A Speculation on DNS DDOS

Slides:



Advertisements
Similar presentations
Review iClickers. Ch 1: The Importance of DNS Security.
Advertisements

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
Domain Name Services Oakton Community College CIS 238.
Module 3 DNS Types.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
IIT Indore © Neminath Hubballi
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.
Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
What if Everyone Did It? Geoff Huston APNIC Labs.
Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
DNS Domain Name System By Alexandros Zampas B101 Coursework The Technology Context.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
Andrew Lahiff HEP SYSMAN June 2016 Hiding infrastructure problems from users: load balancers at the RAL Tier-1 1.
© 2014 ISC Tales of the unexpected - handling unusual DNS client behaviour UKNOF29 – Cathy Almond, ISC.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Scaling the Network: Subnetting and Protocols
High performance recursive DNS solution
Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir. A.C. Verschueren Eindhoven University of Technology Section of Digital.
Geoff Huston APNIC March 2017
Chapter 25 Domain Name System.
DNSSEC Deployment Challenges
Geoff Huston APNIC Labs
Geoff Huston APNIC Labs
Distributed Denial of Service (DDoS) Attacks
Practical Censorship Evasion Leveraging Content Delivery Networks
Teemu Savolainen (Nokia) MIF WG IETF#75 28-July-2009
Written by : Thomas Ristenpart, Eran Tromer, Hovav Shacham,
Geoff Huston APNIC Labs September 2017
Filtering Spoofed Packets
Geoff Huston APNIC Labs
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
DNS Cache Poisoning Attack
CPS 512 midterm exam #1, 10/5/17 Your name please: NetID:_______ Sign for your honor:____________________________.
A Speculation on DNS DDOS
DNS security.
DNS-Based DDoS Evolving Threat UKNOF Sept 2015 Manchester, UK
Joao Damas, Geoff Labs March 2018
Net 323 D: Networks Protocols
Chapter 19 Domain Name System (DNS)
Subject Name: Computer Communication Networks Subject Code: 10EC71
How to resolve the not working issue of Yahoo mail?
Geoff Huston, Joao Damas APNIC Roy Arends ICANN
CS4622: Computer Networking
Lecture 28: Virtual Memory-Address Translation
D* (DNS, and DNSSEC and DDOS)
TCP/IP Networking An Example
Re-Engineering the Root of the DNS
Measuring KSK Roll Readiness
Memory Organization.
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
COMPUTER NETWORKS PRESENTATION
EE 122: Lecture 22 (Overlay Networks)
APNIC’s Engagement on Security
An Engineering Approach to Computer Networking
IPv6 Reliability Measurements
What part of “NO” is so hard for the DNS to understand?
Distributed Denial of Service (DDoS) Attacks
The Resolvers We Use Geoff Huston APNIC.
Presentation transcript:

A Speculation on DNS DDOS Some thoughts about for Geoff Huston APNIC

What we know… Well – guess - from the snippets that have been released… It was a Mirai attack It used a compromised device collection It used a range of attack vectors TCP SYN, TCP ACK, GRE, … One of these was DNS

DDOS Attacks Are nothing new – unfortunately And our response is often responding like for like Build bunkers of bandwidth and processing capacity that can absorb the attacks And leave the undefended open space as toxic wasteland! But using the DNS for attacks opens some new possibilities…

What we guess about the DNS attack The attack queries looked like queries that are often seen at authoritative name servers So front end pattern matching and filtering may not work It loaded the authoritative servers with legitimate queries So its likely it was <random>.target queries to defeat caches and simple filters Just like Chrome!

The victim set Authoritative DNS name servers for the attacked domain names Because the <random> name form will defeat the recursive resolver caching function and the query is passed to the auth name server to resolve The result is that the name will fade out once recursive resolvers’ cache entries expire, and they cannot refresh

Possible Mitigations – 1 ”A Bigger Gun” More Foo Add more authoritative name servers Add more bandwidth to authoritative name servers Add more CPU and memory to authoritative name servers i.e. more ”foo” and try and absorb the attack at the authoritative name server infrastructure

Possible Mitigations - 2 Longer TTLs: Low TTL’s make you more vulnerable because recursives need to refer to authoritatives more frequently With a longer TTL, the attack will still happen, but the legit recursives may not get a cache expiry so quickly The recursive resolvers will still serve cached names from their cache even when the authoritative name server is offline Attackers will need to attack for longer intervals to cause widespread visible damage But.. Nobody likes to cement their DNS with long TTLs And recursive resolvers won’t honor longer TTLs anyway!

Possible Mitigations – 3 Filter queries: Try to get a fix on the <random> name component in the queries Set of a front end query filter and block these But This is just tail chasing!

Possible Mitigations - 4 What if the devices are passing the queries directly to the authoritative name servers? Filter IP addresses!

All resolvers might be equal, but some resolvers are more equal than others! 8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

Possible Mitigations - 4 “Filter Filter Filter” (IP sources) Only 8,000 discrete IP addresses account for more than 90% of the users’ DNS queries These are the main recursive resolvers used by most of the internet – answer them! Put all other source IP address queries on a lower priority resolution path within the authoritative name server Divide queriers into “Friends” and “Strangers”: Just like SMTP!

Possible Mitigations - 5 What if the devices are passing the queries via recursive resolvers?

Possible Mitigations - 5 Get assistance! (Yes, I’m dreaming, but it’s a Good Dream!) Use DNSSEC and apply NSEC Aggressive caching The attack will generate NXDOMAIN answers So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly This can be done with the combination of DNSSEC and NSEC signing, using the NSEC span response to then respond to further queries within the span without reference to the authoritative servers This means that the recursive system absorbs the attack and does not refer the queries back to the authoritatives

If only… Piecemeal solutions deployed in a piecemeal fashion will see attackers pick off the vulnerable again and again And the long term answer is not bigger walls, as the IoT volumes will always be higher We need to think again how to leverage the existing DNS resolution infrastructure to be more resilient And for that we probably need to talk about this openly and constructively and see if we can be smarter and make a more resilient DNS infrastructure And for that we probably need to talk about the DNS and DNSSEC and how it works, and how it can work for us

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.