DNS Operation And Security Protection 2016/06
Who am I: Mike, CNNIC Planning Engineer. Responsible for DNS project planning and operational reliability. Email: zhangmingkai@cnnic.cn

Contents
- The Operating Status of CNNIC
- Security Monitoring Platform
- DNS Security
- Operation and Security Protection
- Future
1. The Operation Status of CNNIC
The architecture:
- Three centers in two places (CNNIC data center, Yizhuang data center and Chengdu data center)
- Supports IPv6 and DNSSEC
- 30+ global/local service nodes
- BGP + IP Anycast for prefix announcement
Services:
- Root instances (F, I, J, L)
- TLDs (.CN, .中国, .公司, .网络)
- SLDs (cnnic.cn, com.cn, ...)
- Recursive service (1.2.4.8 and 210.2.4.8)
- 60+ monitoring nodes for security and reliability monitoring (11 overseas nodes, 21 domestic nodes)
- The platform suffers roughly 50-100 attacks per year; the highest recorded attack reached 1.6 million qps
Number of Domain Names:
- .cn (ASCII): >17.4 million
- Chinese .cn (中文.cn): >2.2 million
- .中国: >500 thousand
- .公司: >65 thousand
- .网络: >46 thousand
- Query volume: 8 billion+ queries per day (QPD)

Operations workload:
- More than 300 online services
- 20+ service changes and upgrades, and 3-5 emergency handlings, each month
- 14,000+ service monitoring items in total; the daily alarm count reaches 2,000+
2. Security Monitoring Platform
2.1 Monitoring Nodes Deployment
2.2 Domain Name System Monitoring
2.3 Data Processing

2.1 Monitoring Nodes Deployment
- Covers 6 ISP networks in China
- 30+ provinces in China
- Overseas deployment

2.2 Domain Name System Monitoring
- Root name server monitoring
- TLD name server status monitoring
- Recursive DNS service monitoring
- VIP domain name monitoring

2.3 Data Processing
- Big data analysis platform
- Statistical analysis of domain name data
- Statistical analysis of domain names by geographic location
- Analysis of changes in domain name data
3. DNS Security
3.1 DNS Attack Types
3.2 Attack Methods Analysis
3.3 DNS Attacks in CNNIC

3.1 DNS Attack Types
- DDoS
- NXDOMAIN attack
- Amplification attack
- Cache poisoning
- DNS hijacking
3.2.1 NXDOMAIN Attack
- The attacker floods a DNS server with queries for names that do not exist (typically random labels under one target zone, so no query can be answered from cache).
- The recursive server tries to resolve each non-existent name by sending its own queries to the authoritative servers, and finds nothing.
- Along the way its cache fills with NXDOMAIN (negative) results.
- While it waits for responses, its outstanding-query limit is exhausted and legitimate queries start to fail.
- The target domain's authoritative servers receive the whole flood and experience a DDoS.
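The pattern above (and the "random.domain.cn" attack names reported in 3.3) can be picked out of a query log by looking, per zone, at the share of NXDOMAIN answers, the share of never-repeated leftmost labels, and the entropy of those labels. The following detector is an added example written for this page, not CNNIC's SDNS code; the log format, the constructed sample traffic and the thresholds are assumptions for illustration.

```python
"""Random-subdomain (NXDOMAIN flood) detector over DNS query-log lines.

Added example, not CNNIC code. Log format, thresholds and sample traffic are
assumptions for illustration.
"""
import math
import random
from collections import defaultdict


def build_sample_log(flood_queries=300, seed=1):
    """Constructed sample traffic (not real CNNIC data).
    One line per query: "<epoch> <client_ip> <qname> <qtype> <rcode>"."""
    rng = random.Random(seed)
    lines = []
    # Background traffic: a few real names, almost always NOERROR.
    for i in range(40):
        name = rng.choice(["www.example.cn", "mail.example.cn",
                           "shop.other.cn", "www.other.cn"])
        rcode = "NOERROR" if rng.random() > 0.05 else "NXDOMAIN"
        lines.append(f"1465000{i:03d} 203.0.113.{rng.randint(1, 50)} {name} A {rcode}")
    # Flood: random labels under example.cn from many (spoofed or botnet) sources;
    # every one is a cache miss that the recursive server forwards upstream.
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(flood_queries):
        label = "".join(rng.choice(alphabet) for _ in range(rng.randint(6, 12)))
        ip = f"198.51.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        lines.append(f"1465000{i:03d} {ip} {label}.example.cn A NXDOMAIN")
    return lines


def label_entropy(label):
    """Shannon entropy (bits per character) of one label: random labels score
    high, human-chosen ones such as "www" or "mail" score low."""
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname, depth=2):
    """Assumption: the attacked zone is the last `depth` labels of the name.
    Under second-level registries such as com.cn use depth=3 or a suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


def analyse(lines, depth=2):
    """Aggregate per-zone counters from log lines."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": 0.0,
                                 "labels": set(), "clients": set()})
    for line in lines:
        _ts, ip, qname, _qtype, rcode = line.split()
        leftmost = qname.lower().split(".")[0]
        s = stats[zone_of(qname, depth)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["entropy"] += label_entropy(leftmost)
        s["labels"].add(leftmost)
        s["clients"].add(ip)
    return stats


def flag_floods(stats, min_queries=100, nx_ratio=0.8, unique_ratio=0.9, min_entropy=2.0):
    """Flag zones whose traffic is dominated by unique, high-entropy NXDOMAIN names."""
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        nxr = s["nx"] / s["total"]
        uniq = len(s["labels"]) / s["total"]
        ent = s["entropy"] / s["total"]
        if nxr >= nx_ratio and uniq >= unique_ratio and ent >= min_entropy:
            flagged[zone] = {"queries": s["total"], "nxdomain_ratio": round(nxr, 3),
                             "unique_label_ratio": round(uniq, 3),
                             "mean_label_entropy": round(ent, 2),
                             "distinct_clients": len(s["clients"])}
    return flagged


if __name__ == "__main__":
    for zone, info in flag_floods(analyse(build_sample_log())).items():
        print(f"random-subdomain flood against {zone}: {info}")
```

A flagged zone is what the operator then acts on: rate-limit or drop queries for that zone at the recursive side, or, as 3.3 notes for the attacked registrations, put the domain on ClientHold. The distinct-client count matters because a flood with thousands of sources cannot be handled by per-client limits alone.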
3.2.2 DNS Amplification Attack
- Combines reflection and amplification.
- Uses third-party open resolvers on the Internet as unwitting accomplices.
- The attacker sends queries with the victim's address as the spoofed source to the open recursive servers, so the replies go to the victim.
- The queries are specially crafted to produce a very large response (a query of a few dozen bytes can return a response many times its size), so the resolvers multiply the attacker's bandwidth.
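Because the spoofed source address in a reflection attack is the victim, the standard server-side countermeasure is response rate limiting (RRL): cap identical responses per source netblock, drop the excess, and send a fraction of it truncated so that a real client falls back to TCP, which cannot be spoofed. The token-bucket model below is an added example in the spirit of the RRL feature in BIND and Knot; it is not CNNIC's SDNS-D code, and the rates, prefix lengths and the 64-byte-query / 3000-byte-response sizes are assumptions for illustration.

```python
"""Response rate limiting (RRL) against DNS reflection/amplification.

Added example, not CNNIC code: a per-netblock token bucket in the spirit of the
RRL feature in BIND and Knot. Thresholds and packet sizes are assumptions.
"""
import ipaddress


def amplification_factor(query_bytes, response_bytes):
    """Bandwidth multiplier the attacker gains per reflected query."""
    return response_bytes / query_bytes


class ResponseRateLimiter:
    """Limit identical responses (same qname/qtype) towards one source netblock.

    Once a bucket is empty, excess responses are dropped, except that every
    `slip`-th one is sent truncated (TC=1): a real client retries over TCP,
    while the reflected flood shrinks to a handful of tiny packets.
    """

    def __init__(self, responses_per_second=5, slip=2, prefix_v4=24, prefix_v6=56):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_v4 = prefix_v4
        self.prefix_v6 = prefix_v6
        self.buckets = {}  # (netblock, qname, qtype) -> (tokens, last_seen, excess)

    def _netblock(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        prefix = self.prefix_v4 if addr.version == 4 else self.prefix_v6
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def decide(self, src_ip, qname, qtype, now):
        """Return "send", "truncate" or "drop" for a response about to leave."""
        key = (self._netblock(src_ip), qname.lower().rstrip("."), qtype.upper())
        tokens, last, excess = self.buckets.get(key, (self.rps, now, 0))
        tokens = min(self.rps, tokens + (now - last) * self.rps)  # refill
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now, 0)
            return "send"
        excess += 1
        self.buckets[key] = (tokens, now, excess)
        return "truncate" if excess % self.slip == 0 else "drop"


def simulate_reflection(limiter, victim_ip, packets, query_bytes=64, response_bytes=3000):
    """Feed `packets` spoofed ANY queries for one name, spread over one second,
    and report how many response bytes would actually reach the victim."""
    sent = {"send": 0, "truncate": 0, "drop": 0}
    for i in range(packets):
        sent[limiter.decide(victim_ip, "example.cn", "ANY", now=i / packets)] += 1
    # A truncated reply carries only header and question, roughly the query size.
    bytes_to_victim = sent["send"] * response_bytes + sent["truncate"] * query_bytes
    return sent, bytes_to_victim, packets * response_bytes


if __name__ == "__main__":
    counts, limited, unlimited = simulate_reflection(ResponseRateLimiter(), "198.51.100.9", 1000)
    print(counts, f"{limited} bytes reach the victim instead of {unlimited}")
```

Keying the bucket on the /24 rather than the single address matters because an attacker can spread the spoofed source over a victim's whole netblock; keying on the question as well keeps RRL from throttling unrelated legitimate traffic from the same network.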
3.2.3 DNS Cache Poisoning
- The attacker guesses that a DNS client or server has sent a query and is waiting for the response, and races the legitimate answer with forged ones.
- A successful spoof inserts a fake response into the server's cache, where it is served to every client until the TTL expires.
- For a UDP query there is no way to verify that the DNS data is authentic: the resolver only matches the transaction ID, source port and question section.
- DNSSEC handles this: signed records let the resolver validate the answer instead of trusting whoever replied first.
3.2.4 DNS Hijacking
- Some ISPs hijack your DNS queries (for example, a "server not found" page is replaced by an advertising page by rewriting NXDOMAIN answers).
- Internet censorship.
- The difference: DNS hijacking redirects the query itself (through an ISP middlebox, or malware that changes the resolver settings), whereas DNS cache poisoning overwrites your local DNS cache with fake values.
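The two slides above meet at the same place: what a resolver does with a UDP datagram that claims to be an answer. The block below is an added example for this page (not CNNIC code, stdlib only) that builds and parses minimal DNS wire-format messages, then applies the checks a resolver has against poisoning (transaction ID, randomized local port, source address, question section, bailiwick) and the probe that exposes NXDOMAIN hijacking (a nonce name that must return NXDOMAIN). The names, addresses, IDs and ports in it are constructed.

```python
"""Resolver-side response validation (cache-poisoning defence) and NXDOMAIN
hijack detection on raw DNS wire-format messages.

Added example, not CNNIC code; stdlib only. Names, addresses, IDs and ports
are constructed for illustration.
"""
import struct


def encode_name(name):
    """Encode "www.example.cn" as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def build_response(txid, qname, rcode=0, answers=(), qtype=1):
    """Minimal response: flags QR=1 RD=1 RA=1, one question, A records as answers."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, ip in answers:  # type A, class IN, TTL 60, rdlength 4
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def parse_response(msg):
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "answers": answers}


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(outstanding, src_ip, src_port, local_port, msg):
    """Decide whether a UDP datagram may enter the cache.
    `outstanding` maps (txid, local_port) -> (qname, qtype, server_ip, bailiwick).
    A forger must hit the 16-bit ID and the randomized local port and the question
    before the real server answers; records outside the server's bailiwick (an
    answer for www.bank.cn riding on a query to example.cn's servers) are refused."""
    r = parse_response(msg)
    pending = outstanding.get((r["id"], local_port))
    if pending is None:
        return False, "no outstanding query with this txid/port"
    qname, qtype, server_ip, bailiwick = pending
    if not r["qr"]:
        return False, "not a response"
    if (src_ip, src_port) != (server_ip, 53):
        return False, "unexpected source address"
    if r["qname"].lower() != qname.lower() or r["qtype"] != qtype:
        return False, "question section mismatch"
    for name, *_ in r["answers"]:
        if not in_bailiwick(name, bailiwick):
            return False, f"out-of-bailiwick record {name}"
    return True, "ok"


def spoof_success_probability(forged_packets, id_bits=16, port_bits=0):
    """Chance that at least one of `forged_packets` guesses matches in one race."""
    return 1 - (1 - 1 / 2 ** (id_bits + port_bits)) ** forged_packets


def looks_hijacked(msg, rcode_nxdomain=3):
    """Probe with a nonce name that cannot exist (a random label under a zone you
    control). An honest path returns NXDOMAIN; an A record instead means something
    on the path (ISP ad redirect, middlebox, malware) rewrote the answer."""
    r = parse_response(msg)
    return r["rcode"] != rcode_nxdomain or any(a[1] == 1 for a in r["answers"])
```

The probability helper shows why source-port randomization matters: with only the 16-bit ID to guess, a burst of 65,536 forged packets in one race window succeeds with probability about 0.63, while adding a 16-bit random port pushes the same burst down to roughly one chance in 65,000; DNSSEC validation removes the guessing game entirely. The hijack probe should be run against a name under a zone you control, so that a real NOERROR answer is impossible.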
3.3 DNS Attacks in CNNIC
Attack cases:
- The CNNIC DNS platform suffered more than 30 attacks in 2015.
- Most attacked names take the form "random.domain.cn".
- Most attacked domains are game or e-commerce related.
- The source IP addresses are massive in number.
- Most attacked domains are set to ClientHold status.
Example case: DDoS at 1.6 million QPS; attacked domain: xxx.dianbaobao.net.cn; target website: e-commerce.
4. Operation and Security Protection
4.1 SOS2
4.2 SDNS-AM
4.3 SDNS-D

4.1 SOS2
- Unified management and monitoring system
- Monitors the status of all servers and services
- Configuration management

4.2 SDNS-AM
- Data analysis + monitoring alarms
- Real-time analysis of DNS data (150 thousand per node)
- Multidimensional statistics and analysis (20+ categories, 160+ statistical indicators)
- Network anomaly detection mechanism (supported by two patented algorithms)
- Distributed deployment with centralized analysis

4.3 SDNS-D
- Real-time traffic analysis
- Traffic statistics: QPS, IP, domain name and other information
- Attack recognition: fixed-IP attacks, random-label (random subdomain) attacks
- Network traffic redirection
- DNS data cleaning (scrubbing)
5. Future
5.1 Embrace the Open Source Community
5.2 Big Data Analysis and Visualization

5.1 Embrace the Open Source Community
- Automated management system with Ansible
- Docker virtualization to build a fast delivery system
- OpenStack cloud platform to build a DNS cloud (Dr Ding)
- ELK for big data indexing and processing

5.2 Big Data Analysis and Visualization
- Processing and analyzing massive data (log data, event data, etc.)
- Real-time data analytics
- Visual data display, making operations work much faster and easier
Q&A Thanks