System Design Security in distributed systems

Dhanya Krishnan
2 min read · May 22, 2024


Here I would like to discuss the basic security issues we need to understand while designing a distributed system.

DDoS Attack — Denial of service attack at the application layer (Layer 7)

An application-layer DDoS targets the part of the service that handles HTTP GET and HTTP POST calls, exhausting it so that legitimate traffic is denied service.

DNS Amplification — Network layer — Layer 4

DNS Amplification consumes network resources as well as server resources.

The attacker chooses open DNS servers and a target server. The attacker spoofs the source IP address to appear as the target IP, because the DNS resolver sends its response to whatever source address the query carries, i.e. to the target. The attacker requests large responses from DNS using ‘ANY’ queries: for example, a 40 byte query can generate a 4000 byte response, and the attacker sends numerous such queries to overwhelm and flood the target server.

Mitigation Strategies

To defend against DNS amplification attacks, both service providers and network administrators can implement several measures:

  1. Secure DNS Configurations: Configure DNS resolvers to reject queries from unauthorized IP addresses. This involves restricting recursive queries to known and trusted networks.
  2. Limit Response Size: Disable or limit the response size for DNS “ANY” queries.
  3. Use of Rate Limiting: Implement rate limiting on DNS servers to control the volume of responses they can generate.
  4. Source IP Validation: Employ network ingress and egress filtering to prevent IP address spoofing using techniques such as BCP 38 (Best Current Practice 38), which ensures that outgoing packets have a source IP address matching the network from which they originate.
  5. Deployment of DDoS Mitigation Services: Use cloud-based or on-premises DDoS protection services to detect and mitigate large-scale traffic floods.
  6. Monitoring and Incident Response: Continuously monitor network traffic for unusual patterns that may indicate an ongoing attack. Have an incident response plan in place to quickly react to and mitigate attacks.
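The following is an added example (not from the original post) showing how a defender can apply items 1, 3 and 4 above and spot the 40-byte-query / 4000-byte-response pattern in resolver logs. The log format, the threshold values and the prefix lists are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log lines (assumed format): client_ip qtype query_bytes response_bytes
SAMPLE_LOG = """\
203.0.113.10 ANY 40 4000
203.0.113.10 ANY 40 3900
198.51.100.7 A 45 120
203.0.113.10 ANY 40 4100
"""

AMPLIFICATION_THRESHOLD = 20   # assumed: flag responses this many times larger than the query
PER_CLIENT_BUDGET = 8000       # assumed: response bytes allowed per client in the log window


def parse_log(text):
    """Parse the constructed log into (client_ip, qtype, query_len, response_len) tuples."""
    records = []
    for line in text.splitlines():
        ip, qtype, qlen, rlen = line.split()
        records.append((ip, qtype, int(qlen), int(rlen)))
    return records


def amplification_report(records):
    """Monitoring: list queries whose response dwarfs the query (e.g. 40 -> 4000 bytes)."""
    report = []
    for ip, qtype, qlen, rlen in records:
        factor = rlen / qlen
        if factor >= AMPLIFICATION_THRESHOLD:
            report.append((ip, qtype, round(factor, 1)))
    return report


def rate_limited_clients(records):
    """Rate limiting: clients whose cumulative response bytes exceed the per-client budget."""
    sent = defaultdict(int)
    limited = set()
    for ip, _, _, rlen in records:
        sent[ip] += rlen
        if sent[ip] > PER_CLIENT_BUDGET:
            limited.add(ip)
    return sorted(limited)


def in_any_prefix(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def allow_recursion(client_ip, trusted_nets):
    """Secure configuration: only trusted networks may send recursive queries."""
    return in_any_prefix(client_ip, trusted_nets)


def bcp38_egress_ok(src_ip, local_prefixes):
    """BCP 38: an outgoing packet must carry a source address from our own prefixes."""
    return in_any_prefix(src_ip, local_prefixes)
```

Run over real resolver logs, the same three checks give an operator a recursion ACL, a per-client response budget and a spoofed-source egress filter.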

Dhanya Krishnan

Software Engineer passionate about distributed system design, scalability & latency. Always reading the next research on distributed systems !!