Enhanced Secure DNS: A Defense Against DDOS Attacks by David B. Wilkinson University of Colorado at Colorado Springs November 26, 2003


Page 1: Enhanced Secure DNS: A Defense Against DDOS Attacks

Enhanced Secure DNS: A Defense Against DDOS Attacks

by David B. Wilkinson
University of Colorado at Colorado Springs
November 26, 2003

Page 2: DDOS - Distributed Denial of Service

• DDOS attack - A flooding attack directed against one host by many computers across many networks

• Attack consumes victim’s network bandwidth - site becomes very slow or is unavailable to users

• Threat to Internet commerce: In early 2000, DDOS attacks shut down Yahoo, eBay, Amazon, CNN.com, E*Trade, Datek Online, Buy.com and the FBI website for up to a few hours, resulting in millions of dollars in lost revenue

• October 2002: 13 root DNS servers attacked (unsuccessful, but ...)

Page 3: DDOS Attack Architecture

(Diagram) The Attacker controls several Handlers; each Handler controls many Agents (A) running on compromised systems. The Agents send packets to the broadcast addresses of intermediate networks, and the replies from those networks go to the Victim.

Page 4: Types of DDOS Attacks

• SYN Flooding - The agents send out TCP SYN requests to the victim, but do not reply to the SYN-ACK. Large numbers of open connections quickly exhaust available memory [Skoudis 2002].

• Smurf Attack - Agents send to intermediate networks ICMP echo request (“ping”) packets that have source IP address of the victim; victim gets replies

• Fraggle Attack - Flood of datagrams (again with source address of victim) sent to UDP echo port 7 of intermediate hosts; echoes all sent to victim

• SYN-ACK Attack - TCP SYN packets sent to random servers on Internet; SYN-ACKs all go to victim

Page 5: One Possible Solution: “Safe Network Security Practices”

• Egress Filtering - Check source addresses of all packets leaving a network; discard if illegitimate

• Ingress Filtering - Check source addresses of all packets entering a network; discard packets with 127.0.0.1, 192.168.0.1, etc., as source address

• Harden Computers - Close unnecessary ports (e.g., echo port #7); remove services vulnerable to overflow security exploit; install latest patches

• Communicate risks of opening email attachments to employees
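As an added illustration of the two filtering rules on this slide (this is not code from the talk or from BIND): a small Python filter that applies the ingress check and the egress check to a list of constructed packets. The bogon prefix list, the local network 198.51.100.0/24 and the sample packet addresses are assumptions chosen for the example, not values from the slides.

```python
import ipaddress
from dataclasses import dataclass

# Source prefixes that should never arrive on a packet entering from outside
# (loopback, RFC 1918 private space, link-local, multicast, reserved).
# The slide names 127.0.0.1 and 192.168.0.1 as examples; the full list here
# is an assumption, not taken from the talk.
INGRESS_BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass
class Packet:
    src: str
    dst: str


def ingress_ok(pkt, local_net):
    """Accept a packet coming from outside only if its source is neither a
    bogon nor an address that claims to be inside our own network."""
    src = ipaddress.ip_address(pkt.src)
    if any(src in net for net in INGRESS_BOGONS):
        return False
    if src in local_net:  # outside traffic cannot legitimately carry our addresses
        return False
    return True


def egress_ok(pkt, local_net):
    """Let a packet leave only if its source belongs to this network; this is
    what keeps a compromised host here from emitting spoofed flood packets."""
    return ipaddress.ip_address(pkt.src) in local_net


def filter_packets(packets, local_net, direction):
    """Split packets into (accepted, dropped) for 'ingress' or 'egress'."""
    check = ingress_ok if direction == "ingress" else egress_ok
    net = ipaddress.ip_network(local_net)
    accepted, dropped = [], []
    for p in packets:
        (accepted if check(p, net) else dropped).append(p)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample traffic for a network using 198.51.100.0/24 (assumption).
    local = "198.51.100.0/24"
    inbound = [Packet("203.0.113.7", "198.51.100.5"),   # legitimate outside host
               Packet("127.0.0.1", "198.51.100.5"),     # loopback as source
               Packet("192.168.0.1", "198.51.100.5"),   # private space as source
               Packet("198.51.100.9", "198.51.100.5")]  # our own address from outside
    outbound = [Packet("198.51.100.5", "203.0.113.7"),   # genuine local source
                Packet("128.198.60.190", "203.0.113.7")] # spoofed victim address
    for direction, pkts in (("ingress", inbound), ("egress", outbound)):
        acc, drop = filter_packets(pkts, local, direction)
        print(direction, "accepted:", [p.src for p in acc], "dropped:", [p.src for p in drop])
```

The egress rule is the one that matters for Smurf and Fraggle traffic: a packet stamped with the victim's address cannot leave the network that generated it, so the reflected replies never reach the victim.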

Page 6: Another Solution: Secure Collective Defense (SCOLD)

• A network or consortium of participating entities that utilize new capabilities in the Domain Name System (DNS) software to keep an attacked member site available during the attack

• New idea of “Intrusion Tolerance” - attacks will always happen so try to successfully work around them

Page 7: Detail of DDOS attack

(Diagram) Legend: A = Agent, R = Router, G = Gateway. Agents on Net A, Net B and Net C, each network with its own DNS server, send flood traffic through their routers toward the Victim's gateway G.

Page 8: SCOLD System Foils DDOS Attack

(Diagram with 14 numbered steps) Legend: A = Agent, R = Router, G = Gateway, AG = Alternate Gateway, PS = Proxy Server. Flood traffic from agents on Net A, Net B and Net C toward the Victim's gateway G is blocked by the IDS. The SCOLD Coordinator brings in proxy servers PS1, PS2 and PS3; the Client DNS server is rerouted so that client traffic reaches the Victim DNS Server and the Victim through an alternate gateway AG over IP tunnels.

Page 9: My task: Enhance DNS Software, BIND, to meet the needs of SCOLD

Three important areas of change in DNS BIND version 9.2.2:

– New program, nsreroute, that proxy server runs to send a DNS message to client DNS server

– Enhancement of BIND server software for handling incoming nsreroute message. Includes using SSL for authentication between client DNS server and proxy server.

– Enhancement of BIND server software for handling subsequent query for host in victim domain, including retrieval and caching of ALT data type

Page 10: New DNS Functionality

1) When victim detects attack, it issues alert to SCOLD coordinator, which tells proxy server to run nsreroute

2) nsreroute sends messages to all client DNS servers for each client in list of input

3) Client DNS server authenticates message sender

4) Upon successful authentication, client DNS server writes zone for victim’s domain to disk, adds new entry to server configuration file, and reloads zones

5) Client DNS server redirects next query for host in victim zone to victim DNS server through a SCOLD-aware proxy server via IP tunnel

6) Subsequent queries for same host use cached results from previous query

Page 11: How to implement this?

• Use GNU GDB debugger, with DDD GUI, to trace BIND code

• Use nsupdate client program written by the Internet Software Consortium (ISC) as a starting point for creating nsreroute

• Use OpenSSL to implement SSL and public key cryptography for server/sender authentication

• Add a new resource record, ALT (99), to refer to proxy server IP addresses

Page 12: New client program nsreroute

From the command line, run

nsreroute input_file

where input_file contains one reroute entry per client:

reroute client.clientnet1.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. <victim DNS1 address> <victim DNS2 address> <proxy server1 address> <proxy server2 address> … <proxy serverN address>
reroute client.clientnet2.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. <victim DNS1 address> <victim DNS2 address> <proxy server1 address> <proxy server2 address> … <proxy serverN address>
.
.
.
reroute client.clientnetX.com. victimDNSserver1.victimnet.com. victimDNSserver2.victimnet.com. <victim DNS1 address> <victim DNS2 address> <proxy server1 address> <proxy server2 address> … <proxy serverN address>

Page 13: Step 1: nsreroute gets all authoritative DNS servers for client domain

(Diagram) On receiving the alert from the victim, the proxy server asks for the NS records for clientnet.com (Q: Want NS records for clientnet.com) and receives the answer A: DNS1, DNS2, DNS3, the authoritative DNS servers for clientnet.com (DNS2 is the primary master name server).

Example input:

reroute client.clientnet.com. victimdns1.victimnet.com. victimdns2.victimnet.com. 128.198.60.190 128.198.60.191 202.40.60.81 144.85.20.14 162.112.11.72

Page 14: Step 2: nsreroute sends message (“reroutemsg”) to each DNS server at DNS server’s port #53

(Diagram) The proxy server opens a TCP connection to port #53 on each of the authoritative DNS servers for clientnet.com: DNS1, DNS2 (primary master name server) and DNS3.

Page 15: DNS Message Format

Header

Question

Answers

Authority

Additional

Page 16: Basic reroutemsg structure

reroutemsg
  opcode = 7
  authority section = victim_dns list
    victimdns1.victimnet.com (victim_dns)
      list =
        rdataset, type = 1, private1 = rdata_victim: 128.198.60.190
        rdataset_proxy, type = 99, private1 = rdata_proxy[0]: 202.40.60.81, rdata_proxy[1]: 144.85.20.14, rdata_proxy[2]: 162.112.11.72
    victimdns2.victimnet.com (victim_dns2)
      list =
        rdataset2, type = 1, private1 = rdata_victim2: 128.198.60.191
        rdataset_proxy2, type = 99, private1 = rdata_proxy2[0]: 202.40.60.81, rdata_proxy2[1]: 144.85.20.14, rdata_proxy2[2]: 162.112.11.72
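The slide shows the in-memory structure of reroutemsg inside BIND; the wire encoding is not given. The following is an added Python example (not from the talk or from BIND) that builds and parses a DNS message with opcode 7 whose authority section carries the type 1 and type 99 records listed above, using the standard RFC 1035 header and resource-record layout (no name compression). Encoding an ALT record's rdata as a 4-byte IPv4 address, exactly like an A record, is an assumption made for the example.

```python
import socket
import struct

OPCODE_REROUTE = 7   # opcode used by reroutemsg on the slide
TYPE_A = 1
TYPE_ALT = 99        # the new ALT resource record type from the talk
CLASS_IN = 1


def encode_name(name):
    """Dotted name -> RFC 1035 label sequence, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 0 < len(lab) < 64:
            raise ValueError("bad label length")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def encode_header(msg_id, opcode, qd=0, an=0, ns=0, ar=0):
    """12-byte DNS header; the opcode occupies bits 11-14 of the flags word."""
    flags = (opcode & 0xF) << 11
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


def encode_rr(owner, rtype, ttl, ipv4):
    """A or ALT record; both carry a 4-byte IPv4 address as rdata (assumption for ALT)."""
    rdata = socket.inet_aton(ipv4)
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_reroutemsg(msg_id, victim_dns, ttl=86400):
    """victim_dns maps each victim name server to (its A address, [proxy addresses]).
    Every record goes in the authority section, as the slide's structure shows."""
    body, count = b"", 0
    for name, (a_addr, proxies) in victim_dns.items():
        body += encode_rr(name, TYPE_A, ttl, a_addr)
        count += 1
        for proxy in proxies:
            body += encode_rr(name, TYPE_ALT, ttl, proxy)
            count += 1
    return encode_header(msg_id, OPCODE_REROUTE, ns=count) + body


def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not used in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_reroutemsg(buf):
    """Return (opcode, [(owner, type, ttl, address), ...]) from the authority section."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    opcode = (flags >> 11) & 0xF
    off, records = 12, []
    for _ in range(ns):
        owner, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype in (TYPE_A, TYPE_ALT) and rdlen == 4:
            records.append((owner, rtype, ttl, socket.inet_ntoa(rdata)))
    return opcode, records


# The two victim name servers and three proxies from the slide.
SAMPLE_VICTIM_DNS = {
    "victimdns1.victimnet.com.": ("128.198.60.190", ["202.40.60.81", "144.85.20.14", "162.112.11.72"]),
    "victimdns2.victimnet.com.": ("128.198.60.191", ["202.40.60.81", "144.85.20.14", "162.112.11.72"]),
}

if __name__ == "__main__":
    wire = build_reroutemsg(0x1234, SAMPLE_VICTIM_DNS)
    print(len(wire), "bytes;", parse_reroutemsg(wire))
```

A receiving server that does not understand opcode 7 would answer NOTIMP; the modified named in the talk instead dispatches on this opcode and then runs the authentication step of the next slide before trusting any of the records.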

Page 17: Step 3: client DNS server authenticates proxy server via SSL over TCP using DNS server port #5300

(Diagram) The proxy server holds a TCP connection to port #53 on each of DNS1, DNS2 (primary master name server) and DNS3, the authoritative DNS servers for clientnet.com, and opens an SSL connection to port #5300 on each.

• Exchange certificates

• Proxy server verifies authenticity of DNS server cert.

• DNS server verifies proxy server certificate AND checks if proxy cert. is on a list of approved senders

Page 18: Step 4: After successful authentication, DNS server creates new zone file (“db.victimnet.com”) for victimnet.com domain and loads it into memory:

@ IN SOA clientdns.clientnet.com. root.clientnet.com. (
        1    ; Serial
        3h   ; Refresh after 3 hours
        1h   ; Retry after 1 hour
        1w   ; Expire after 1 week
        1h ) ; Negative caching TTL of 1 hour
    IN NS victimdns1.victimnet.com.
    IN NS victimdns2.victimnet.com.
victimdns1.victimnet.com. 86400 IN A   128.198.60.190
victimdns1.victimnet.com. 86400 IN ALT 202.40.60.81
                          86400 IN ALT 144.85.20.14
                          86400 IN ALT 162.112.11.72
victimdns2.victimnet.com. 86400 IN A   128.198.60.191
victimdns2.victimnet.com. 86400 IN ALT 202.40.60.81
                          86400 IN ALT 144.85.20.14
                          86400 IN ALT 162.112.11.72
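As an added example that is not part of the original deck or of the modified BIND: a Python script that parses a reroute entry in the input format from the nsreroute slide, derives the victim zone, and emits the zone file shown above together with the named.conf zone stanza that the client server needs before it reloads its zones. Three details are assumptions made here: the zone is taken to be the parent domain of the victim name-server names, the SOA MNAME and RNAME are derived from the client DNS server name passed in, and the zone is declared as "type master".

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RerouteEntry:
    client: str          # client name from the reroute line
    victim_dns: list     # victim name-server names, in input order
    victim_addrs: list   # one address per victim name server, same order
    proxies: list        # proxy server addresses, shared by every victim server


def _is_addr(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_reroute_line(line):
    """reroute <client> <victim ns>... <victim addr>... <proxy addr>...
    Names come first, then exactly one address per name, then the proxies."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "reroute":
        raise ValueError("line must start with 'reroute' and carry a client and servers")
    client, rest = tokens[1], tokens[2:]
    first_addr = next((i for i, t in enumerate(rest) if _is_addr(t)), len(rest))
    names, addrs = rest[:first_addr], rest[first_addr:]
    if not names or any(not _is_addr(t) for t in addrs):
        raise ValueError("names must precede addresses")
    n = len(names)
    if len(addrs) <= n:
        raise ValueError("need one address per victim DNS server plus at least one proxy")
    return RerouteEntry(client, names, addrs[:n], addrs[n:])


def parse_input_file(text):
    """One RerouteEntry per non-blank line of an nsreroute input file."""
    return [parse_reroute_line(l) for l in text.splitlines() if l.strip()]


def victim_zone(entry):
    """Assumption: the zone is the parent of the victim name-server names."""
    zones = {name.split(".", 1)[1] for name in entry.victim_dns}
    if len(zones) != 1:
        raise ValueError("victim DNS servers must share one zone")
    return zones.pop()                        # e.g. "victimnet.com."


def zone_file(entry, client_dns="clientdns.clientnet.com.", ttl=86400):
    """Text of db.<zone> in the layout of the slide (owner repeated on ALT lines)."""
    rname = "root." + client_dns.split(".", 1)[1]   # assumption: root@<client domain>
    lines = [f"@ IN SOA {client_dns} {rname} (",
             "        1    ; Serial",
             "        3h   ; Refresh after 3 hours",
             "        1h   ; Retry after 1 hour",
             "        1w   ; Expire after 1 week",
             "        1h ) ; Negative caching TTL of 1 hour"]
    lines += [f"    IN NS {ns}" for ns in entry.victim_dns]
    for ns, addr in zip(entry.victim_dns, entry.victim_addrs):
        lines.append(f"{ns} {ttl} IN A {addr}")
        lines += [f"{ns} {ttl} IN ALT {proxy}" for proxy in entry.proxies]
    return "\n".join(lines) + "\n"


def named_conf_stanza(entry):
    """Entry to append to the server configuration file before reloading zones."""
    zone = victim_zone(entry).rstrip(".")
    return f'zone "{zone}" {{ type master; file "db.{zone}"; }};'


# Constructed sample input, using the example line from the nsreroute slides.
SAMPLE_LINE = ("reroute client.clientnet.com. victimdns1.victimnet.com. victimdns2.victimnet.com. "
               "128.198.60.190 128.198.60.191 202.40.60.81 144.85.20.14 162.112.11.72")

if __name__ == "__main__":
    entry = parse_reroute_line(SAMPLE_LINE)
    print(named_conf_stanza(entry))
    print(zone_file(entry))
```

The parser refuses an entry whose address count does not cover every victim name server, which is the case that would otherwise produce a zone with NS records but no A record for one of them.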

Page 19: New behavior for client DNS server for handling query for victim domain

(Diagram) Legend: G = Gateway, AG = Alternate Gateway, PS = Proxy Server. A query (Q) from client.clientnet.com reaches the client DNS server.

Without rerouting zone, the query goes to root, is referred to closer DNS servers one after another, and eventually goes to the victim’s flooded main gateway G (slow).

With rerouting zone, the query goes to an ALT address (ALT = 202.40.60.81), i.e. to a proxy server PS, which reaches the Victim DNS Server through the alternate gateway AG over IP tunnels set up for this purpose (fast); the answer (A) returns the same way.

Page 20: Query also requires retrieval and caching of new ALT data type

(Diagram, two panels)

First query for victim after victim zone installed on client DNS server: the client DNS server forwards the query from client.clientnet.com to the Victim DNS Server; the answer contains ALT records retrieved from the zone database, and the client DNS server caches the ALT records.

Subsequent queries for victim: the answer contains ALT records retrieved from the cache database, so the ALT records included in the victim DNS server message are not needed.

Page 21: Time (in seconds) for proxy server and client DNS server to process reroutemsg

Trial  Client DNS server  Proxy server
1      2.55               2.97
2      2.22               2.36
3      2.17               2.33
4      2.16               2.30
5      2.15               2.38
6      2.15               2.33
7      2.17               2.29
8      2.15               2.35
9      2.19               2.31
10     2.19               2.29

T(proxy server) = T(NS lookup) + T(sending to client DNS)

T(client DNS) = time from ns_reroute_start() to reroutedone_action()

Page 22: Time (in seconds) for query for host in targetnet.csnet.uccs.edu zone. Client DNS server does not have victim’s zone.

Trial  Time
1      0.62
2      2.53
3      2.41
4      2.26
5      4.44
6      14.50
7      0.28
8      0.45
9      4.40
10     12.32

(Diagram) Resolution path, Q = Query, R = Referral: the client DNS server (128.198.61.52) sends Q1 to a root DNS server and gets referral R1 to the “edu” DNS server; Q2 to the “edu” server gets referral R2 to the “uccs.edu” server (128.198.1.250); Q3 gets referral R3 to the “csnet.uccs.edu” server (128.198.60.194); Q4 gets referral R4 to the “targetnet.csnet.uccs.edu” server (128.198.60.190); Q5 to that server returns the Answer.

Page 23: Time (in seconds) for query for host in victim zone. Client DNS server has victim’s reroute zone.

Trial  Time
1      0.33
2      0.29
3      0.15
4      0.13
5      0.22
6      0.22
7      0.22
8      0.22
9      0.14
10     0.22

(Diagram) The client DNS server (128.198.61.52) sends the Query directly to the “targetnet.csnet.uccs.edu” server (128.198.60.190) and receives the Answer.

Page 24: Lessons Learned

• Understanding ISC’s BIND code

• Tracing named daemon process
– must attach to process, not run process

• Default timeouts hamper tracing

• “Clock skew” problems
– made installation take much longer than necessary
– interfered with authentication
– corrected with ntpdate function in crontab file

• Result of caching “NS 128.198.60.194”
– subsequent queries to gandalf failed

• Trying to fork in server

• Problems with reliability of my authentication code

• In the end, everything works correctly, every time

Page 25: Future Work

• Perform more comprehensive tests involving other aspects of DNS (TSIG, DNSSEC, DNS dynamic update, using different views, using other kinds of data types, etc.)

• Try to reduce connection time between reroutemsg sender and client DNS server

• Fork in client DNS server

• Implement incremental zone reloading

• Send reroutemsg to only SOA server and then do zone transfer to other DNS servers; compare total elapsed times

Page 26: Conclusions

New Enhanced BIND v. 9.2.2 has some great features:

• nsreroute program that remotely installs victim zones on client DNS machines

• New zones help clients communicate with another member of the SCOLD consortium that is under attack

• Intrusion tolerance works

• New ALT data type results in faster queries over multiple dynamic paths

• Multiple-path routing capability results in larger aggregate bandwidth for the server