Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.

Slides:



Advertisements
Similar presentations
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Advertisements

IPv6 Background Radiation Geoff Huston APNIC R&D.
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
Hands-On Microsoft Windows Server 2003 Networking Chapter 6 Domain Name System.
Domain Name System: DNS
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
25.1 Chapter 25 Domain Name System Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Presented by Neeta Jain CISC 856 TCP/IP and Upper Layer Protocols RFC 1034 & RFC 1035.
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Name Resolution and DNS. Domain names and IP addresses r People prefer to use easy-to-remember names instead of IP addresses r Domain names are alphanumeric.
Measuring DANE TLSA Deployment Liang Zhu 1, Duane Wessels 2, Allison Mankin 2, John Heidemann 1 1. USC ISI 2. Verisign Labs 1.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
Domain Name System (DNS) Ayitey Bulley Session-1: Fundamentals.
NET0183 Networks and Communications Lecture 25 DNS Domain Name System 8/25/20091 NET0183 Networks and Communications by Dr Andy Brooks.
Module 3 DNS Types.
Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Welcome Today Our Topics are: DNS (The Potential Problem for Complete Anonymity) Transparent DNS Proxy (The Problem & The Solution) How To.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Ch-9: NAME SERVICES By Srinivasa R. Gudipati. To be discussed.. Fundamentals of Naming Services Naming Resolution The Domain Name System (DNS) Directory.
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Domain names and IP addresses Resolver and name server DNS Name hierarchy Domain name system Domain names Top-level domains Hierarchy of name servers.
Chapter 17 Domain Name System
Harness Your Internet Activity. Drilling down into DNS DDoS Data Amsterdam, May 2015 Ralf Weber.
1 Computer Communication & Networks Lecture 26 Application Layer: Domain Name System Waleed Ejaz.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Domain Name System CH 25 Aseel Alturki
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Domain Name System. CONTENTS Definitions. DNS Naming Structure. DNS Components. How DNS Servers work. DNS Organizations. Summary.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
Netprog: DNS and name lookups1 Address Conversion Functions and The Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Open Resolver Project Results from 2 months of active scans
1 Kyung Hee University Chapter 18 Domain Name System.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Self-Service Open Resolver Scanning Duane Wessels DNS-OARC Workshop Dublin May 12, 2013.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
A study of caching behavior with respect to root server TTLs Matthew Thomas, Duane Wessels October 3 rd, 2015.
Module 8 DNS Tools & Diagnostics. Dig always available with BIND (*nix) and windows Nslookup available on windows and *nix Dig on windows – unpack zip,
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 18 Domain Name System (DNS)
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
AfNOG-2003 Domain Name System (DNS) Ayitey Bulley
Domain Name System (DNS) Joe Abley AfNOG Workshop, AIS 2014, Djibouti Session-1: Fundamentals.
TCP/IP Protocol Suite 1 Chapter 17 Upon completion you will be able to: Domain Name System: DNS Understand how the DNS is organized Know the domains in.
COMP 431 Internet Services & Protocols
Internet Naming Service: DNS* Chapter 5. The Name Space The name space is the structure of the DNS database –An inverted tree with the root node at the.
Domain Name System INTRODUCTION to Eng. Yasser Al-eimad
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Chapter 5c.  Upon completion of this chapter, you should be able to:  Configure IP addresses  Identify & select valid IP addresses for networks  Configure.
1 Internet Service DNS & BIND OPS335 Seneca College of Applied Technology.
DNS and Inbound Load Balancing
A Speculation on DNS DDOS
Domain Name System (DNS)
Geoff Huston APNIC March 2017
Principles of Computer Security
Chapter 25 Domain Name System.
Networking Applications
A Speculation on DNS DDOS
DNS-Based DDoS Evolving Threat UKNOF Sept 2015 Manchester, UK
Chapter 19 Domain Name System (DNS)
Chapter 25 Domain Name System
Chapter 25 Domain Name System.
Domain Name System Refs: Chapter 9 RFC 1034 RFC 1035.
Chapter 25 Domain Name System
Computer Networks Primary, Secondary and Root Servers
What part of “NO” is so hard for the DNS to understand?
Presentation transcript:

Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland

Verisign Public Outine Why do we care about Open Resolvers? Surveys at Verisign Characterizing Open Resolvers Intersection with COM/NET query sources Geographic distribution Discussion

Verisign Public Why do we care? Exploited in DDoS attacks Makes cache poisoning attacks much easier Cache snooping Analogous to open mail relays Note: we’re talking about unintentionally open resolvers here… 3

Verisign Public Two Surveys of IPv4 Open Resolvers

Verisign Public Models Target forwards query directly to Authority Prober Auth NS Auth NS Target Q1 Q2 R1 R2

Verisign Public Models Target forwards to a “forwarder” Prober Auth NS Auth NS Target Forwarder Q1 Q2 R1 R2

Verisign Public From Amazon Web Services Took 173 Hours :00 – :00 Sent 3,676,739,504 Q1 probes All IPv4 space, except class D/E, RFC1918 and do-not-probe list Received 43,538,209 Q2’s For 28,897,054 distinct probes From 277,049 distinct IP addresses Received 34,604,998 R2’s For 32,040,586 distinct probes From 31,424,854 distinct IP addresses October 2013 Survey

Verisign Public

Verisign Public From Verisign Took 17 hours :20 – :30 Sent 3,676,724,690 Q1 probes All IPv4 space, except class D/E, RFC1918, and do-not-probe list Received 38,079,578 Q2’s For 24,553,785 distinct probes From 230,417 distinct IP addresses Received 28,426,251 R2’s For 27,905,762 distinct probes From 27,281,623 distinct IP addresses May 2014 Survey

Verisign Public

Verisign Public Data is collected with pcap while scan runs Pcap files are then parsed into whitespace delimited text Separate files for Q1, Q2, R1, R2 The text files are loaded onto Hadoop Analyzed with Hive (SQL statements) Lots of large, multi-table joins Data Analysis

Verisign Public Closed Targets When the probe results in neither a Q1 nor an R2. Prober Auth NS Auth NS Target Forwarder Oct 2013May 2014 Closed %

Verisign Public Open Targets When the probe results in either a Q1 or an R2. Oct 2013May 2014 Open Count33,660,90629,292,597 Oct 2013May 2014 openresolverproject 32,673,33727,454,609 Prober Auth NS Auth NS Target Forwarder

Verisign Public Simple Open Resolver Q2 source address equals Target address i.e., Target does not forward elsewhere Prober Auth NS Auth NS Target Oct 2013May 2014 Simple0.6 %

Verisign Public Forwarder Q2 source address differs from Target address How many to Google? Prober Auth NS Auth NS Target Forwarder Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Oct 2013May 2014 Google Fwds8.3 %8.9 %

Verisign Public No Q2, R2 Error Prober Auth NS Auth NS Target Forwarder RCODEOct 2013May FORMERR0.0 % 2 SERVFAIL10.0 %9.1 % 3 NXDOMAIN3.0 %3.6 % 4 NOTIMPL0.0 % 5 REFUSED86.9 %87.3 % 70.0 % % Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Err No Forward10.8 %12.6 % Didn’t get a Q2 query and got an Error response Usually REFUSED, which is good!

