Leveraging on the XDP Framework for the Efficient Mitigation of Water Torture Attacks within Authoritative DNS Servers

Abstract

In this paper we utilize XDP for DNS Deep Packet Inspection (DPI) in order to mitigate Water Torture attacks at the NIC driver level of Authoritative DNS Servers. Our approach may benefit DNS Administrators who wish to filter attack traffic within their DNS infrastructure and avoid the latency overhead and additional costs imposed by external cloud scrubbing services. Our schema does not depend on specialized hardware and does not blacklist entire domain name suffices, hence does not block legitimate requests. Packets are intercepted by XDP that identifies messages of DNS requests for further processing. Requested names are extracted from the message payload and categorized based on their validity. Valid names are forwarded to the user space to be resolved, whilst invalid ones are dropped within the Linux kernel at an early stage without downgrading the DNS service. Names are classified using Bloom Filters that map DNS zone contents in a memory efficient manner. These probabilistic data structures are free of false negatives and therefore valid DNS requests are never dropped. We provide a proof of concept setup to test our schema under a DDoS attack scenario and assess how mitigation performance is affected by DPI on DNS requests. Our experiments verify that using XDP significantly increases the throughput of valid DNS responses compared to user space alternatives. In conclusion, XDP emerges as a promising solution for the mitigation of Water Torture attacks against DNS servers.