Download pdf - Thoughts about DNS for DDoS

Transcript
Page 1: Thoughts about DNS for DDoS

A Specula*on on DNS DDOS Geoff Huston

APNIC

Some thoughts about

for

Page 2: Thoughts about DNS for DDoS

Well–guess-fromthesnippetsthathavebeenreleased…ItwasaMiraia9ackItusedacompromiseddevicecollec<onItusedarangeofa9ackvectors

TCPSYN,TCPACK,GRE,…OneofthesewasDNS

What we know about the October DYN a9ack…

Page 3: Thoughts about DNS for DDoS

DDOS A9acks

Arenothingnew–unfortunately

AndourresponseisoLenrespondinglikeforlike

•  Buildthickerandthickerbunkersofbandwidthandprocessingcapacitythatcanabsorbthea9acks

•  Andleavetheundefendedopenspaceastoxicwasteland!

ButusingtheDNSfora9acksopenssomenewpossibili<es…

Page 4: Thoughts about DNS for DDoS

What we understand about direct DNS DDOS a9acks

Thesearenotreflec<on/amplifica<ona9acksTheyaredirectedattheauthorita<venameservers/rootserversItloadstheauthorita<veserverswithquerytraffic

Itcansaturatethecarriage/switchinginfrastructureoftheserverItcanexhausttheserveritselfofresourcessoitdrops“legi<mate”queries

Thea9ackquerieslookexactlylikeotherqueriesthatareseenattheseservers

Sofrontendpa9ernmatchingandfilteringmaynotworkTheqnameislikelytobe<random>.targetsoastodefeatcachesandsimplefiltersThesequerieslookjustlikeChrome’sbehaviour!

Page 5: Thoughts about DNS for DDoS

The intended outcome of the a9ack

• Becausethe<random>.targetqnameformwilldefeattherecursiveresolvercachingfunc<on,thequeryispassedtotheauthnameservertoresolve

• Withanadequatelyhighqueryvolume,theauthorita<veserverwillstarttodiscardqueriesduetoresourcestarva<on

•  TheresultisthatthetargetnamewillfadeawayontheInternetasrecursiveresolvers’cacheentriesexpire,andtheycannotrefreshtheircachefromtheauthorita<veservers

Page 6: Thoughts about DNS for DDoS

Possible Mi*ga*ons – 1

”ABiggerBunker”AddmoreFoo

•  Moreauthorita<venameservers•  Morebandwidthtoauthorita<venameservers

•  MoreCPUandmemorytoauthorita<venameservers

•  i.e.deploymore”foo”andtryandabsorbthea9ackattheauthorita<venameserverinfrastructurewhiles<llanswering“legi<mate”queries

Page 7: Thoughts about DNS for DDoS

Possible Mi*ga*ons - 2

LongerTTLs:•  LowTTL’smaketheauthserversmorevulnerablebecauserecursivesneedtorefertoauthorita<vesmorefrequently

•  WithalongerTTL,thea9ackwills<llhappen,butthelegitrecursivesmaynotgetacacheexpirysoquickly

•  Therecursiveresolverswills<llservecachednamesfromtheircacheevenwhentheauthorita<venameserverisoffline

•  A9ackerswillneedtoa9ackforlongerintervalstocausewidespreadvisibledamage

But..•  NobodylikestocementtheirDNSwithlongTTLs•  Andcurrentrecursiveresolversdon’tseemtohonourlongerTTLs

anyway!

Page 8: Thoughts about DNS for DDoS

Possible Mi*ga*ons – 3

Filterqueries:•  Trytogetafixonthe<random>namecomponentinthequeries•  Setofafrontendqueryfilterandblockthesequeries

•  But•  Thisisjusttailchasing!

Page 9: Thoughts about DNS for DDoS

Possible Mi*ga*ons - 4

Whatifthea9ackingdevicesarepassingthequeriesdirectlytotheauthorita<venameservers?FilterIPaddresses!

Page 10: Thoughts about DNS for DDoS

All resolvers might be equal, but some resolvers are more equal than others!

