Harness Your Internet Activity. Drilling down into DNS DDoS Data Amsterdam, May 2015 Ralf Weber.

Slides:

Advertisements

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Advertisements

© 2011 Infoblox Inc. All Rights Reserved. Infoblox – control, secure & automate Mike Carroll.

DNSSEC & Validation Tiger Team DHS Federal Network Security (FNS) & Information Security and Identity Management Committee (ISIMC) Earl Crane Department.

Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.

1 Content Delivery Networks iBAND2 May 24, 1999 Dave Farber CTO Sandpiper Networks, Inc.

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Computer Networks: Domain Name System. The domain name system (DNS) is an application-layer protocol for mapping domain names to IP addresses Vacation.

Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

King : Estimating latency between arbitrary Internet end hosts Krishna Gummadi, Stefan Saroiu Steven D. Gribble University of Washington Presented by:

Security Awareness: Applying Practical Security in Your World

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 5 Introduction to DNS in Windows Server 2008.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Water Torture: A Slow Drip DNS DDoS Attack on QTNet

OpenFlow Switch Limitations. Background: Current Applications Traffic Engineering application (performance) – Fine grained rules and short time scales.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

Beyond DDoS: Case Studies on Attack Mitigation for Financial Services Mike Kun and Patrick Laverty, Akamai CSIRT.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

Norman SecureSurf Protect your users when surfing the Internet.

Module 3 DNS Types.

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Middleboxes & Network Appliances EE122 TAs Past and Present.

Distributed Data Stores – Facebook Presented by Ben Gooding University of Arkansas – April 21, 2015.

Interior Gateway Routing Protocol (IGRP) is a distance vector interior routing protocol (IGP) invented by Cisco. It is used by routers to exchange routing.

Harness Your Internet Activity. Zeroing in On Zero Days DNS OARC Spring 2014 Ralf Weber

STRENTHENING YOUR EXTERNAL DNS External DNS Overview DNS Background Strengthening External DNS with Anycast Example of an Anycast DNS Service.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.

POSTECH DP&NM Lab. Internet Traffic Monitoring and Analysis: Methods and Applications (1) 4. Active Monitoring Techniques.

DNS Security Pacific IT Pros Nov. 5, Topics DoS Attacks on DNS Servers DoS Attacks by DNS Servers Poisoning DNS Records Monitoring DNS Traffic Leakage.

DNS Tunneling Mihir Nanavati & Long Zhang {mihirn, April 19th 2010.

BCOP on Anti-Spoofing Long known problem Deployment status Reason for this work Where more input needed.

DNS as a Gatekeeper: Creating Lightweight Capabilities for Server Defense Curtis Taylor Craig Shue

Naming March 8, Networks What is naming?  Associations between some elements in a set of names and some elements in a set of values  Binding.

Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.

Information Session DNS Service level recommendations and experiences.

Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates Day, 2007.

2.1 © 2004 Pearson Education, Inc. Exam Designing a Microsoft ® Windows ® Server 2003 Active Directory and Network Infrastructure Lesson 2: Examining.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 19 Domain Name System (DNS)

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

DNS Cache Poisoning. History 1993 – DNS protocol allowed attacker to inject false data which was then cached 1997 – BIND 16-bit transaction ids not randomized,

ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.

PRACTICAL INTRODUCTION TO INTERNET TECHNOLOGY. Practical one PACKET DELAY AND LOSS IN INTERNET In this experiment, you will observe real delays and loss.

A Network Security -Firewall Bruce Turin.

Network Components Kortney Horton LTEC October 20, 2013 Assignment 3.

Firewalls. Intro to Firewalls Basically a firewall is a barrier to keep destructive forces away from your computer network.

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.

Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.

Networking (Cont’d). Congestion Control l Is achieved by informing nodes along a route that congestion has occurred and asking them to reduce their packet.

Matt Jennings.  What is DDoS?  Recent DDoS attacks  History of DDoS  Prevention Techniques.

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

SMOOTHWALL FIREWALL By Nitheish Kumarr. INTRODUCTION  Smooth wall Express is a Linux based firewall produced by the Smooth wall Open Source Project Team.

Swiss NREN protection with DNS RPZ

© 2013 Infoblox Inc. All Rights Reserved. Paul UKNOF 26 – 13 Sep 2013, London Paul Ebersman.

Harness Your Internet Activity. AAAA Deep Dive DNS-OARC, Buenos Aires March 2016 Ralf Weber.

By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.

© 2014 ISC Tales of the unexpected - handling unusual DNS client behaviour UKNOF29 – Cathy Almond, ISC.

High performance recursive DNS solution

DNS Security Issues SeongHo Cho DPNM Lab., POSTECH

Measurement-based Design

DNS-Based DDoS Evolving Threat UKNOF Sept 2015 Manchester, UK

Proactive Network Protection Through DNS

Firewalls Jiang Long Spring 2002.

Presentation transcript:

Harness Your Internet Activity

Drilling down into DNS DDoS Data Amsterdam, May 2015 Ralf Weber

Random Subdomain Attacks 2014 Data

– Quieter in Some Ways JANFEBMARAPR 2015 Data All quiet???

