Enhanced Secure DNS: A Defense Against DDOS Attacks by David B. Wilkinson University of Colorado at Colorado Springs November 26, 2003.

Presentation transcript:

DDOS - Distributed Denial of Service
– DDOS attack: a flooding attack directed against one host by many computers across many networks
– The attack consumes the victim’s network bandwidth; the site becomes very slow or is unavailable to users
– Threat to Internet commerce: in early 2000, DDOS attacks shut down Yahoo, eBay, Amazon, CNN.com, E*Trade, Datek Online, Buy.com and the FBI website for up to a few hours, resulting in millions of dollars in lost revenue
– October 2002: 13 root DNS servers attacked (unsuccessful, but...)

DDOS Attack Architecture (diagram): Attacker -> Handler -> Agents (A) on compromised systems -> Victim. The agents send packets to broadcast addresses of intermediate networks, and the replies go to the victim. A = Agent

Types of DDOS Attacks
– SYN Flooding: the agents send TCP SYN requests to the victim but do not reply to the SYN-ACK; large numbers of open connections quickly exhaust available memory [Skoudis 2002]
– Smurf Attack: agents send ICMP echo request (“ping”) packets with the victim’s source IP address to intermediate networks; the victim gets the replies
– Fraggle Attack: a flood of datagrams (again with the victim’s source address) is sent to UDP echo port 7 of intermediate hosts; all echoes go to the victim
– SYN-ACK Attack: TCP SYN packets are sent to random servers on the Internet; all SYN-ACKs go to the victim

One Possible Solution: “Safe Network Security Practices”
– Egress Filtering: check source addresses of all packets leaving a network; discard if illegitimate
– Ingress Filtering: check source addresses of all packets entering a network; discard packets with , , etc., as source address
– Harden Computers: close unnecessary ports (e.g., echo port #7); remove services vulnerable to overflow exploits; install the latest patches
– Communicate the risks of opening attachments to employees

Another Solution: Secure Collective Defense (SCOLD)
– A network or consortium of participating entities that use new capabilities in the Domain Name System (DNS) software to keep an attacked member site available during the attack
– New idea of “Intrusion Tolerance”: attacks will always happen, so try to work around them successfully

Detail of DDOS attack (diagram): agents (A) on Net A, Net B and Net C send traffic through routers (R) toward the victim’s gateway (G); DNS servers are shown on the client and victim networks. Legend: A = Agent, R = Router, G = Gateway

SCOLD System Foils DDOS Attack (diagram): the same agent networks (Net A, Net B, Net C) flood the victim’s gateway (G), with a “Blocked by IDS” marker on that path; the client DNS server reaches the victim DNS server through the SCOLD Coordinator, proxy servers PS1, PS2 and PS3 and an alternate gateway (AG) rather than the victim’s advertised IP. Legend: A = Agent, AG = Alternate Gateway, R = Router, PS = Proxy Server, G = Gateway

My task: Enhance DNS software, BIND, to meet the needs of SCOLD
Three important areas of change in DNS BIND version 9.2.2:
– New program, nsreroute, that the proxy server runs to send a DNS message to the client DNS server
– Enhancement of the BIND server software for handling the incoming nsreroute message, including using SSL for authentication between the client DNS server and the proxy server
– Enhancement of the BIND server software for handling the subsequent query for a host in the victim domain, including retrieval and caching of the ALT data type

New DNS Functionality
1) When the victim detects an attack, it issues an alert to the SCOLD coordinator, which tells the proxy server to run nsreroute
2) nsreroute sends messages to all client DNS servers for each client in the input list
3) The client DNS server authenticates the message sender
4) Upon successful authentication, the client DNS server writes a zone for the victim’s domain to disk, adds a new entry to the server configuration file, and reloads zones
5) The client DNS server redirects the next query for a host in the victim zone to the victim DNS server through a SCOLD-aware proxy server via an IP tunnel
6) Subsequent queries for the same host use cached results from the previous query

How to implement this?
– Use the GNU GDB debugger, with the DDD GUI, to trace BIND code
– Use the nsupdate client program written by the Internet Software Consortium (ISC) as a starting point for creating nsreroute
– Use OpenSSL to implement SSL and public key cryptography for server/sender authentication
– Add a new resource record, ALT (99), to refer to proxy server IP addresses

New client program nsreroute
From the command line, run: nsreroute input_file
where input_file contains:
    reroute client.clientnet1.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. …
    reroute client.clientnet2.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. …
    ….
    reroute client.clientnetX.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. …

Step 1: nsreroute gets all authoritative DNS servers for the client domain
Example input: reroute client.clientnet.com. victimdns1.victimnet.com. victimdns2.victimnet.com
After the alert from the victim, the proxy server asks: Q: Want NS records for clientnet.com; A: DNS1, DNS2, DNS3 (the authoritative DNS servers for clientnet.com; DNS2 is the primary master name server)

Step 2: nsreroute sends a message (“reroutemsg”) from the proxy server over TCP to each authoritative DNS server for clientnet.com (DNS1, DNS2 (primary master name server), DNS3) at the DNS server’s port #53

DNS Message Format: Header, Question, Answers, Authority, Additional

Basic reroutemsg structure
– opcode = 7 (reroutemsg)
– authority section = victim_dns list:
  – victimdns1.victimnet.com
    – rdataset, type = 1 (A): private1 = rdata_victim
    – rdataset_proxy, type = 99 (ALT): private1 = rdata_proxy[0], rdata_proxy[1], rdata_proxy[2]
  – victimdns2.victimnet.com (victim_dns2 list)
    – rdataset2, type = 1 (A): private1 = rdata_victim
    – rdataset_proxy2, type = 99 (ALT): private1 = rdata_proxy2[0], rdata_proxy2[1], rdata_proxy2[2]
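As an added illustration (not BIND or nsreroute code), one way to lay the reroutemsg above out on the wire: a standard DNS header with opcode 7 and, per victim DNS server, one type 1 record plus one type 99 record for each proxy address in the authority section. Carrying each rdataset entry as an ordinary resource record and treating ALT rdata as an IPv4 address are assumptions; the addresses are constructed sample values.

```python
import socket
import struct

# Constructed example, not BIND or nsreroute code: wire-format encoder for the
# reroutemsg layout on the slide. Assumptions: each rdataset entry travels as a
# standard DNS resource record in the authority section, ALT rdata is IPv4 like A.
OPCODE_REROUTE = 7
TYPE_A, TYPE_ALT, CLASS_IN = 1, 99, 1      # ALT is the new private type 99

def encode_name(name):
    """Uncompressed DNS name: each label prefixed by its length, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad DNS label %r in %r" % (label, name))
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def encode_rr(name, rtype, addr, ttl=0):
    """NAME TYPE CLASS TTL RDLENGTH RDATA with 4-byte IPv4 rdata (inet_aton rejects junk)."""
    rdata = socket.inet_aton(addr)
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def build_reroutemsg(msg_id, victims):
    """victims: {victim DNS name: (main address, [proxy/ALT addresses])}.
    Every record goes in the authority section, so QDCOUNT, ANCOUNT and ARCOUNT are 0."""
    body, nscount = b"", 0
    for name, (main_ip, proxies) in victims.items():
        body += encode_rr(name, TYPE_A, main_ip)         # rdata_victim (type 1)
        for ip in proxies:                               # rdata_proxy[0..n] (type 99)
            body += encode_rr(name, TYPE_ALT, ip)
        nscount += 1 + len(proxies)
    flags = OPCODE_REROUTE << 11                         # QR=0, opcode in bits 11-14, no AA/TC/RD
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, nscount, 0) + body

def parse_header(msg):
    """(id, opcode, nscount) from the 12-byte header: the first thing a receiver checks."""
    msg_id, flags, _qd, _an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return msg_id, (flags >> 11) & 0xF, ns

if __name__ == "__main__":
    # Sample values as on the slide: one A address and three proxy (ALT) addresses.
    msg = build_reroutemsg(0x1234, {"victimdns1.victimnet.com.":
                                    ("192.0.2.10", ["198.51.100.1", "198.51.100.2", "198.51.100.3"])})
    print(len(msg), "bytes; header =", parse_header(msg))
```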

Step 3: client DNS server authenticates the proxy server via SSL over TCP, using DNS server port #5300 (the reroutemsg itself arrived on port #53)
– The proxy server and each authoritative DNS server (DNS1, DNS2, DNS3) exchange certificates
– The proxy server verifies the authenticity of the DNS server certificate
– The DNS server verifies the proxy server certificate AND checks that the proxy certificate is on a list of approved senders

Step 4: After successful authentication, the DNS server creates a new zone file (“db.victimnet.com”) for the victimnet.com domain and loads it (address values did not survive in the transcript):
    IN SOA clientdns.clientnet.com. root.clientnet.com. (
        1   ; Serial
        3h  ; Refresh after 3 hours
        1h  ; Retry after 1 hour
        1w  ; Expire after 1 week
        1h  ; Negative caching TTL of 1 hour )
    IN NS victimdns1.victimnet.com.
    IN NS victimdns2.victimnet.com.
    victimdns1.victimnet.com IN A
    victimdns1.victimnet.com IN ALT
                             IN ALT
                             IN ALT
    victimdns2.victimnet.com IN A
    victimdns2.victimnet.com IN ALT
                             IN ALT
                             IN ALT
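The nsreroute input format and the step 4 zone file together, as an added example rather than the project’s own code: a parser for the reroute lines and a generator for db.victimnet.com with the SOA/NS records above plus one A and several ALT records per victim DNS server. The $ORIGIN and $TTL lines, the SOA names passed in, and every address are assumed sample values; “IN ALT” is written in the form the slide uses.

```python
# Constructed example, not code from the project: parse the nsreroute input file
# and write the rerouting zone a client DNS server installs in step 4. All names
# and addresses are made-up samples; ALT is the page's private type 99.

def parse_reroute_input(text):
    """'reroute <client> <victim DNS server>...' lines -> {client: [victim DNS servers]}."""
    clients = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue                                    # blank line
        if parts[0] != "reroute" or len(parts) < 3:
            raise ValueError("line %d: expected 'reroute <client> <victim dns>...'" % lineno)
        clients[parts[1]] = parts[2:]
    return clients

def reroute_zone(victim_zone, soa_mname, soa_rname, victim_dns):
    """victim_dns: {victim DNS server: (main address, [alternate proxy addresses])}.
    Returns the text of db.<victim_zone> as the client DNS server would write it."""
    victim_zone = victim_zone.rstrip(".")
    servers = {n.rstrip("."): v for n, v in victim_dns.items()}
    for name in servers:
        if not name.endswith("." + victim_zone):
            raise ValueError("%s is not a host in %s" % (name, victim_zone))
    out = ["$ORIGIN %s." % victim_zone, "$TTL 1h",
           "@ IN SOA %s. %s. (" % (soa_mname.rstrip("."), soa_rname.rstrip(".")),
           "    1   ; Serial",
           "    3h  ; Refresh after 3 hours",
           "    1h  ; Retry after 1 hour",
           "    1w  ; Expire after 1 week",
           "    1h  ; Negative caching TTL of 1 hour",
           "    )"]
    out += ["@ IN NS %s." % name for name in servers]
    for name, (main_ip, alts) in servers.items():
        out.append("%s. IN A %s" % (name, main_ip))          # via the flooded main gateway
        out += ["%s. IN ALT %s" % (name, ip) for ip in alts]  # via proxy servers / alternate gateway
    return "\n".join(out) + "\n"

SAMPLE_INPUT = """reroute client.clientnet1.com. victimdns1.victimnet.com. victimdns2.victimnet.com.
reroute client.clientnet2.com. victimdns1.victimnet.com. victimdns2.victimnet.com.
"""

if __name__ == "__main__":
    print(parse_reroute_input(SAMPLE_INPUT))
    print(reroute_zone("victimnet.com", "clientdns.clientnet.com", "root.clientnet.com",
                       {"victimdns1.victimnet.com.": ("192.0.2.10", ["198.51.100.1", "198.51.100.2"]),
                        "victimdns2.victimnet.com.": ("192.0.2.11", ["198.51.100.3"])}))
```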

New behavior for client DNS server for handling a query for the victim domain (diagram). Legend: G = Gateway, AG = Alternate Gateway, PS = Proxy Server
– Without the rerouting zone (slow): the query from client.clientnet.com’s DNS server goes to the root, is referred to closer DNS servers, and eventually goes to the victim’s flooded main gateway
– With the rerouting zone (fast): the query goes to an ALT address and reaches the victim DNS server through the proxy server and alternate gateway over an IP tunnel (the diagram shows the SCOLD coordinator setting up the IP tunnels, steps a, b, c)

Query also requires retrieval and caching of the new ALT data type (diagram)
– First query for the victim after the victim zone is installed on the client DNS server: the answer contains ALT records retrieved from the zone database, and the client DNS server caches the ALT records (the ALT records included in the victim DNS server’s message are marked “not needed”)
– Subsequent queries for the victim: the answer contains ALT records retrieved from the cache database

Time (in seconds) for proxy server and client DNS server to process reroutemsg (table with columns Trial, Proxy Server, Client DNS Server; values not preserved in the transcript)
T proxy server = T NS lookup + T sending to client DNS
T client DNS = T ns_reroute_start() to reroutedone_action()

Time (in seconds) for query for host in targetnet.csnet.uccs.edu zone; client DNS server does not have the victim’s zone (table with columns Trial, Time; values not preserved in the transcript). Diagram of the query path: Q1 client DNS server -> root DNS server, referral R1; Q2 -> “edu” DNS server, R2; Q3 -> “uccs.edu” server, R3; Q4 -> “csnet.uccs.edu” server, R4; Q5 -> “targetnet.csnet.uccs.edu” server, Answer. Q = Query, R = Referral

Time (in seconds) for query for host in victim zone; client DNS server has the victim’s reroute zone (table with columns Trial, Time; values not preserved in the transcript). Diagram: the client DNS server sends the Query directly to the “targetnet.csnet.uccs.edu” server and receives the Answer

Lessons Learned
– Understanding ISC’s BIND code
– Tracing the named daemon process: must attach to the process, not run the process; default timeouts hamper tracing
– “Clock skew” problems: made installation take much longer than necessary; interfered with authentication; corrected by running ntpdate from the crontab file
– Result of caching “NS ”: subsequent queries to gandalf failed
– Trying to fork in the server
– Problems with the reliability of my authentication code
– In the end, everything works correctly, every time

Future Work
– Perform more comprehensive tests involving other aspects of DNS (TSIG, DNSSEC, DNS dynamic update, using different views, using other kinds of data types, etc.)
– Try to reduce the connection time between the reroutemsg sender and the client DNS server
– Fork in the client DNS server
– Implement incremental zone reloading
– Send reroutemsg only to the SOA server and then do a zone transfer to the other DNS servers; compare total elapsed times

Conclusions
New Enhanced BIND v has some great features:
– nsreroute program that remotely installs victim zones on client DNS machines
– New zones help clients communicate with another member of the SCOLD consortium that is under attack
– Intrusion tolerance works
– New ALT data type results in faster queries over multiple dynamic paths
– Multiple-path routing capability results in larger aggregate bandwidth for the server