Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.


1 Harness Your Internet Activity

2 DNS-Based DDoS: Evolving Threat. RIPE, May 2015, Amsterdam. Ralf Weber, Bruce Van Nice

3 2014 Random Subdomain Attacks (chart: 2014 data)

4 2015 – Quieter in Some Ways (chart: 2015 data, Jan–Apr). All quiet???

5 Typical “Day in the Life” (chart: DNS queries seen at resolvers, DDoS vs. other)

6 Typical Day in the Life (chart: DDoS queries seen at a resolver, amplification vs. random subdomain)

7 Observations
Use of open resolvers/proxies still predominates
– Installed base around 17 M
– Trend toward more stealthy attacks: send enough traffic to bring down authorities
– Highly distributed attacks: 1,000s of open resolvers per attack
– Often low intensity per IP
– Interesting recent example: www.appledaily.com

8 Observations
Bot-based attacks
– Tend to be few IPs: tens to hundreds
– High to very high intensity per IP: up to 1,000s of QPS/IP, long tail with lower QPS
– Recent interesting example: rutgers.edu

9 Attacks Using Bots (diagram): bot-infected devices behind home gateways send queries with randomized subdomains to the ISP resolver (1); the resolver sends recursive queries across the Internet to the authoritative server of the target web site (2); the authoritative server returns NXD responses (3).

10 What’s Happening?
Network scans for vulnerable devices: home gateways or other “Things”
Attempts login with default passwords
Many utilities at the attacker’s disposal
Load and run malware
Other vectors possible: bots with loaders, Rompager

11 The Problem
Considerable stress on DNS infrastructure:
Resolvers: queries require recursion (computationally expensive); working around failed or slow authorities; stress concentrates as authorities fail
Authorities: unexpected query spikes exceed provisioned limits

12 Goals for Remediation
Minimize work for resolvers
Eliminate bad traffic to authoritative servers
Answer legitimate queries
Answer legitimate queries for attacked domains – don’t drop, don’t SERVFAIL
Two approaches being used:
– Rate limit traffic to authorities
– Ingress filtering
How do they behave in practice?

13 Testing Efficiency of Rate Limiting (diagram): attack traffic and user traffic from the Internet reach the ISP resolver, which forwards queries to the authoritative server; two control points are shown: outbound rate limiting toward the authoritative server and ingress policy-based filtering at the resolver.

14 Test Diagram: dnsperf and tcpreplay in Regensburg, Germany, send traffic to the resolver; authoritative servers in Redwood City, CA (arrow labels: 100qps, 1qps). Good traffic: 10 kqps background plus 100 qps for the test domains. Attack traffic: 2 × 5000 qps for two domains. 2 domains being attacked; other resolutions continue. Rate limits should not be hit for normal traffic. Resolver and authoritative servers record traffic.

15 Run good traffic: User results (chart)

16 Run good traffic: Test domains results (chart)

17 Run good traffic: Authoritative Server Results (chart)

18 System Stats (chart: Vantio, PowerDNS, Bind, Unbound)

19 Run attack traffic – Compare with normal

20 Run protected attack traffic: User results (chart)

21 Run good traffic: User results (chart)

22 Run protected attack traffic: Test domains results (chart)

23 Run good traffic: Test domains results (chart)

24 Run protected attack traffic: Authoritative Server Results (chart)

25 Run good traffic: Authoritative Server Results (chart)

26 System Stats (chart: Vantio, PowerDNS, Bind, Unbound)

27 Results: Resolver Traffic (9,000,000 queries per test run; each row sums to 9,000,000)
Resolver  Run  Type                    No Error  NXDomain  Lost  Servfail
Vantio    3    Good                    8987622   12248     74    56
Vantio    5    Attack                  8988291   11576     100   33
Vantio    7    Attack, ingress filter  8978049   20668     1142  141
PDNS      3    Good                    8989007   9477      94    1422
PDNS      5    Attack                  8986967   8767      2868  1398
Bind      3    Good                    8986205   11537     231   2027
Bind      5    Attack                  8985913   11571     371   2145
Bind      7    Attack, unprotected     7497150   19291     5436  1478123
Unbound   8    Good                    8982254   17309     287   150
Unbound   9    Attack                  8975942   17114     901   6043

28 Results: Attack domains (columns: Software, Test Run, Type, No Error, Lost, Servfail, Auth Noerror, Auth NXDomain, Auth Dropped; the cell values of each row are run together in the transcript)
CS 3 Good 89970030899700
CS 5 Attack 14500885501459368480790
CS 7 Attack, ingress filter 899950050899800
PDNS 3 Good 89929 071899500
PDNS 5 Attack 807139587798991631762131
Bind 3 Good 9000000900000
Bind 5 Attack 560289438 5676836670
Bind 7 Attack, unprotected 331016086530 332943152538256
Unbound 8 Good 90000001640100
Unbound 9 Attack 431168558491048110417843

29 Test Results Summary
Goal                                                              Ingress Filtering  Rate Limit Authorities
Eliminate bad traffic to authoritative servers                    YES                SOME
Correctly answer legitimate queries (don’t drop, don’t SERVFAIL)  YES (only one value given for this row)
Correctly answer legitimate queries for attacked domains          YES                NO

30 Summary
Constant DNS-based DDoS evolution
Open home gateways remain a problem
Malware-based exploits create broad exposure
Not clear where attacks are headed
Evidence attackers are refining techniques
Remediation needs to be undertaken with care