4 major categories of attacks distinguished by: –Randomization algorithms –Use of open DNS proxies or bots –Traffic patterns – intensity, duration, ToD –Domains attacked LOTS of other attack activity out in the long tail 5 Observations

Use of open resolvers/proxies still predominates –Installed base around 17M –Trend toward more stealthy attacks –Only send enough traffic to bring down authorities –Highly distributed attacks – 1000s of open resolvers –Often low intensity per IP –Interesting recent example: 6 Observations

Bot based attacks –Tend to be few IPs - tens to hundreds –High to very high intensity per IP - Up to 1000s of QPS/IP - Long tail with lower QPS –Recent interesting example: rutgers.edu 7 Observations

Considerable stress on DNS infrastructure: –Resolvers Queries require recursion Working around failed or slow authorities Stress concentrates as authorities fail –Authorities Unexpopected spikes exceed provisioned limits New rate limiting approaches –Limit traffic to authorities Ingress filtering –Drop incoming queries based on policy 8 Remediation is Needed

Testing Efficiency of Rate Limiting Authoritative Server Attack Traffic Internet ISP Resolver User traffic

Testing Efficiency of Rate Limiting Authoritative Server Attack Traffic Internet ISP Resolver User traffic Authoritative Outbund rate limiting Inggess policy based filtering

Test impact of outbound rate limiting different software –BIND –Power DNS –Unbound –Vantio CacheServe Auth Server only answers at a certain rate –Two domains (one at 100qps, one at 1 qps) –Domains only have one authoritative server –Normal User traffic gets 100% replies –Insert Attack Traffic –This will overflow the auth server rate 11 Setup for Testing Rate Limiting

Server HW –Intel E5-2690V2, 20 cores/40 threads, –128 GB, 4TB disks –10 Gig Ethernet, 4G Internet connection dnsperf - simulate “normal” customer traffic –10kqps: normal traffic, sampled from Euro ISP –100 qps: traffic for 2 domains (99 + 1) being attacked tcpreplay – simulate attack traffic – 2 * 5,000 qps for two domains, result is Nxdomain 12 Test Method: HW, Resolvers, Traffic Sources

Run all traffic for 15 minutes Do a couple of runs to –Preload cache –Rule out problems at one point in time This is running over the Internet –Packet Loss is expected –Test server to auth has a ~150ms round trip Count packets –At machine running dnsperf –At authoritative server 13 Test Method: Execution

14 Test Diagram 100qps 1qps Redwood City, CA Authoritative Servers dnsperf tcpreplay Regensberg, Germany good traffic 10kqps background 100qps for test domains attack traffic 2 * 5000 qps for two domains Resolver 2 domains being attacked other resolutions Rate limits should not be hit for normal traffic Resolver and authoritative servers record traffic

15 Run good traffic: User results

16 Run good traffic: Test domains results

17 Run good traffic: Authoritiative Server Results

18 System Stats Vantio Power DNS Bind Unbound

19 Run attack traffic – Compare with normal

20 Run protected attack traffic: User results

21 Run good traffic: User results

22 Run protected attack traffic: Test domains results

23 Run good traffic: Test domains results

24 Run protected attack traffic: Authoritiative Server Results

25 Run good traffic: Authoritiative Server Results

26 System Stats Vantio Power DNS Bind Unbound

27 Results: Resolver Traffic 9,000,000 queries Resolver Test runTypeNo ErrorNXDomainLostServfail Vantio3Good Attack ingress filter7Attack PDNS3Good Attack Bind3Good Attack unprotect7Attack Unbound8Good Attack

28 Results: Attack domains SoftwareTest RunType No Error Lost Servfail Auth Noerror Auth NXDomain Auth Dropped CS73Good Attack ingress filter7Attack PDNS3Good Attack Bind3Good Attack unprotect7Attack Unbound8Good Attack

Random subdomain attacks can affect normal user traffic Outbound rate limiting protections works great for non affected traffic Outbound rate limiting does not protect the attacked domain Ingress list based filtering does 29 Take aways

April –Alexa Rank – 574 Attack lasted ~10 hours Used open home gateways Also widely publicized attacks Summer Recent Attacks:

{random}. sample 40 mins of traffic{random}. –Total queries 735M –Total clients 10.6M –Attack queries 37.9M (5.15%of total) –Attack clients 79.7 thousand (0.75% of total) –Average QPS per attacking client =.2 31 Flying Under the Radar

April 28, 2015 –Alexa Rank 3,805 Many earlier attacks {random}.rutgers.edu Sample 60 mins traffic{random}.rutgers.edu –Total queries 1.01 Billion –Attack queries19.1 Million –Total clients11.1 Million –Attack clients238 –Average QPS per client= Recent Attacks: rutgers.edu

Whitelist to protect legitimate queries Blocklist to eliminate malicious traffic 33 Challenge: Protecting Good Traffic liebiao.800fy.com. wuyangairsoft.com. *. *. liebiao.800fy.com. *. *. wuyangairsoft.com.

Query: Answered, protected by whitelist Query: avytafkjad. Blocked by blocklist Query: www2.appledaily.com.tw. Answered through normal resolution 34 Examples

Constant DNS Based DDoS evolution Open Home Gateways remain a problem Malware-based exploits create broad exposure Not clear where attacks are headed Evidence attackers refining techniques Remediation needs to be undertaken with care Clients want answers!! Critical to protect good traffic 35 Summary