DNS Amplification and DNS Hijack Risk Mitigation

Slides:

Advertisements

Similar presentations

60 Days of Basic Naughtiness

Advertisements

An Operational Perspective on BGP Security Geoff Huston February 2005.

Enabling Secure Internet Access with ISA Server

Review iClickers. Ch 1: The Importance of DNS Security.

Point Protection 111. Check List AAA to the Network Devices Controlling Packets Destined to the Network Devices Config Audits.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.

1 Yehuda Afek, Tel-Aviv University / WANWall Ltd. Anat Bremler-Barr, Alon Golan, Hank Nussbacher, Dan Touitou WANWall Ltd. Diversion & Sieving Techniques.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

SYSTEM ADMINISTRATION Chapter 19

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

The Latest In Denial Of Service Attacks: “Smurfing” Description and Information to Minimize Effects Craig A. Huegen Cisco Systems, Inc. NANOG 11 Interprovider.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Kevin Miller Carnegie Mellon University Three Practical Ways to Improve Your Network.

COEN 252: Computer Forensics Router Investigation.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Common forms and remedies Neeta Bhadane Raunaq Nilekani Sahasranshu.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

– Chapter 4 – Secure Routing

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Chapter 6: Packet Filtering

Network security Further protocols and issues. Protocols: recap There are a few main protocols that govern the internet: – Internet Protocol: IP – Transmission.

Address Resolution Protocol(ARP) By:Protogenius. Overview Introduction When ARP is used? Types of ARP message ARP Message Format Example use of ARP ARP.

Access Control List ACL. Access Control List ACL.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.

Infrastructure Attack Vectors and Mitigation Benno Overeinder NLnet Labs.

BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.

Staff AAA. Radius is not an ISP AAA Option RADIUS TACACS+ Kerberos.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.

MENU Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell

Working Group #4: Network Security Best Practices September 12, 2012 Presenter: Rod Rasmussen, Internet Identity WG #4 Co-Chair.

Distributed Denial of Service Attacks

Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.

Network Security1 Secure Routing Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.

Chapter 6: Securing the Local Area Network

Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://

Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.

SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

By Steve Shenfield COSC 480.  Definition  Incidents  Damages  Defense Mechanisms Firewalls/Switches/Routers Routing Techniques (Blackholing/Sinkholing)

Matt Jennings.  What is DDoS?  Recent DDoS attacks  History of DDoS  Prevention Techniques.

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.

25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.

Working at a Small-to-Medium Business or ISP – Chapter 8

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

Filtering Spoofed Packets

Chapter 4: Access Control Lists (ACLs)

* Essential Network Security Book Slides.

Firewalls Purpose of a Firewall Characteristic of a firewall

Firewalls Chapter 8.

Presentation transcript:

DNS Amplification and DNS Hijack Risk Mitigation NANOG On The Road Portland, OR - September 10, 2013 Merike Kaeo Security Evangelist, IID merike@internetidentity.com

Statistics on DNS Amplification Attacks in 2012/2013 Intro Statistics on DNS Amplification Attacks in 2012/2013 Measurements on Open Recursive Resolvers How To Close Unmanaged Open Recursive Resolvers What Other Basic Network Hygiene Can Help? What About DNS Hijacks? NANOG OTR - 9/10/13

Open resolver amplification attack Attacker 2 Open Resolvers Open Resolvers Open resolvers send legitimate queries to authoritative servers 1 2 Use forged IP address of intended victim to send legitimate queries to open resolvers. 4 4 Authoritative DNS Servers 3 Authoritative servers send back legitimate replies to Resolvers Authoritative servers send back legitimate replies to Resolvers 3 Authoritative DNS Servers Victim 4 Open resolver legitimate responses create massive DDoS attack to victim’s IP address. NANOG OTR - 9/10/13

Reflective DDoS attacks use IP addresses of legitimate users Growing trends Reflective DDoS attacks use IP addresses of legitimate users Combining spoofed addresses with legitimate protocol use makes mitigation extremely difficult – what do you block and where? Recent trends have been utilizing DNS as attack vector since it is a fundamentally used Internet technology Exploit unmanaged open recursive resolvers Exploit large response profile to some standard queries (e.g. DNSSEC) Utilize resources of large hosting providers for added attack bandwidth Many other Internet protocols also susceptible [SNMP, Chargen, etc] NANOG OTR - 9/10/13

