Water Torture: A Slow Drip DNS DDoS Attack on QTNet

Slides:



Advertisements
Similar presentations
The leader in session border control for trusted, first class interactive communications.
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
1 Address Resolution Protocol (ARP) Relates to Lab 2. This module is about the address resolution protocol.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
SYSTEM ADMINISTRATION Chapter 19
Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.
1 DNS. 2 BIND DNS –Resolve names to IP address –Resolve IP address to names (reverse DNS) BIND –Berkeley Internet Name Domain system Version 4 is still.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
Everything. MACIP End-host IP: MAC: 11:11:11:11:11 gateway IP: MAC: 22:22:22:22:22 Google server IP: MACIP MACInterfaceMACInterface.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Support Protocols and Technologies. Topics Filling in the gaps we need to make for IP forwarding work in practice – Getting IP addresses (DHCP) – Mapping.
Chapter 16 – DNS. DNS Domain Name Service This service allows client machines to resolve computer names (domain names) to IP addresses DNS works at the.
Page 19/13/2015 Chapter 8 Some conditions that must be met for host to host communication over an internetwork: a default gateway must be properly configured.
DNS: Domain Name System
DNS (Domain Name System) Protocol On the Internet, the DNS associates various sorts of information with domain names. A domain name is a meaningful and.
1 DNS: Domain Name System People: many identifiers: m SSN, name, Passport # Internet hosts, routers: m IP address (32 bit) - used for addressing datagrams.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
1 Application Layer Lecture 6 Imran Ahmed University of Management & Technology.
Chapter 1: Introduction to Web Applications. This chapter gives an overview of the Internet, and where the World Wide Web fits in. It then outlines the.
Software Firewalls © N. Ganesan, Ph.D.. Module Objectives Explore the features of a software firewall such as Zone Alarm Pro.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 9 Basic Router Troubleshooting.
Internet Ethernet Token Ring Video High Speed Router Host A: Client browser: REQUEST:http//mango.ee.nogradesu.edu/c461.
DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.
Day 14 Introduction to Networking. Unix Networking Unix is very frequently used as a server. –Server is a machine which “serves” some function Web Server.
The Inter-network is a big network of networks.. The five-layer networking model for the internet.
Chapter 19 - Binding Protocol Addresses
Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
CCNA 2 Week 9 Router Troubleshooting. Copyright © 2005 University of Bolton Topics Routing Table Overview Network Testing Troubleshooting Router Issues.
Guide to TCP/IP, Third Edition Chapter 8: The Dynamic Host Configuration Protocol.
Internet Address and Domain Name Service (DNS)
Presented by Rebecca Meinhold But How Does the Internet Work?
BAI513 - PROTOCOLS ARP BAIST – Network Management.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
DNS DNS overview DNS operation DNS zones. DNS Overview Name to IP address lookup service based on Domain Names Some DNS servers hold name and address.
UNIT 2 LESSON 10 CS PRINCIPLES. UNIT 2 LESSON 10 OBJECTIVES Students will be able to: Describe how a system of DNS servers support IP lookups. Explain.
Cisco 2 - Routers Perrine. J Page 112/19/2015 Chapter 8 TCP/IP Error Message Some of the conditions that must be met in order for host to host communication.
Sample DNS configurations. Example 1: Master 'master' DNS and is authoritative for this zone for example.com provides 'caching' services for all other.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2000 Chapter 10 Internet Group Management Protocol (IGMP)
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
NETWORKING (2) Dr. Andy Wu BCIS 4630 Fundamentals of IT Security.
Networking (Cont’d). Congestion Control l Is achieved by informing nodes along a route that congestion has occurred and asking them to reduce their packet.
Grades update. Homework #1 Count35 Minimum Value47.00 Maximum Value Average
Matt Jennings.  What is DDoS?  Recent DDoS attacks  History of DDoS  Prevention Techniques.
End-host IP: MAC: 11:11:11:11:11 gateway IP: MAC: 22:22:22:22:22 Google server IP: interne t interface DNS server IP:
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
MAN-IN-THE-MIDDLE ATTACK STEGANOGRAPHY Lab# MAC Addresses and ARP  32-bit IP address:  network-layer address  used to get datagram to destination.
1 Address Resolution Protocol (ARP). 2 Overview 3 Need for Address Translation Note: –The Internet is based on IP addresses –Local area networks use.
أمن المعلومات لـ أ. عبدالرحمن محجوب حمد mtc.edu.sd أمن المعلومات Information Security أمن المعلومات Information Security  أ. عبدالرحمن محجوب  Lec (5)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Instructor Materials Chapter 9: Testing and Troubleshooting
Address Resolution Protocol (ARP)
Internet Control Message Protocol (ICMP)
DNS security.
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
Internet Control Message Protocol (ICMP)
TCP/IP Networking An Example
Internet Control Message Protocol (ICMP)
ITL Simple Diagnostic Tools
Address Resolution Protocol (ARP)
Chapter 10 IGMP Prof. Choong Seon HONG.
DNS: Domain Name System
Presentation transcript:

