Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

Slides:



Advertisements
Similar presentations
(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Advertisements

Review iClickers. Ch 1: The Importance of DNS Security.
Thank you to IT Training at Indiana University Computer Malware.
© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.
David Grochocki et al.  Lures Potential attackers  Smartmeters do two way communication  Millions of Meters has to be replaced  Serious damages just.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Secure SharePoint mobile connectivity
Sweeping lame DNS reverse delegations APNIC16 – DNS Operations SIG Seoul, Korea, 20 August 2003.
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
 Unlike other forms of computer attacks, goal isn’t access or theft of information or services  The goal is to stop the service from operating o.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
On the Feasibility of Large-Scale Infections of iOS Devices
DNS. Outline r Domain Name System r DNS Hierarchy r Resolution.
Water Torture: A Slow Drip DNS DDoS Attack on QTNet
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Internet Security In the 21st Century Presented by Daniel Mills.
Norman SecureSurf Protect your users when surfing the Internet.
Module 3 DNS Types.
Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber
1 Domain Name System (DNS). 2 DNS: Domain Name System Internet hosts: – IP address (32 bit) - used for addressing datagrams – “name”, e.g.,
Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
OSP201 Security and complexity are often inversely proportional. Security and usability are often inversely proportional. Security is an investment,
Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.
Harness Your Internet Activity. Drilling down into DNS DDoS Data Amsterdam, May 2015 Ralf Weber.
Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Chapter 13 Microsoft DNS Server n DNS server: A Microsoft service that resolves computer names to IP addresses, such as resolving the computer name Brown.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.
1 How to 0wn the Internet in Your Spare Time Authors: Stuart Staniford, Vern Paxson, Nicholas Weaver Publication: Usenix Security Symposium, 2002 Presenter:
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Module 8 DNS Tools & Diagnostics. Objectives Understand dig and nslookup Understand BIND toolset Understand BIND logs Understand wire level messages.
BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.
Open Resolver Project Results from 2 months of active scans
DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.
Scenario: Internet Attack Eunice Huang. What is DDoS? A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to.
Denial-of-Service, Address Ownership,and,Early Authentication in IPv6 World (An Approach) Aditya Vutukuri From article by Pekka Nikander Ericsson Research.
Denial of Service Datakom Ht08 Jesper Christensen, Patrick Johansson, Robert Kajic A short introduction to DoS.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL DNS Security with AntiDDoS and AntiMalware for.
Module  Introduction Introduction  Techniques and tools used to commit computer crimes Techniques and tools used to commit computer crimes.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
Network Security Threats KAMI VANIEA 18 JANUARY KAMI VANIEA 1.
1. Internet hosts:  IP address (32 bit) - used for addressing datagrams  “name”, e.g., ww.yahoo.com - used by humans DNS: provides translation between.
Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.
Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.
So DNS is A client-server application that maps domain names into their corresponding IP addresses with the help of name servers. Mapping domain names.
Basics of the Domain Name System (DNS) By : AMMY- DRISS Mohamed Amine KADDARI Zakaria MAHMOUDI Soufiane Oujda Med I University National College of Applied.
John S. Otto Mario A. Sánchez John P. Rula Fabián E. Bustamante Northwestern, EECS.
© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.
Monitoring, analyzing and cleaning DNS configuration errors across European NRENs Slavko Gajin University of Belgrade, Serbia
Swiss NREN protection with DNS RPZ
© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul Ebersman.
Harness Your Internet Activity. AAAA Deep Dive DNS-OARC, Buenos Aires March 2016 Ralf Weber.
Measuring the Leakage of Onion at the Root A measurement of Tor’s.onion pseudo-top-level domain in the global domain name system Aziz Mohaisen Verisign.
© 2014 ISC Tales of the unexpected - handling unusual DNS client behaviour UKNOF29 – Cathy Almond, ISC.
High performance recursive DNS solution
A Speculation on DNS DDOS
Unit 5: Providing Network Services
A Speculation on DNS DDOS
DNS-Based DDoS Evolving Threat UKNOF Sept 2015 Manchester, UK
6. Application Software Security
Defencebyte THE PERFECT SECURITY FOR YOUR COMPUTER.
Presentation transcript:

Harness Your Internet Activity

DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice

Random Subdomain Attacks 2014 Data

– Quieter in Some Ways JANFEBMARAPR 2015 Data All quiet???

