively mitigate Water Torture attacks within data center Resolvers. DNS requests regarded as invalid by the Naive Bayes Classifier are dropped within the Linux kernel before any resources are allocated to them, while valid ones are forwarded to the user space to be resolved.

Our schema was assessed via a proof of concept setup within a virtualized environment, with learning and testing performed via legitimate and malicious DNS data records with statistical properties consistent with datasets widely reported in the literature. Our experiments mainly focused on evaluating the filtering throughput of the proposed mitigation schema given the constraints imposed by XDP. We conclude that our XDP-based Naive Bayes Classifier significantly decreases the volume of attack traffic within the data plane, thus efficiently safeguarding Resolvers.
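To illustrate the drop-or-forward decision the abstract describes, here is an added example (not the paper's code) of Naive Bayes inference written the way a data plane program has to do it: integer log-probabilities, a bounded loop, and a bounds check before every read of the query name. The character-class features, the model values, the verdict names and the fail-open handling of malformed names are all assumptions made for this sketch; the abstract does not state the paper's features or parameters.

```c
#include <stdint.h>

/* Local verdict names; an XDP program returns XDP_DROP / XDP_PASS here. */
enum verdict { VERDICT_DROP, VERDICT_PASS };
enum { LEGIT, ATTACK, MAX_LABEL = 63 };

/* Constructed model: ln(p) * 1024 as integers, since eBPF has no floating
 * point. Columns: vowel, consonant, digit, other. */
static const int32_t LOG_PRIOR[2] = { -710, -710 };
static const int32_t LOG_LIK[2][4] = {
    {  -991, -612, -3068, -4006 },   /* LEGIT  */
    { -2021, -553, -1311, -4716 },   /* ATTACK */
};

/* Constructed wire-format QNAMEs; the literal's trailing NUL is the root label. */
static const uint8_t SAMPLE_LEGIT[]  = "\x04" "mail" "\x07" "example" "\x03" "com";
static const uint8_t SAMPLE_ATTACK[] = "\x08" "a8x3kq9z" "\x07" "example" "\x03" "com";

static int char_class(uint8_t ch)
{
    if (ch >= 'A' && ch <= 'Z') ch += 'a' - 'A';   /* names are case-insensitive */
    if (ch >= '0' && ch <= '9') return 2;
    if (ch < 'a' || ch > 'z') return 3;
    return (ch == 'a' || ch == 'e' || ch == 'i' || ch == 'o' || ch == 'u') ? 0 : 1;
}

/* Class score of one label: log prior + sum of per-character log likelihoods. */
int32_t nb_score(const uint8_t *label, uint8_t len, int cls)
{
    int32_t s = LOG_PRIOR[cls];
    for (int i = 0; i < MAX_LABEL && i < len; i++)   /* bounded loop */
        s += LOG_LIK[cls][char_class(label[i])];
    return s;
}

/* Classify the leftmost label of the QNAME held in [q, end). */
int classify_qname(const uint8_t *q, const uint8_t *end)
{
    if (q >= end || q[0] == 0 || q[0] > MAX_LABEL || q + 1 + q[0] > end)
        return VERDICT_PASS;   /* malformed or truncated: assumed fail-open */
    return nb_score(q + 1, q[0], ATTACK) > nb_score(q + 1, q[0], LEGIT)
               ? VERDICT_DROP : VERDICT_PASS;
}

int main(void)
{
    return classify_qname(SAMPLE_ATTACK, SAMPLE_ATTACK + sizeof SAMPLE_ATTACK)
               == VERDICT_DROP ? 0 : 1;
}
```

Because both class scores are sums of table lookups, the per-packet cost is linear in the label length and needs no division or floating point.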