Water Torture: A Slow Drip DNS DDoS Attack on QTNet Kei Nishida, Network Center Kyushu Telecommunication Network Co.,Inc

About QTNet Company Name Services Wide-Area Ethernet FTTH Kyushu Telecommunication Network Co., Inc. (QTNet, for short) Telecommunicasions carrier in Kyushu , Japan Services Wide-Area Ethernet FTTH Internet Access,VoIP,TV Q

What is Water Torture? A type of Distributed denial-of-service attack to DNS Servers. Authoritative DNS servers is the target of this attack. However, as a side effect, Cache DNS Server(Internet service     providers DNS server) ‘s load is increased. Since January 2014, this attack has been reported around the world. Attack is ongoing. January 2014 bps

Overview of the Attack part 1 the Attacker command his botnets. So many bots send to send a small number of random queries to open resolvers(Customer Broadband routers). Open resolvers send random queries to Cache DNS Server. Cache DNS Servers send random queries to Authoritative DNS Server. Botnets DNS Query abcdefg1.example.com abcdefg2. example.com abcdefg3. example.com and so on Attacker 1. … Authoritative DNS Server (example.com) 2. Open Resolvers 4. 3. Cache DNS Server

Overview of the Attack part 2 Authoritative DNS servers go down with many DNS queries which are sent by Cache DNS Servers(Internet service providers DNS servers) Cache DNS Server(Internet Service providers DNS server) go down with many DNS queries which are sent by Open resolvers = customer broadband routers.

QTNet Case -Overview From 29 May. 2014, queries from botnets grown up. QTNet Cache DNS Server was effected by these traffic. Alarm occurs the system resources of Cache DNS Server has reached the limit value. Some customers informed that they could not access some web sites by their devices. To Block the Attack, we tried some measures.

QTNet Case -Traffic from Botnets The areas which are colored indicate the specific botnet ip address. 1/2 traffic was came from non specific botnet ip address. 29 May 30 1 June 31 non specific specific Traffic of 53 port destination from Internet to QTNet Network

QTNet Case -Traffic from Botnets Is a tendency of traffic has changed from June 14. non specific 15 10 Jun 11 12 13 14 Traffic of 53 port destination from Internet to QTNet Network

QTNet Case –Cache DNS Server

QTNet Case –How to Block the Attack 1 We put the zones which is target of attack on Cache DNS Servers. Like this. $TTL xxxxxx @ IN SOA localhost. localhost. ( 2014052900 ; Serial [yyyymmddhh] xxh ; Refresh[xxh] xxh ; Retry [xxh] xxd ; Expire [xxd] xxd ) ; Minimum[xxd] IN NS localhost. Cache DNS Server could reply “NXDOMAIN” without contacting to Authoritative DNS Server. However,… The zone of target was changed frequently. Our operators had to monitor the attack and put the zones manually 24 hours a day.

QTNet Case –How to Block the Attack 2 We use the iptables module (hashlimit) on Cache DNS Servers. The packets to the same authoritative DNS server from the cache DNS Server, setting a certain threshold by hashlimit. The packets which are over the limits are rejected with icmp-port-unreachable message. So, Cache DNS Server can reply “SERVFAIL” without contacting to Authoritative DNS Server. Iptables Overview

QTNet Case – Additional measures The fundamental problems are open resolvers and traffic from the botnets. We are asking customers to update their broadband router’s firmware(so as not be open resolvers).

QTNet Case – Additional measures We think IP53B. Block the destination port 53(udp) traffic from the internet to QTNet customer(dynamic ip address only).

Summary QTNet could block “Water Torture: A Slow Drip DNS DDoS Attack “ by iptables hashlimit module. Operation of "allow list" is necessary. The fundamental problems are open resolvers and traffic from the botnets. Some vendors have released the DNS protocol base block functions, not Layer-3 base block. We are expecting that these functions goes well.

References Yasuhiro Orange Morishita@JPRS: About Water Torture http://2014.seccon.jp/dns/dns_water_torture.pdf (accessed Jun 7th 2015) SECURE64 BLOG -Water Torture: A Slow Drip DNS DDoS Attack https://blog.secure64.com/?p=377 (accessed Jun 7th 2015)

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.