Mitigating DNS Amplification Attacks Using a Set of Geographically Distributed SDN Routers

Abstract

Large DNS amplification attacks which overwhelm the victim's network bandwidth are a serious problem. In this paper, we propose a solution which can protect networks from these large DNS amplification attacks. The solution involves a set of geographically distributed routers, called a Barrier of Routers (BoR). Networks which want to protect themselves will route all their incoming and outgoing traffic through this barrier. The barrier scans all incoming traffic, drops attack traffic and sends the rest to the intended recipient. For some type of attacks, like DNS amplification attack, the barrier can mitigate attack traffic with almost full accuracy under the stated achievable assumptions. Therefore, the number of attack packets reaching the victim is negligible.