8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

Page 11: Thoughts about DNS for DDoS

Possible Mi*ga*ons - 4

“FilterFilterFilter”(IPsources)Only8,000discreteIPaddressesaccountformorethan90%oftheusers’DNSqueriesThesearethemainrecursiveresolversusedbymostoftheinternet–soitsprobablygoodtoanswerthem!PutallothersourceIPaddressqueriesonalowerpriorityresolu<onpathwithintheauthorita<venameserverDividequeriersintoseparatequeuesof“Friends”and“Strangers”:JustlikeSMTP!

Page 12: Thoughts about DNS for DDoS

Possible Mi*ga*ons - 5

Whatifthedevicesarepassingthequeriesviarecursiveresolvers?

Page 13: Thoughts about DNS for DDoS

Possible Mi*ga*ons - 5

Getassistance!UseDNSSECandapplyNSECAggressivecaching*•  Thea9ackwillgenerateNXDOMAINanswers•  SowhynotgettherecursiveresolversclosertotheindividualdevicestoanswertheNXDOMAINquerydirectly

•  Thiscanbedonewiththecombina<onofDNSSECandNSECsigning,usingtheNSECspanresponsetothenrespondtofurtherquerieswithinthespanwithoutreferencetotheauthorita<veservers

•  ThismeansthattherecursivesystemabsorbstheDNSquerya9ackanddoesnotreferthequeriesbacktotheauthservers

*draL-iei-dnsop-nsec-aggressiveuse-05

Page 14: Thoughts about DNS for DDoS

If only…

•  Piecemealsolu<onsdeployedinapiecemealfashionwillseea9ackerspickoffthevulnerableagainandagain•  Andthelongtermanswerisnotbiggerandthickerwalls,astheIoTvolumeswillalwaysbehigher• Weneedtothinkagainhowtoleveragetheexis<ngDNSresolu<oninfrastructuretobemoreresilient•  Andforthatweprobablyneedtotalkaboutthisopenlyandconstruc<velyandseeifwecanbesmarterandmakeamoreresilientDNSinfrastructure•  AndforthatweprobablyneedtotalkabouttheDNSandDNSSECandhowitworks,andhowitcanworkforustodefendthesea9acks


