Protecting against DNS Reflection Attacks with Bloom Filters

  • Sebastiano Di Paola
  • Dario Lombardo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


The DNS protocol has drawn the attention of the security community because of its lack of built-in security and because of the flaws found in it over the last few years. On the Internet, reflection/amplification is the most common and most damaging DNS attack, and defending against it has traditionally required very powerful and expensive hardware. In this paper we propose a robust countermeasure against this class of threats based on Bloom filters. The proposed method is fast and modest in its resource requirements, and it has a very low error rate, blocking 99.9% of attack packets. The mechanism has been implemented within a Telecom Italia S.p.A. project named jdshape, built on the Juniper Networks® SDK.
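The abstract does not say how the Bloom filter is keyed or where jdshape sits in the packet path, so the following is an added illustration, not the authors' code: outbound DNS queries leaving a protected network are recorded in a Bloom filter, and inbound DNS responses are forwarded only if they match a recorded query, which is what stops reflected responses that nobody asked for. The matching tuple (client IP, client port, transaction ID, query name), the standard sizing formulae, the double-hashing scheme and the two-generation rotation used to expire old entries are all assumptions of this example, and the sample traffic is constructed.

```python
"""Added illustration: gating DNS responses with a Bloom filter of recent queries."""
import hashlib
import math


class BloomFilter:
    """Plain Bloom filter: m bits, k positions per key derived by double hashing."""

    def __init__(self, m_bits, k_hashes):
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray((m_bits + 7) // 8)
        self.inserted = 0

    @classmethod
    def for_capacity(cls, n_items, target_fp):
        # Standard sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m/n) ln 2 hashes.
        m = math.ceil(-n_items * math.log(target_fp) / (math.log(2) ** 2))
        k = max(1, round(m / n_items * math.log(2)))
        return cls(m, k)

    def _positions(self, key):
        # h_i = h1 + i*h2 (mod m): k positions from a single SHA-256, h2 forced odd.
        digest = hashlib.sha256(key).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, key):
        for pos in self._positions(key):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.inserted += 1

    def __contains__(self, key):
        return all((self.bits[pos >> 3] >> (pos & 7)) & 1 for pos in self._positions(key))

    def expected_fp_rate(self):
        # Classic approximation (1 - e^{-kn/m})^k of the false-positive probability.
        return (1 - math.exp(-self.k * self.inserted / self.m)) ** self.k


def flow_key(client_ip, client_port, txid, qname):
    # Assumed matching tuple: a response is "solicited" only if the same host, port,
    # transaction ID and question name were seen in an outbound query.
    return f"{client_ip}|{client_port}|{txid}|{qname.lower()}".encode()


class ResponseGate:
    """Two filter generations so recorded queries expire without needing deletion:
    queries go into 'current'; responses are checked against 'current' and 'previous'."""

    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.current = BloomFilter(m_bits, k_hashes)
        self.previous = BloomFilter(m_bits, k_hashes)

    def rotate(self):
        # Called once per time window; entries survive exactly one more window.
        self.previous, self.current = self.current, BloomFilter(self.m, self.k)

    def saw_query(self, client_ip, client_port, txid, qname):
        self.current.add(flow_key(client_ip, client_port, txid, qname))

    def allow_response(self, dst_ip, dst_port, txid, qname):
        key = flow_key(dst_ip, dst_port, txid, qname)
        return key in self.current or key in self.previous


def filter_responses(queries, responses, m_bits=1 << 16, k_hashes=7):
    """Record outbound queries, then split inbound responses into (passed, dropped)."""
    gate = ResponseGate(m_bits, k_hashes)
    for q in queries:
        gate.saw_query(*q)
    passed, dropped = [], []
    for r in responses:
        (passed if gate.allow_response(*r) else dropped).append(r)
    return passed, dropped


# Constructed sample traffic (not from the paper).
SAMPLE_QUERIES = [  # (client_ip, client_port, txid, qname) seen leaving the network
    ("192.0.2.10", 40001, 0x1A2B, "example.com."),
    ("192.0.2.10", 40002, 0x3C4D, "example.net."),
    ("192.0.2.11", 51234, 0x5E6F, "example.org."),
]
SAMPLE_RESPONSES = [  # (dst_ip, dst_port, txid, qname) seen entering the network
    ("192.0.2.10", 40001, 0x1A2B, "example.com."),  # legitimate answer
    ("192.0.2.11", 51234, 0x5E6F, "example.org."),  # legitimate answer
    ("192.0.2.10", 53, 0x0001, "example.com."),     # reflected: never asked
    ("192.0.2.10", 53, 0x0002, "example.com."),     # reflected: never asked
    ("192.0.2.11", 40001, 0x1A2B, "example.com."),  # right ID and port, wrong host
]

if __name__ == "__main__":
    ok, bad = filter_responses(SAMPLE_QUERIES, SAMPLE_RESPONSES)
    print(f"passed {len(ok)}, dropped {len(bad)}")
```

The filter only ever says "maybe seen" or "definitely not seen", so a false positive lets an unsolicited response through while a legitimate response is never dropped; the sizing helper shows how many bits and hashes keep that rate at a chosen level for an expected query volume, and the rotation keeps the filter from filling up, which would otherwise drive the false-positive rate toward 1.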







Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sebastiano Di Paola (1)
  • Dario Lombardo (1)
  1. Telecom Italia S.p.A., Torino, Italy