Verisign Public Got Q2, but R2 error code Received the Q2 query, but then got an error response. Usually SERVFAIL Prober Auth NS Auth NS Target Forwarder RCODEOct 2013May FORMERR0.1 %0.4 % 2 SERVFAIL77.5 %75.9 % 3 NXDOMAIN0.4 %0.1 % 4 NOTIMPL0.0 % 5 REFUSED22.0 %23.6 % % Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Err No Forward10.8 %12.6 % Err w/ Forward0.7 %0.5 %

Verisign Public R2 Blocked Received Q2 But no R2 Prober Auth NS Auth NS Target Forwarder ? Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Err No Forward10.8 %12.6 % Err w/ Forward0.7 %0.5 % R2 Blocked4.8 %4.7 %

Verisign Public Synthesized Answers No Q2 R2 had an Answer section with an A record, but wrong value. Many answer with their own IP Prober Auth NS Auth NS Target Forwarder Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Err No Forward10.8 %12.6 % Err w/ Forward0.7 %0.5 % R2 Blocked4.8 %4.7 % Synthesized3.4 %3.6 %

Verisign Public Q2 Missing No Q2, but R2 had an Answer section with correct A record! How? Data collection problem Lucky guess Prober Auth NS Auth NS Target Forwarder Oct 2013May 2014 Simple0.6 % Forwarder79.8 %78.0 % Err No Forward10.8 %12.6 % Err w/ Forward0.7 %0.5 % R2 Blocked4.8 %4.7 % Synthesized3.4 %3.6 % Q2 Missing0.0 % Totals100 % 120 times in Oct 2013 survey 1109 times in May 2014 survey

Verisign Public Weirdness: R2 not from Target Sent query to x.x.x.x Got response from y.y.y.y Prober Auth NS Auth NS Target Forwarder ? Oct 2013May 2014 IP Changed2.1 %2.4 %

Verisign Public Weirdness: Local Port Changed Query sent from port X Response sent to port Y 1560 cases Prober Auth NS Auth NS Target Forwarder X Y Oct 2013May 2014 Local Port

Verisign Public Weirdness: Remote Port Changed Query to port 53 Response from port != 53 Prober Auth NS Auth NS Target Forwarder Oct 2013May 2014 Remote Port46.2 %46.7 %

Verisign Public Weirdness: Q2 with RD=1 Usually queries to Authoritative name servers have RD=0 Prober Auth NS Auth NS Target Forwarder RD=1 Oct 2013May 2014 Q2 RD=

Verisign Public Weirdness: R2 with AA=1 Usually responses from recursive name servers have AA=0 Prober Auth NS Auth NS Target Forwarder AA=1 Oct 2013May 2014 R2 AA=10.7 %0.8 %

Verisign Public Intersection with COM/NET Queriers

Verisign Public Four Verisign “big” sites Only 4 of 13 gtld-servers.net letters COM/NET Query Data

Verisign Public What percent of open resolver exit Ips appear in the COM/NET query data? Example: At Amsterdam, we see 64.3% of the open resolvers IPs in one day. This is 5.2% of all COM/NET IPs seen there. Those IPs are responsible for 51.7% of COM/NET queries at the site. Intersection of open resolvers and COM/NET (Oct 2013)

Verisign Public

Intersection of open resolvers and COM/NET (May 2014)

Verisign Public Geographic Distribution

Verisign Public Open resolvers are massively distributed 232 countries (including special territories) 10,240 different cities 13,887 different organizations (including ISPs) 83,407 different networks (domains) All distributions are heavy tailed (city, org, net, country) Open resolvers/forwarder associations are distributed Includes across country associations Not only limited to well-understood applications, but includes service providers association without territory resolvers Open Resolvers Geographical Distribution

Verisign Public Open Resolvers Geographical Distribution

Verisign Public Per-user distribution is consistent with overall per-country, except in a few cases (small, hop countries) Open Resolvers vs. Internet Usage

Verisign Public Organization Level Distribution – Resolvers

Verisign Public Organization Level Distribution – Open Resolvers Per Forwarder

Verisign Public Organization Level Distribution - log 10 (Forwarders)

Verisign Public Final Thoughts

Verisign Public Key Points Still many millions of Open Resolvers on the Internet The trend is decreasing Most Open Resolvers forward to another recursive About half respond from the wrong port! Open Resolver forwarder IPs are strongly linked to COM/NET queries. Responsible for 50% of the query traffic 42

Verisign Public Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.