Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Speculation on DNS DDOS

Published byOphelia Mosley Modified over 5 years ago

Similar presentations

Presentation on theme: "A Speculation on DNS DDOS"— Presentation transcript:

1 A Speculation on DNS DDOS
Some thoughts about for Geoff Huston APNIC

2 What we know about the October DYN attack…
Well – guess - from the snippets that have been released… It was a Mirai attack It used a compromised device collection It used a range of attack vectors TCP SYN, TCP ACK, GRE, … One of these was DNS

3 DDOS Attacks Are nothing new – unfortunately
And our response is often responding like for like Build thicker and thicker bunkers of bandwidth and processing capacity that can absorb the attacks And leave the undefended open space as toxic wasteland! But using the DNS for attacks opens some new possibilities…

4 What we understand about direct DNS DDOS attacks
These are not reflection/ amplification attacks They are directed at the authoritative name servers / root servers It loads the authoritative servers with query traffic It can saturate the carriage / switching infrastructure of the server It can exhaust the server itself of resources so it drops “legitimate” queries The attack queries look exactly like other queries that are seen at these servers So front end pattern matching and filtering may not work The qname is likely to be <random>.target so as to defeat caches and simple filters These queries look just like Chrome’s behaviour!

5 The intended outcome of the attack
Because the <random>.target qname form will defeat the recursive resolver caching function, the query is passed to the auth name server to resolve With an adequately high query volume, the authoritative server will start to discard queries due to resource starvation The result is that the target name will fade away on the Internet as recursive resolvers’ cache entries expire, and they cannot refresh their cache from the authoritative servers

6 Possible Mitigations – 1
”A Bigger Bunker” Add more Foo More authoritative name servers More bandwidth to authoritative name servers More CPU and memory to authoritative name servers i.e. deploy more ”foo” and try and absorb the attack at the authoritative name server infrastructure while still answering “legitimate” queries

7 Possible Mitigations - 2
Longer TTLs: Low TTL’s make the auth servers more vulnerable because recursives need to refer to authoritatives more frequently With a longer TTL, the attack will still happen, but the legit recursives may not get a cache expiry so quickly The recursive resolvers will still serve cached names from their cache even when the authoritative name server is offline Attackers will need to attack for longer intervals to cause widespread visible damage But.. Nobody likes to cement their DNS with long TTLs And current recursive resolvers don’t seem to honour longer TTLs anyway!

8 Possible Mitigations – 3
Filter queries: Try to get a fix on the <random> name component in the queries Set of a front end query filter and block these queries But This is just tail chasing!

9 Possible Mitigations - 4
What if the attacking devices are passing the queries directly to the authoritative name servers? Filter IP addresses!

10 All resolvers might be equal, but some resolvers are more equal than others!
8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

11 Possible Mitigations - 4
“Filter Filter Filter” (IP sources) Only 8,000 discrete IP addresses account for more than 90% of the users’ DNS queries These are the main recursive resolvers used by most of the internet – so its probably good to answer them! Put all other source IP address queries on a lower priority resolution path within the authoritative name server Divide queriers into separate queues of “Friends” and “Strangers”: Just like SMTP!

12 Possible Mitigations - 5
What if the devices are passing the queries via recursive resolvers?

13 Possible Mitigations - 5
Get assistance! Use DNSSEC and apply NSEC Aggressive caching * The attack will generate NXDOMAIN answers So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly This can be done with the combination of DNSSEC and NSEC signing, using the NSEC span response to then respond to further queries within the span without reference to the authoritative servers This means that the recursive system absorbs the DNS query attack and does not refer the queries back to the auth servers * draft-ietf-dnsop-nsec-aggressiveuse-05

14 If only… Piecemeal solutions deployed in a piecemeal fashion will see attackers pick off the vulnerable again and again And the long term answer is not bigger and thicker walls, as the IoT volumes will always be higher We need to think again how to leverage the existing DNS resolution infrastructure to be more resilient And for that we probably need to talk about this openly and constructively and see if we can be smarter and make a more resilient DNS infrastructure And for that we probably need to talk about the DNS and DNSSEC and how it works, and how it can work for us to defend these attacks

Download ppt "A Speculation on DNS DDOS"

Similar presentations

Measuring IP Performance Geoff Huston Telstra. What are you trying to measure? User experience –Responsiveness –Sustained Throughput –Application performance.

Measuring IP Performance Geoff Huston Telstra. What are you trying to measure? User experience –Responsiveness –Sustained Throughput –Application performance.
DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.

DNS Proxy Bypass by Recursive DNS Discovery and LOCAL.ARPA draft-ietf-dns-recursive-discovery Ray Bellis IETF76 DNSOP WG Hiroshima, 11 th November 2009.
Review iClickers. Ch 1: The Importance of DNS Security.

Review iClickers. Ch 1: The Importance of DNS Security.
RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.

RRSIG:“I certify that this DNS record set is correct” Problem: how to certify a negative response, i.e. that a record doesn’t exist? NSEC:“I certify that.
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.

Open Resolvers in COM/NET Resolution Duane Wessels, Aziz Mohaisen DNS-OARC 2014 Spring Workshop Warsaw, Poland.
A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:

A Question of Protocol Geoff Huston APNIC. Originally there was RFC791:
Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.

Harness Your Internet Activity. DNS-Based DDoS Evolving Threat RIPE May 2015 Amsterdam Ralf Weber Bruce Van Nice.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Module 3 DNS Types.

Module 3 DNS Types.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)

TELE 301 Lecture 11: DNS 1 Overview Last Lecture –Scheduled tasks and log management This Lecture –DNS Next Lecture –Address assignment (DHCP)
Geoff Huston APNIC Labs

Geoff Huston APNIC Labs
Paper Presentation – CAP 6135. Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.

Paper Presentation – CAP Page 2 Outline Review - DNS Proposed Solution Simulation Results / Evaluation Discussion.
October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.

October 8, 2015 University of Tulsa - Center for Information Security Microsoft Windows 2000 DNS October 8, 2015.
Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.

Lecture 1 Page 1 CS 239, Fall 2010 Distributed Denial of Service Attacks and Defenses CS 239 Advanced Topics in Computer Security Peter Reiher September.
DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.

DDOS. Methods – Syn flood – Icmp flood – udp Common amplification vectors – NTP 557 – CharGen 359 – DNS 179 – QOTD 140 – Quake 64 – SSDP 31 – Portmap28.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.

* Agenda  What is the DNS ?  Poisoning the cache  Short term solution  Long term solution.
Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.

Mitigating DNS DoS Attacks Hitesh Ballani, Paul Francis 1.

Similar presentations

Ads by Google