How bad is the problem? Largest in 2012 Event Time Start: Aug 1, 2012 00:33:00 UTC Attack Types: DNS Flood, GET Flood, UDP Fragment Flood, ICMP Flood Destination Ports: 80,443,53 Industry Vertical: Financial Peak Bandwidth: 42.2 Gbps Peak pps: 2.1 Mpps Source: Prolexic “Trending data points to an increase of DNS attacks that can be observed in the comparison of Q1 2012 (2.50 percent), Q4 2012 (4.67 percent), and Q1 2013 (6.97 percent). This represents an increase of over 200 percent in the last year.” Source: Prolexic Quarterly Global DDoS Attack Report Q1 2013 NANOG OTR - 9/10/13

Why does the Dns amplification work so well? Victims cannot see actual originator of attack Lots of DNS packets from a wide variety of ‘real’ DNS servers Victims cannot block the BotNet making the spoofed queries DNS servers are answering seemingly normal requests Originating ISPs aren’t impacted Originating ISPs only see small amounts of traffic Filtering attack traffic is difficult in practice The open resolvers are themselves not infected not malicious Depending on architecture, may block legitimate traffic NANOG OTR - 9/10/13

Why Would People RUN Open Resolvers? Deliberate Services Google, OpenDNS, DynDNS, Amazon Route53 Ensure reliability and stability Many are not deliberate – why do they exist? Evil DNS servers run by criminals on bulletproof hosts Everyone else Hosting companies Small/medium ISPs Enterprises, SMBs Default device configuration NANOG OTR - 9/10/13

Ensure no unmanaged open recursive resolvers exist Equipment vendors need ship default as CLOSED BCPs should not show recursive resolver configurations as open Get everyone to participate in stopping ability to spoof IP addresses ISPs need to do ingress filtering (BCP38/BCP84) Enterprises/SMBs need to implement egress filters Equipment vendors need to have better defaults for helping alleviate spoofing Sponsoring research/studies to get definitive data on where IP address spoofing is possible may help MIT Spoofer Project (http://spoofer.csail.mit.edu) What needs to be done NANOG OTR - 9/10/13

Projects that help determine open resolvers Measurement Factory http://dns.measurement-factory.com/surveys/openresolvers.html has been running tests for open recursive resolvers since 2006 have daily reports of open resolvers per AS number send DNS query to a target IP address for a name in test.openresolver.org domain (target IP addresses tested no more than once every three days) The Open Resolver project http://openresolverproject.org started in March 2013 active scans run on a weekly basis that get some added information NANOG OTR - 9/10/13

The Measurement factory [On main page go to ‘Results’ then ‘DNS survey results’ and finally ‘Open Resolvers’] NANOG OTR - 9/10/13

Open Resolver Project NANOG OTR - 9/10/13

Open Recursive Resolver Project Stats NANOG OTR - 9/10/13

Closing Recursive Resolvers RFC 5358 (BCP 140): Preventing Use of Recursive Nameservers in Reflector Attacks http://www.ietf.org/rfc/rfc5358.txt BIND http://www.zytrax.com/books/dns/ch9/close.html Team CYMRU Pointers to BIND implementations and Microsoft http://www.team-cymru.org/Services/Resolvers/instructions.html NANOG OTR - 9/10/13

Dns Response rate limiting (DBS RRL) http://www.redbarn.org/dns/ratelimits NANOG OTR - 9/10/13

What Other Basic Network Hygiene Helps? Ingress Filtering (BCP38/BCP84) Using simple filters Using uRPF http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/s ec_cfg_unicast_rpf.html http://www.juniper.net/techpubs/en_US/junos9.4/topics/concept/unicast-rpf- ex-series.html https://tools.ietf.org/html/draft-savola-bcp84-urpf-experiences-03 Transit Route Filters Peering Route Filters IX Specific Set next-hop self on border routers Do not redistribute connected routes into IGP/BGP NANOG OTR - 9/10/13

urfp (Unicast Reverse Path Forwarding) Loose Mode: Source IP has to match any interface entry in the FIB int 2 int 2 int 1 int 3 int 1 int 3 S y D data S y D data S z D data S z D data FIB FIB Dest Path Dest Path S int 1 S int 1 x x S int 2 S int 2 y y S null0 S null0 z z ü û sourceIP=any int? sourceIP=any int? IP verify unicast source reachable – via any NANOG OTR - 9/10/13