5 Typical “Day in the Life” DNS Queries Seen at Resolvers DDoS Other

6 Typical Day in The Life DDoS Queries Seen at a Resolver Amplification Random Subdomain

Use of open resolvers/proxies still predominates –Installed base around 17 M –Trend toward more stealthy attacks - Send enough traffic to bring down authorities –Highly distributed attacks – 1,000s of open resolvers per attack –Often low intensity per IP –Interesting recent example: 7 Observations

Bot based attacks –Tend to be few IPs - tens to hundreds –High to very high intensity per IP - Up to 1000s of QPS/IP - Long tail with lower QPS –Recent interesting example: rutgers.edu 8 Observations

Attacks Using Bots Internet 2 Authoritative Server Recursive queries Bot infected devices 3 NXD responses ISP Target Web Site ISP Resolver Queries with randomized subdomains 1 Home Gateways

Network scans for vulnerable devices: Home gateways or other “Things” Attempts login with default passwords Many utilities at the attackers disposal Load and run malware 10 What’s Happening? Other vectors possible: Bots with loaders, Rompager

Considerable stress on DNS infrastructure: Resolvers Queries require recursion (computationally expensive) Working around failed or slow authorities Stress concentrates as authorities fail Authorities Unexpected query spikes exceed provisioned limits 11 The Problem

Minimize work for resolvers Eliminate bad traffic to authoritative servers Answer legitimate queries Answer legitimate queries for attacked domains –don’t drop, don’t SERVFAIL Two approaches being used: –Rate limit traffic to authorities –Ingress filtering How do they behave in practice? 12 Goals for Remediation

Testing Efficiency of Rate Limiting Authoritative Server Attack Traffic Internet ISP Resolver User traffic Authoritative Outbund rate limiting Inggess policy based filtering

14 Test Diagram 100qps 1qps Redwood City, CA Authoritative Servers dnsperf tcpreplay Regensberg, Germany good traffic 10kqps background 100qps for test domains attack traffic 2 * 5000 qps for two domains Resolver 2 domains being attacked other resolutions Rate limits should not be hit for normal traffic Resolver and authoritative servers record traffic

15 Run good traffic: User results

16 Run good traffic: Test domains results

17 Run good traffic: Authoritative Server Results

18 System Stats Vantio Power DNS Bind Unbound

19 Run attack traffic – Compare with normal

20 Run protected attack traffic: User results

21 Run good traffic: User results

22 Run protected attack traffic: Test domains results

23 Run good traffic: Test domains results

24 Run protected attack traffic: Authoritiative Server Results

25 Run good traffic: Authoritative Server Results

26 System Stats Vantio Power DNS Bind Unbound

27 Results: Resolver Traffic 9,000,000 queries Resolver Test runTypeNo ErrorNXDomainLostServfail Vantio3Good Attack ingress filter7Attack PDNS3Good Attack Bind3Good Attack unprotect7Attack Unbound8Good Attack

28 Results: Attack domains SoftwareTest RunType No Error Lost Servfail Auth Noerror Auth NXDomain Auth Dropped CS73Good Attack ingress filter7Attack PDNS3Good Attack Bind3Good Attack unprotect7Attack Unbound8Good Attack

29 Test Results Summary Ingress Filtering Rate Limit Authorities Eliminate bad traffic to authoritative servers YESSOME Correctly answer legitimate queries (don’t drop, don’t SERVFAIL) YES Correctly answer legitimate queries for attacked domains YESNO

Constant DNS Based DDoS evolution Open Home Gateways remain a problem Malware-based exploits create broad exposure Not clear where attacks are headed Evidence attackers refining techniques Remediation needs to be undertaken with care 30 Summary

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.