A Speculation on DNS DDOS

Slides:



Advertisements
Similar presentations
Measuring IP Performance Geoff Huston Telstra. What are you trying to measure? User experience –Responsiveness –Sustained Throughput –Application performance.
Advertisements

DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.
Review iClickers. Ch 1: The Importance of DNS Security.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Module 3 DNS Types.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Geoff Huston APNIC Labs
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.
DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.
DoS/DDoS attack and defense
What if Everyone Did It? Geoff Huston APNIC Labs.
Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.
Ch 6: DNSSEC and Beyond Updated DNSSEC Objectives of DNSSEC Data origin authentication – Assurance that the requested data came from the genuine.
Lecture 17 Page 1 CS 236, Spring 2008 Distributed Denial of Service (DDoS) Attacks Goal: Prevent a network site from doing its normal business Method:
DNS Domain Name System By Alexandros Zampas B101 Coursework The Technology Context.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
© 2014 ISC Tales of the unexpected - handling unusual DNS client behaviour UKNOF29 – Cathy Almond, ISC.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Scaling the Network: Subnetting and Protocols
High performance recursive DNS solution
Large (UDP) Packets in IPv6
A Speculation on DNS DDOS
Architectures of Digital Information Systems Part 1: Interrupts and DMA dr.ir. A.C. Verschueren Eindhoven University of Technology Section of Digital.
Geoff Huston APNIC March 2017
Chapter 25 Domain Name System.
Network Anti-Spoofing with SDN Data plane Authors:Yehuda Afek et al.
DNSSEC Deployment Challenges
Geoff Huston APNIC Labs
Geoff Huston APNIC Labs
Authors – Johannes Krupp, Michael Backes, and Christian Rossow(2016)
Distributed Denial of Service (DDoS) Attacks
Geoff Huston APNIC Labs September 2017
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
DNS Cache Poisoning Attack
RFC 7706: Decreasing Access Time to Root Servers by Running One on Loopback A good idea or not? Petr Špaček • •
AP CSP: Making a reliable Internet & DNS
DNS security.
DNS-Based DDoS Evolving Threat UKNOF Sept 2015 Manchester, UK
Joao Damas, Geoff Labs March 2018
How to resolve the not working issue of Yahoo mail?
Geoff Huston, Joao Damas APNIC Roy Arends ICANN
CS4622: Computer Networking
Lecture 28: Virtual Memory-Address Translation
IPv6: Are we really ready to turn off IPv4?
D* (DNS, and DNSSEC and DDOS)
TCP/IP Networking An Example
Re-Engineering the Root of the DNS
Measuring KSK Roll Readiness
An Update on Multihoming in IPv6 Report on IETF Activity
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
COMPUTER NETWORKS PRESENTATION
EE 122: Lecture 22 (Overlay Networks)
APNIC’s Engagement on Security
IPv6 Reliability Measurements
What part of “NO” is so hard for the DNS to understand?
Distributed Denial of Service (DDoS) Attacks
Cleaning Up the Internet of Evil Things
The Resolvers We Use Geoff Huston APNIC.
Presentation transcript:

A Speculation on DNS DDOS Some thoughts about for Geoff Huston APNIC

What we know about the October DYN attack… Well – guess - from the snippets that have been released… It was a Mirai attack It used a compromised device collection It used a range of attack vectors TCP SYN, TCP ACK, GRE, … One of these was DNS

DDOS Attacks Are nothing new – unfortunately And our response is often responding like for like Build thicker and thicker bunkers of bandwidth and processing capacity that can absorb the attacks And leave the undefended open space as toxic wasteland! But using the DNS for attacks opens some new possibilities…

What we understand about direct DNS DDOS attacks These are not reflection/ amplification attacks They are directed at the authoritative name servers / root servers It loads the authoritative servers with query traffic It can saturate the carriage / switching infrastructure of the server It can exhaust the server itself of resources so it drops “legitimate” queries The attack queries look exactly like other queries that are seen at these servers So front end pattern matching and filtering may not work The qname is likely to be <random>.target so as to defeat caches and simple filters These queries look just like Chrome’s behaviour!

The intended outcome of the attack Because the <random>.target qname form will defeat the recursive resolver caching function, the query is passed to the auth name server to resolve With an adequately high query volume, the authoritative server will start to discard queries due to resource starvation The result is that the target name will fade away on the Internet as recursive resolvers’ cache entries expire, and they cannot refresh their cache from the authoritative servers

Possible Mitigations – 1 ”A Bigger Bunker” Add more Foo More authoritative name servers More bandwidth to authoritative name servers More CPU and memory to authoritative name servers i.e. deploy more ”foo” and try and absorb the attack at the authoritative name server infrastructure while still answering “legitimate” queries

Possible Mitigations - 2 Longer TTLs: Low TTL’s make the auth servers more vulnerable because recursives need to refer to authoritatives more frequently With a longer TTL, the attack will still happen, but the legit recursives may not get a cache expiry so quickly The recursive resolvers will still serve cached names from their cache even when the authoritative name server is offline Attackers will need to attack for longer intervals to cause widespread visible damage But.. Nobody likes to cement their DNS with long TTLs And current recursive resolvers don’t seem to honour longer TTLs anyway!

Possible Mitigations – 3 Filter queries: Try to get a fix on the <random> name component in the queries Set of a front end query filter and block these queries But This is just tail chasing!

Possible Mitigations - 4 What if the attacking devices are passing the queries directly to the authoritative name servers? Filter IP addresses!

All resolvers might be equal, but some resolvers are more equal than others! 8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

Possible Mitigations - 4 “Filter Filter Filter” (IP sources) Only 8,000 discrete IP addresses account for more than 90% of the users’ DNS queries These are the main recursive resolvers used by most of the internet – so its probably good to answer them! Put all other source IP address queries on a lower priority resolution path within the authoritative name server Divide queriers into separate queues of “Friends” and “Strangers”: Just like SMTP!

Possible Mitigations - 5 What if the devices are passing the queries via recursive resolvers?

Possible Mitigations - 5 Get assistance! Use DNSSEC and apply NSEC Aggressive caching * The attack will generate NXDOMAIN answers So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly This can be done with the combination of DNSSEC and NSEC signing, using the NSEC span response to then respond to further queries within the span without reference to the authoritative servers This means that the recursive system absorbs the DNS query attack and does not refer the queries back to the auth servers * draft-ietf-dnsop-nsec-aggressiveuse-05

If only… Piecemeal solutions deployed in a piecemeal fashion will see attackers pick off the vulnerable again and again And the long term answer is not bigger and thicker walls, as the IoT volumes will always be higher We need to think again how to leverage the existing DNS resolution infrastructure to be more resilient And for that we probably need to talk about this openly and constructively and see if we can be smarter and make a more resilient DNS infrastructure And for that we probably need to talk about the DNS and DNSSEC and how it works, and how it can work for us to defend these attacks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.