Mitigating DNS Amplification Attacks at the DNS Server: Using BGP AS Paths and Ingress Filtering

Christian Bassey 1, *, Francis Jeremiah 1, Rustem Iuzlibaev 1, Opeyemi Oloruntola 2 and Success Imakuh 3

1 Department of Security and Network Engineering, Innopolis University, Innopolis, Russia.
2 School of Computing and Mathematical Sciences, University of Greenwich, London, U.K.
3 Department of Computing, Teesside University, Middlesbrough, U.K.
Research Article
World Journal of Advanced Research and Reviews, 2024, 22(03), 331–335
Article DOI: 10.30574/wjarr.2024.22.3.1716
Publication history: 
Received on 27 April 2024; revised on 03 June 2024; accepted on 05 June 2024
These days, quite a large number of application servers are being considered to be easily spoofed. Even though technologies like DNSSec, DNS over HTTPS/TLS, and DNSCurve have always been suitable for this type of problem, many developers need help to exercise the complete chain of trust. Implementing the mentioned protocols might be a matter of time, inexperience, or impossibility. In this paper, some workarounds that rely on BGP Autonomous System numbers (AS) are shown, and protocols therein are described by way of Unicast Reverse Path Forwarding (uRPF), its benefits and drawbacks from an analytical standpoint, as well as the primary flow to defend end systems, are presented. Our approach focuses on filtering malicious traffic closer to the source by identifying anomalies in BGP AS path information. The methodology is implemented and tested using Snort as an Intrusion Detection System (IDS) to capture and analyze DNS request patterns, then MikroTik router configurations are used for strict uRPF and ingress filtering, demonstrating the practical application of this solution proposed solution in real-world network environments.
BGP; Security; Spoofing; DNS; Ddos; Ingress Filtering; Urpf; Network Security; Autonomous Systems.
Full text article in PDF: 
Share this