INGRESS/EGRESS FILTerS Deploy anti-spoofing filters as close to potential source as possible SMB Customer router bgp <AS#> neighbor <IP> remote-as <AS#> neighbor <IP> prefix-list customer in ip prefix-list customer permit <netblock> ip prefix-list customer deny <everything else> INGRESS ISP ipv6 access-list extended DSL-ipv6-Inbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Inbound in INGRESS ipv6 access-list extended DSL-ipv6-Outbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Outbound out EGRESS Home Customer NANOG OTR - 9/10/13

What About DNS hijacks? NANOG OTR - 9/10/13

Helps protect against registry portal compromises What Is a registry lock? It is intended to mitigate against the potential for unintended changes, deletions or transfers. Helps protect against registry portal compromises Stops any of a registrar's automated systems from being able to make changes to the domain name record. Changes can only be made by manual intervention by staff at a registrar, and by staff at the registry. Additional manual security processes are usually implemented as part of this process - including needing more than one party at the holder of the domain name to authorize a change. NANOG OTR - 9/10/13

How To Better Protect Your Domain Know the security practices of your registrar How rigorous are they with access control to their internal servers? Do they utilize two-factor authentication? What is their process for updating / modifying any of your domain name information? How are user credentials protected? Do they support feature called ‘registry lock’? Monitor your DNS records for changes Why are you paying only $10/month for a domain that is critical to your business???? NANOG OTR - 9/10/13

SOMETHING TO CONSIDER - DNS Firewall How do you currently stop DNS requests to known malicious sites from going out of your network? Block DNS requests from your network to malicious hosts AKA: a secure DNS resolver or DNS filtering Not a new idea – just an under utilized/appreciated approach Key needs: Infrastructure Malicious host listings Policies for blocking/redirection NANOG OTR - 9/10/13

The DNS Resolver as primary defense Malicious Hostname Blocked DNS Resolver + DNS Firewall Infected Machine Redirected Legitimate Request Forwarded SOC/NOC NANOG OTR - 9/10/13

Dns firewall infrastructure Using current in-house DNS resolvers Implement RPZ (ftp://ftp.isc.org/isc/dnsrpz/isc-tn-2010-1.txt) Resolvers ‘cache’ protection data and never go to Internet to resolve bad hostnames Using cloud-based DNS resolver servers Minor change for many – already use ISP resolvers Can update internal infrastructure to forward requests to “cloud” – relatively painless update Fairly easy to implement with no new hardware requirements and no network downtime. NANOG OTR - 9/10/13

Think about usefulness of DNS Firewall in your environment Parting Thoughts Test to determine whether you have unmanaged open resolvers in your environment http://www.thinkbroadband.com/tools/dnscheck.html http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl Ensure that you are helping stop spoofed traffic as close to the source as possible You don’t need to use uRPF – simple filters work Who you pick as Registrar and what their security practices are is important TO YOU! Think about usefulness of DNS Firewall in your environment NANOG OTR - 9/10/13

Questions ?

Eric Zeigast

October Security Update DDoS is not just DNS anymore Seeking help *before* you need it NANOG Tutorial Resources Plugging in to reporting services NANOG OTR - 9/10/13

DNS WAS JUST THE BEGINNING Latest attacks utilize open DNS or NTP servers Future attacks will utilize other protocols Seach for: NDSS 2014 amplification hell Mix of protocols Scanning Good guys *and* bad guys know what’s available Not just servers printers home gateway routers smart CPE / modems / wifi NANOG OTR - 9/10/13

Open NTP SERVER Project NANOG OTR - 9/10/13

Getting help before you need it Know your network and services Network flow analysis and graphs IDS solutions (snort, suricata, commercial) Can your upstream ISPs help? What filters or “scrubbing” can they place for you? Who are their network security contacts? What can you deploy before the attack? Anycast or agile DNS services? Have you provisioned and tested a DDoS mitigation service? NANOG OTR - 9/10/13

NANOG Tutorial Resources Check out NANOG tutorials (http://nanog.org/resources/tutorials): The Service Provider Tool Kit (Barry Greene) An Introduction to DNSSEC (Matt Larson) NSP-SEC Top Ten Security Techniques (Barry Greene) NetFlow to guard the Infrastructure NANOG OTR - 9/10/13

Plugging in to reporting services Several types of abuse are remotely detected and reported by the security community Automated reports about bot activity or sinkhole hits are usually given to ShadowServerv and TeamCymru. Sign up: ShadowServer: Look for “Get Reports On Your Network” on www.shadowserver.org and then email <request_report@shadowserver.org> Team Cymru: www.tcconsole.com or email <outreach@cymru.com> NANOG OTR - 9/10/13