HELP4DNS: Leveraging the programmable data plane for effective and robust defense against DDoS attacks on DNS
Date: 2025-08-01
Authors: Şahin, Mehmet Emin; Demirci, Mehmet
License: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
DNS is a critical component of the Internet infrastructure, and securing it has been an active research domain, with particular emphasis on countering DDoS attacks. With the rise of programmable data planes, novel defensive strategies that take advantage of their flexibility and line-rate packet processing have been developed against a range of DDoS attacks. This study proposes two novel methodologies against DNS flood and DNS amplification attacks, implemented in the programmable data plane using P4. The first approach mitigates DNS query flood attacks by constraining the number of concurrently active queries per client, so that clients generating a high volume of requests are held to predetermined limits. The per-client concurrency limit is enforced with a modified token bucket algorithm operating on an updatable Bloom filter that tracks outstanding DNS queries. This rate limits malicious client requests, prevents server overload, and shields benign users from the resulting disruptions. The second method is a DNS firewall implemented on a P4 switch on the victim's side to prevent DNS amplification attacks. The firewall uses an updatable Bloom filter on the P4 switch to process DNS queries statefully at the application layer, and it additionally tracks, statefully, the fragmented DNS responses that result from the Extension Mechanisms for DNS (EDNS). While IP fragmentation occurs at the IP layer, the proposed approach achieves stateful tracking of fragmented DNS responses at the application layer. In this manner, of the DNS responses received at the victim, only those corresponding to legitimate requests are forwarded, while responses stemming from DNS amplification attacks are blocked. Evaluation results demonstrate that the proposed approach effectively blocks high-volume DNS amplification attack packets with minimal memory space requirements.
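The two mechanisms the abstract describes, modelled in Python as an added example (an editor's illustration, not the authors' P4 code and not a reproduction of their design details): a counting Bloom filter stands in for the updatable Bloom filter, the per-client concurrency limit is a token bucket held in a hash-indexed register array, and the victim-side firewall admits only responses that answer a recorded query, extending that admission to the later IP fragments of an answer whose first fragment was accepted. The key layout, hash construction, filter sizes, concurrency limit, the rule that a matching response returns a token, and the sample packets (constructed, not captured) are all assumptions of this example, not values from the paper.

```python
# Python model of the two data-plane mechanisms in the abstract. Editor's example, not the
# authors' P4 code: key layout, hashes, sizes, limits, token refund and traffic are assumed.
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:   # header fields of a DNS-over-UDP packet or IP fragment as seen by the switch
    src: str
    dst: str
    txid: int = 0        # DNS transaction ID, parseable only when offset == 0
    qname: str = ""      # question name, parseable only when offset == 0
    ip_id: int = 0       # IP Identification, shared by all fragments of a datagram
    offset: int = 0      # IP fragment offset; 0 for the first or only fragment
    more: bool = False   # IP "more fragments" flag

def h32(data: bytes, salt: int = 0) -> int:
    """32-bit hash; distinct salts give a Bloom filter its independent hashes."""
    return int.from_bytes(hashlib.blake2b(data, digest_size=4, salt=bytes([salt])).digest(), "big")

class CountingBloom:
    """Updatable Bloom filter: counters instead of bits, so entries can be deleted."""
    def __init__(self, m: int = 4096, k: int = 3):
        self.m, self.k, self.counters = m, k, [0] * m
    def _idx(self, key: bytes):
        return [h32(key, i) % self.m for i in range(self.k)]
    def insert(self, key: bytes) -> None:
        for i in self._idx(key): self.counters[i] += 1
    def contains(self, key: bytes) -> bool:
        return all(self.counters[i] > 0 for i in self._idx(key))
    def remove(self, key: bytes) -> bool:   # False if the key is not present
        if not self.contains(key): return False
        for i in self._idx(key): self.counters[i] -= 1
        return True

def qkey(client: str, server: str, txid: int, qname: str) -> bytes:
    """Identity of one outstanding query (assumed key layout)."""
    return f"{client}|{server}|{txid}|{qname.lower()}".encode()

class QueryLimiter:
    """Mechanism 1 (in front of the server): cap unanswered queries per client. Tokens sit
    in a register array indexed by a hash of the client address, as a P4 register would be;
    outstanding queries sit in the filter so a matching response can return the token."""
    def __init__(self, max_active: int = 4, slots: int = 1024):
        self.max_active, self.slots = max_active, slots
        self.tokens, self.pending = [max_active] * slots, CountingBloom()
    def on_query(self, p: Pkt) -> str:
        s = h32(p.src.encode()) % self.slots
        if self.tokens[s] == 0:          # client already at its concurrency limit
            return "DROP"
        self.tokens[s] -= 1
        self.pending.insert(qkey(p.src, p.dst, p.txid, p.qname))
        return "FORWARD"
    def on_response(self, p: Pkt) -> str:
        if self.pending.remove(qkey(p.dst, p.src, p.txid, p.qname)):
            s = h32(p.dst.encode()) % self.slots
            self.tokens[s] = min(self.max_active, self.tokens[s] + 1)
        return "FORWARD"                 # the server's own answers always pass

class ResponseFirewall:
    """Mechanism 2 (victim side): record each outbound query and admit only responses that
    answer one. A fragmented (EDNS0-sized) answer is admitted piecewise: the first fragment
    carries the DNS header and is checked normally; later ones match on (source, IP ID)."""
    def __init__(self):
        self.pending = CountingBloom()   # outstanding queries
        self.frags = CountingBloom()     # (source, IP ID) of admitted fragmented answers
    def on_query(self, p: Pkt) -> str:
        self.pending.insert(qkey(p.src, p.dst, p.txid, p.qname))
        return "FORWARD"
    def on_response(self, p: Pkt) -> str:
        fk = f"{p.src}|{p.ip_id}".encode()
        if p.offset > 0:                 # non-first fragment: no DNS fields to check
            if not self.frags.contains(fk):
                return "DROP"
            if not p.more:               # last fragment closes the flow
                self.frags.remove(fk)
            return "FORWARD"
        if not self.pending.remove(qkey(p.dst, p.src, p.txid, p.qname)):
            return "DROP"                # unsolicited: reflected/amplified traffic
        if p.more:                       # first fragment of a fragmented answer
            self.frags.insert(fk)
        return "FORWARD"

def simulate():
    """Constructed traffic (sample data, not a capture); returns both verdict lists."""
    lim = QueryLimiter(max_active=2)
    q = lambda i: Pkt("10.0.0.5", "198.51.100.1", txid=i, qname="example.com.")
    limiter = [lim.on_query(q(1)), lim.on_query(q(2)), lim.on_query(q(3))]
    lim.on_response(Pkt("198.51.100.1", "10.0.0.5", txid=1, qname="example.com."))
    limiter.append(lim.on_query(q(4)))   # token handed back by the answer to txid 1
    fw, v, r = ResponseFirewall(), "203.0.113.9", "198.51.100.1"
    fw.on_query(Pkt(v, r, txid=7, qname="big.example."))
    firewall = [
        fw.on_response(Pkt(r, v, txid=7, qname="big.example.", ip_id=42, more=True)),
        fw.on_response(Pkt(r, v, ip_id=43, offset=1480)),            # stray fragment
        fw.on_response(Pkt(r, v, ip_id=42, offset=1480)),            # last fragment
        fw.on_response(Pkt(r, v, txid=7, qname="big.example.")),     # replayed answer
        fw.on_response(Pkt("192.0.2.1", v, txid=99, qname="isc.org.")),  # reflected
    ]
    return limiter, firewall
```

Running `simulate()` yields `(['FORWARD', 'FORWARD', 'DROP', 'FORWARD'], ['FORWARD', 'DROP', 'FORWARD', 'DROP', 'DROP'])`: the third query exceeds the client's budget until an answer returns a token, and at the victim only the answer to a recorded query and the remaining fragments of that same answer pass. Two caveats a deployment has to handle that the model leaves out: entries need ageing (a query that is never answered must eventually release its token and its filter entry), and both the hash-indexed token slots and the Bloom filter trade accuracy for memory, so two clients can share a budget and an unsolicited response can slip through with a small, tunable false-positive probability.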
URI: https://hdl.handle.net/11511/114805
Journal: Journal of Network and Computer Applications
DOI: https://doi.org/10.1016/j.jnca.2025.104198
Collections: Department of Computer Engineering, Article
Citation (IEEE): M. E. Şahin and M. Demirci, "HELP4DNS: Leveraging the programmable data plane for effective and robust defense against DDoS attacks on DNS," Journal of Network and Computer Applications, vol. 240, 2025. [Online]. Available: https://hdl.handle.net/11511/114805