Federal State Autonomous Educational Institution of Higher Education
"Samara National Research University named after Academician S.P. Korolev"
Scientists of Samara University Have Developed an Efficient Way of Protecting Against Hacker Attacks



Scientists from Sevastopol and the USA also participated in developing the electronic “shield”

10.08.2023 2023-08-30
Scientists of Samara University, together with colleagues from Sevastopol State University and the University of Missouri (Columbia, USA), have developed an efficient way of protecting against hacker attacks. The method significantly improves the protection of Internet sites against so-called DDoS attacks with DNS amplification, currently one of the most popular types of attack, which leaves websites and the internal networks of companies and organizations temporarily inaccessible to users.

The scientists’ development is distinguished by its original approach, the speed with which protection is activated automatically, and an almost 100 % impenetrability of the “armor”, which significantly exceeds the performance of similar software on the market. Details of the Samara electronic “shield” are set out in an article published in the authoritative international Journal of Communications and Information Networks.

In a very simplified form, a typical DDoS attack with DNS amplification can be compared to throwing snowballs. A hacker surreptitiously throws a snowball (a data packet with a request) at the back of a burly athlete (the DNS server). The athlete turns around, puzzled, and the hacker assures him, “It wasn’t me who threw it, it was him”, pointing to a passerby whom the hacker has chosen as his victim, having decided to use the athlete’s strength (DNS amplification) for the attack.

The point is that in the virtual world each such “snowball” is signed: it carries something like the signature of whoever made and threw it. The hacker forges the passerby’s signature on his snowball; the athlete sees that, judging by the signature, the passerby threw it, and in response brings down on the innocent person (the victim website) a huge block of snow weighing tens of times more than the snowball the hacker threw. As a result, the passerby is buried in snow, stunned and practically senseless.

Now imagine that the scene is repeated thousands or millions of times and lasts for hours or a whole day and night. The “stunned” website chosen as the victim becomes inaccessible to users. Buyers, for example, cannot enter an online store and go to its competitors, a bank cannot receive payments, site users are left without the information they need, and so on: DDoS attacks result in continuous losses and problems. According to open sources, in 2022 the intensity of DDoS attacks worldwide increased tenfold compared to the previous year, and the number of attacks on Runet increased by 700 %.

“Distributed Denial of Service (DDoS) attacks with Domain Name System (DNS) amplification are one of the popular types of intrusion that involve attackers accessing DNS servers on behalf of the victim. The size of the DNS server response is many times larger than that of the received request, i.e. the attacked server is literally flooded with huge data packets, and it stops working. We have presented an original method of countering DDoS attacks with DNS amplification. The novelty of the approach is that we propose to analyze not the incoming traffic, as usual, but the outgoing traffic from the victim server. DNS servers used by hackers for such attacks can be easily and automatically identified and blocked by the ICMP packet headers that the server under attack starts sending”, said Andrey Sukhov, Professor of the Department of Supercomputers and General Informatics of Samara University, one of the authors of the development.

Once under attack, the victim server begins to throw small special “snowballs” back at the DNS server: ICMP (Internet Control Message Protocol) packets, and it is these that the protection system proposed by the Samara scientists analyzes. Instead of trying to analyze all traffic, including the large “snow blocks” that overwhelm the server and drain its last strength and resources, the protection system quickly determines from the headers of the small outgoing packets which DNS server the attack is being conducted from and temporarily blocks its addresses: the thrown blocks no longer hit the passerby, and the attacked website keeps working.

“DNS servers used for amplification attacks are easily detected by the ICMP packet headers (type 3, code 3) of outgoing traffic. Packets of this type are generated when the closed ports of the victim server are accessed. To prevent these attacks, we used a Linux utility and the software-defined network (SDN) module that we had previously developed for protection against port scanning. In testing, the Linux utility showed the highest protection efficiency, equal to 99.8 %, i.e. only two attack packets out of one thousand sent reached the attacked server”, said Samara Mayhub, Associate Professor of the Department of Supercomputers and General Informatics of Samara University.
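As an added illustration of the detection idea described above (this is not the researchers’ Linux utility or SDN module), the following Python inspects constructed outbound packets from the victim, keeps only ICMP type 3 / code 3 messages whose quoted datagram arrived from UDP port 53, and counts them per reflector. The victim and reflector addresses, the threshold, and the sample capture are assumptions.

```python
import struct
from collections import Counter

ICMP_UNREACH, CODE_PORT, PROTO_ICMP, PROTO_UDP, DNS_PORT = 3, 3, 1, 17, 53

def ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def build_ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left zero, which is fine for constructed samples.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip4(src), ip4(dst))
    return hdr + payload

def build_port_unreachable(victim, reflector, sport, dport):
    # What the victim emits when an amplified reply hits a closed UDP port: ICMP type 3 / code 3
    # whose body quotes the offending IP header plus the first 8 bytes of its UDP header.
    offending = build_ipv4(reflector, victim, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))
    icmp = struct.pack("!BBHI", ICMP_UNREACH, CODE_PORT, 0, 0) + offending[:28]
    return build_ipv4(victim, reflector, PROTO_ICMP, icmp)

def reflector_of(pkt):
    """Return the reflector's address if pkt is an outbound ICMP port-unreachable
    answering a datagram that came from UDP port 53; otherwise None."""
    if len(pkt) < 56 or pkt[9] != PROTO_ICMP:            # 20 IP + 8 ICMP + 20 IP + 8 UDP
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if icmp[:2] != bytes([ICMP_UNREACH, CODE_PORT]):
        return None
    inner = icmp[8:]                                      # quoted offending datagram
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != PROTO_UDP or len(inner) < ihl + 2:
        return None
    if struct.unpack("!H", inner[ihl:ihl + 2])[0] != DNS_PORT:
        return None
    if inner[12:16] != pkt[16:20]:                        # quoted source must be the ICMP target
        return None
    return ".".join(str(b) for b in inner[12:16])

def find_reflectors(packets, threshold):
    """Reflectors seen at least `threshold` times: candidates for a temporary block."""
    counts = Counter(r for r in map(reflector_of, packets) if r)
    return {ip for ip, n in counts.items() if n >= threshold}

# Constructed outbound capture from victim 203.0.113.10 (documentation addresses).
VICTIM = "203.0.113.10"
SAMPLE = ([build_port_unreachable(VICTIM, "198.51.100.5", 53, 40000 + i) for i in range(5)]
          + [build_port_unreachable(VICTIM, "198.51.100.9", 53, 41000)]      # one stray reply
          + [build_port_unreachable(VICTIM, "198.51.100.7", 123, 42000)]     # not DNS (port 123)
          + [build_ipv4(VICTIM, "198.51.100.5", PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1))])

if __name__ == "__main__":
    print(find_reflectors(SAMPLE, 3))  # {'198.51.100.5'}
```

The same parse works for other UDP amplifiers by changing the port test, which is why the approach generalizes beyond DNS.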

For testing, a computer test bed was created in which a special software program, the Saddam utility, attacked the victim server using a DNS server to amplify its requests. The traffic collected on the attacked server was used to analyze every aspect of countering the attack.

“The test results have demonstrated that the software we have developed can be used for practical purposes not only to protect servers from any amplified DDoS attacks, but also to counter any attack, during which port scanning occurs”, said Andrey Sukhov.
 
For reference

DNS (Domain Name System) servers are servers on the Internet that link a website’s name to its numeric address. A DNS server can be compared to a phone book or a list of contacts: before reaching the site you need, your computer first sends a request to the DNS server.