Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Speculation on DNS DDOS

Published byJudith Charles Modified over 6 years ago

Similar presentations

Presentation on theme: "A Speculation on DNS DDOS"— Presentation transcript:

1 A Speculation on DNS DDOS
Some thoughts about for Geoff Huston APNIC

2 What we know… Well – guess - from the snippets that have been released… It was a Mirai attack It used a compromised device collection It used a range of attack vectors TCP SYN, TCP ACK, GRE, … One of these was DNS

3 DDOS Attacks Are nothing new – unfortunately
And our response is often responding like for like Build bunkers of bandwidth and processing capacity that can absorb the attacks And leave the undefended open space as toxic wasteland! But using the DNS for attacks opens some new possibilities…

4 What we guess about the DNS attack
The attack queries looked like queries that are often seen at authoritative name servers So front end pattern matching and filtering may not work It loaded the authoritative servers with legitimate queries So its likely it was <random>.target queries to defeat caches and simple filters Just like Chrome!

5 The victim set Authoritative DNS name servers for the attacked domain names Because the <random> name form will defeat the recursive resolver caching function and the query is passed to the auth name server to resolve The result is that the name will fade out once recursive resolvers’ cache entries expire, and they cannot refresh

6 Possible Mitigations – 1
”A Bigger Gun” More Foo Add more authoritative name servers Add more bandwidth to authoritative name servers Add more CPU and memory to authoritative name servers i.e. more ”foo” and try and absorb the attack at the authoritative name server infrastructure

7 Possible Mitigations - 2
Longer TTLs: Low TTL’s make you more vulnerable because recursives need to refer to authoritatives more frequently With a longer TTL, the attack will still happen, but the legit recursives may not get a cache expiry so quickly The recursive resolvers will still serve cached names from their cache even when the authoritative name server is offline Attackers will need to attack for longer intervals to cause widespread visible damage But.. Nobody likes to cement their DNS with long TTLs And recursive resolvers won’t honor longer TTLs anyway!

8 Possible Mitigations – 3
Filter queries: Try to get a fix on the <random> name component in the queries Set of a front end query filter and block these But This is just tail chasing!

9 Possible Mitigations - 4
What if the devices are passing the queries directly to the authoritative name servers? Filter IP addresses!

10 All resolvers might be equal, but some resolvers are more equal than others!
8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

11 Possible Mitigations - 4
“Filter Filter Filter” (IP sources) Only 8,000 discrete IP addresses account for more than 90% of the users’ DNS queries These are the main recursive resolvers used by most of the internet – answer them! Put all other source IP address queries on a lower priority resolution path within the authoritative name server Divide queriers into “Friends” and “Strangers”: Just like SMTP!

12 Possible Mitigations - 5
What if the devices are passing the queries via recursive resolvers?

13 Possible Mitigations - 5
Get assistance! (Yes, I’m dreaming, but it’s a Good Dream!) Use DNSSEC and apply NSEC Aggressive caching The attack will generate NXDOMAIN answers So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly This can be done with the combination of DNSSEC and NSEC signing, using the NSEC span response to then respond to further queries within the span without reference to the authoritative servers This means that the recursive system absorbs the attack and does not refer the queries back to the authoritatives

14 If only… Piecemeal solutions deployed in a piecemeal fashion will see attackers pick off the vulnerable again and again And the long term answer is not bigger walls, as the IoT volumes will always be higher We need to think again how to leverage the existing DNS resolution infrastructure to be more resilient And for that we probably need to talk about this openly and constructively and see if we can be smarter and make a more resilient DNS infrastructure And for that we probably need to talk about the DNS and DNSSEC and how it works, and how it can work for us

Download ppt "A Speculation on DNS DDOS"

Similar presentations

Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.

Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:

A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
Module 3 DNS Types.

Module 3 DNS Types.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
IIT Indore © Neminath Hubballi

IIT Indore © Neminath Hubballi
Paper Presentation – CAP 6135. Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.

Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.

Packet Filtering & Firewalls. Stateless Packet Filtering Assume We can classify a “good” packet and/or a “bad packet” Each rule can examine that single.
DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.

DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.
Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…

Measuring DNSSEC Use Geoff Huston APNIC Labs. We all know…
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.

Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.
DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.

DNSSEC – Issues and Achievements Geoff Huston APNIC Labs.
DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.

DNS Security 1. Fundamental Problems of Network Security Internet was designed without security in mind –Initial design focused more on how to make it.
What if Everyone Did It? Geoff Huston APNIC Labs.

What if Everyone Did It? Geoff Huston APNIC Labs.
Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.

Harness Your Internet Activity. Random Subdomain Attacks Plaguing the Internet.

Similar presentations

Ads by Google