Recommended

Network Security DNS, DDOS and Firewallscs161/sp15/slides/... · Network Security DNS, DDOS and Firewalls April 15, 2015 Lecture by Kevin Chen Slides credit: Vern Paxson, Dawn Song
Network Security DNS, DDOS and Firewallscs161/sp15/slides/... · Network Security DNS, DDOS and Firewalls April 15, 2015 Lecture by Kevin Chen Slides credit: Vern Paxson, Dawn Song Documents
Anycast vs. DDoS: Evaluating Nov. 2015 Root DNS event
Anycast vs. DDoS: Evaluating Nov. 2015 Root DNS event Documents
Protecting DNS Critical Infrastructure Solution Overviewdocs.alexomar.com/biblioteca/Protecting Critical...presents Radware’s DDoS DNS attack mitigation solution and its unique differentiators
Protecting DNS Critical Infrastructure Solution Overviewdocs.alexomar.com/biblioteca/Protecting Critical...presents Radware’s DDoS DNS attack mitigation solution and its unique differentiators Documents
DYN SECONDARY DNS - oracle.com · Created Date: 9/1/2017 3:33:31 PM Title: DYN SECONDARY DNS Keywords: DNS, DYN, Oracle, Cloud, Digital Business, DDoS
DYN SECONDARY DNS - oracle.com · Created Date: 9/1/2017 3:33:31 PM Title: DYN SECONDARY DNS Keywords: DNS, DYN, Oracle, Cloud, Digital Business, DDoS Documents
NEAR REAL TIME DNS REPORTING MITIGATES DDOS ATTACKS · One major Service Provider wanted to minimize the risk of internal DDoS attacks on its subscriber Domain Name System (DNS)—the
NEAR REAL TIME DNS REPORTING MITIGATES DDOS ATTACKS · One major Service Provider wanted to minimize the risk of internal DDoS attacks on its subscriber Domain Name System (DNS)—the Documents
DNS DDoS mitigation using Amazon Route 53 and AWS Shield
DNS DDoS mitigation using Amazon Route 53 and AWS Shield Technology
DNS, DNSSEC and DDOS
DNS, DNSSEC and DDOS Documents
DNS Hizmetine Yönetlik DoS/DDoS Saldırıları
DNS Hizmetine Yönetlik DoS/DDoS Saldırıları Documents
DNS DNS SPS ThreatAvertdnsops.jp/event/20180627/DNSセキュリティはDNSで... · 2018-09-11 · DNS DNS " " SPS ThreatAvert DNS " DDoS ( $30 5+ 2018*6-27, ! " %&#1 '.46)/2 ©Akamai
DNS DNS SPS ThreatAvertdnsops.jp/event/20180627/DNSセキュリティはDNSで... · 2018-09-11 · DNS DNS " " SPS ThreatAvert DNS " DDoS ( $30 5+ 2018*6-27, ! " % '.46)/2 ©Akamai Documents
Enhanced Secure DNS: A Defense Against DDOS Attacks
Enhanced Secure DNS: A Defense Against DDOS Attacks Documents
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoS Internet
DDoS Defenders: Don't Take DNS for Granted · and global reach of DNS makes it the perfect target for Distributed Denial of Service (DDoS) and other sophisticated attacks. Front-page
DDoS Defenders: Don't Take DNS for Granted · and global reach of DNS makes it the perfect target for Distributed Denial of Service (DDoS) and other sophisticated attacks. Front-page Documents
DDoS Resilience in the Fast DNS Infrastructure...not limited to a specific industry. On October 21, 2016, Internet of Things-fueled DDoS attacks on Dyn Managed DNS infrasture prevented
DDoS Resilience in the Fast DNS Infrastructure...not limited to a specific industry. On October 21, 2016, Internet of Things-fueled DDoS attacks on Dyn Managed DNS infrasture prevented Documents
Dynamically Selecting Defenses to DDoS for DNS (extended) · on the DNS server. The main threat of a DDoS attack is to exhaust some resource at the target victim. As an example, in
Dynamically Selecting Defenses to DDoS for DNS (extended) · on the DNS server. The main threat of a DDoS attack is to exhaust some resource at the target victim. As an example, in Documents
Surving DNS DDos Attacks 2017 v1 - Secure64 · server - that incorporates DDoS countermeasures directly into the operating system, allowing it to remain responsive to legitimate DNS
Surving DNS DDos Attacks 2017 v1 - Secure64 · server - that incorporates DDoS countermeasures directly into the operating system, allowing it to remain responsive to legitimate DNS Documents
Estrategias de mitigación de amenazas a las aplicaciones. INFOSECURITY... · Estrategias de mitigación de amenazas a las aplicaciones. ... DNS, SIP DDoS Network ... • DNS DOS:
Estrategias de mitigación de amenazas a las aplicaciones. INFOSECURITY... · Estrategias de mitigación de amenazas a las aplicaciones. ... DNS, SIP DDoS Network ... • DNS DOS: Documents
DDoS Resilience in the Fast DNS Infrastructure · DDoS Resilience in the Fast DNS Infrastructure Akamai operates an authoritative DNS service similar to Dyn Managed DNS. Akamai architected
DDoS Resilience in the Fast DNS Infrastructure · DDoS Resilience in the Fast DNS Infrastructure Akamai operates an authoritative DNS service similar to Dyn Managed DNS. Akamai architected Documents
DNS DNS SPS ThreatAvert‚»キュリティは... · 2018. 9. 11. · DNS DNS " " SPS ThreatAvert DNS " DDoS ( $30 5+ 2018*6-27, ! " %&#1 '.46)/2 ©Akamai Technologies, 2018
DNS DNS SPS ThreatAvert‚»キュリティは... · 2018. 9. 11. · DNS DNS " " SPS ThreatAvert DNS " DDoS ( $30 5+ 2018*6-27, ! " % '.46)/2 ©Akamai Technologies, 2018 Documents