A Specula*on on DNS DDOS Geoff Huston
APNIC
Some thoughts about
for
Well–guess-fromthesnippetsthathavebeenreleased…ItwasaMiraia9ackItusedacompromiseddevicecollec<onItusedarangeofa9ackvectors
TCPSYN,TCPACK,GRE,…OneofthesewasDNS
What we know about the October DYN a9ack…
DDOS A9acks
Arenothingnew–unfortunately
AndourresponseisoLenrespondinglikeforlike
• Buildthickerandthickerbunkersofbandwidthandprocessingcapacitythatcanabsorbthea9acks
• Andleavetheundefendedopenspaceastoxicwasteland!
ButusingtheDNSfora9acksopenssomenewpossibili<es…
What we understand about direct DNS DDOS a9acks
Thesearenotreflec<on/amplifica<ona9acksTheyaredirectedattheauthorita<venameservers/rootserversItloadstheauthorita<veserverswithquerytraffic
Itcansaturatethecarriage/switchinginfrastructureoftheserverItcanexhausttheserveritselfofresourcessoitdrops“legi<mate”queries
Thea9ackquerieslookexactlylikeotherqueriesthatareseenattheseservers
Sofrontendpa9ernmatchingandfilteringmaynotworkTheqnameislikelytobe<random>.targetsoastodefeatcachesandsimplefiltersThesequerieslookjustlikeChrome’sbehaviour!
The intended outcome of the a9ack
• Becausethe<random>.targetqnameformwilldefeattherecursiveresolvercachingfunc<on,thequeryispassedtotheauthnameservertoresolve
• Withanadequatelyhighqueryvolume,theauthorita<veserverwillstarttodiscardqueriesduetoresourcestarva<on
• TheresultisthatthetargetnamewillfadeawayontheInternetasrecursiveresolvers’cacheentriesexpire,andtheycannotrefreshtheircachefromtheauthorita<veservers
Possible Mi*ga*ons – 1
”ABiggerBunker”AddmoreFoo
• Moreauthorita<venameservers• Morebandwidthtoauthorita<venameservers
• MoreCPUandmemorytoauthorita<venameservers
• i.e.deploymore”foo”andtryandabsorbthea9ackattheauthorita<venameserverinfrastructurewhiles<llanswering“legi<mate”queries
Possible Mi*ga*ons - 2
LongerTTLs:• LowTTL’smaketheauthserversmorevulnerablebecauserecursivesneedtorefertoauthorita<vesmorefrequently
• WithalongerTTL,thea9ackwills<llhappen,butthelegitrecursivesmaynotgetacacheexpirysoquickly
• Therecursiveresolverswills<llservecachednamesfromtheircacheevenwhentheauthorita<venameserverisoffline
• A9ackerswillneedtoa9ackforlongerintervalstocausewidespreadvisibledamage
But..• NobodylikestocementtheirDNSwithlongTTLs• Andcurrentrecursiveresolversdon’tseemtohonourlongerTTLs
anyway!
Possible Mi*ga*ons – 3
Filterqueries:• Trytogetafixonthe<random>namecomponentinthequeries• Setofafrontendqueryfilterandblockthesequeries
• But• Thisisjusttailchasing!
Possible Mi*ga*ons - 4
Whatifthea9ackingdevicesarepassingthequeriesdirectlytotheauthorita<venameservers?FilterIPaddresses!
All resolvers might be equal, but some resolvers are more equal than others!
8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments
Possible Mi*ga*ons - 4
“FilterFilterFilter”(IPsources)Only8,000discreteIPaddressesaccountformorethan90%oftheusers’DNSqueriesThesearethemainrecursiveresolversusedbymostoftheinternet–soitsprobablygoodtoanswerthem!PutallothersourceIPaddressqueriesonalowerpriorityresolu<onpathwithintheauthorita<venameserverDividequeriersintoseparatequeuesof“Friends”and“Strangers”:JustlikeSMTP!
Possible Mi*ga*ons - 5
Whatifthedevicesarepassingthequeriesviarecursiveresolvers?
Possible Mi*ga*ons - 5
Getassistance!UseDNSSECandapplyNSECAggressivecaching*• Thea9ackwillgenerateNXDOMAINanswers• SowhynotgettherecursiveresolversclosertotheindividualdevicestoanswertheNXDOMAINquerydirectly
• Thiscanbedonewiththecombina<onofDNSSECandNSECsigning,usingtheNSECspanresponsetothenrespondtofurtherquerieswithinthespanwithoutreferencetotheauthorita<veservers
• ThismeansthattherecursivesystemabsorbstheDNSquerya9ackanddoesnotreferthequeriesbacktotheauthservers
*draL-iei-dnsop-nsec-aggressiveuse-05
If only…
• Piecemealsolu<onsdeployedinapiecemealfashionwillseea9ackerspickoffthevulnerableagainandagain• Andthelongtermanswerisnotbiggerandthickerwalls,astheIoTvolumeswillalwaysbehigher• Weneedtothinkagainhowtoleveragetheexis<ngDNSresolu<oninfrastructuretobemoreresilient• Andforthatweprobablyneedtotalkaboutthisopenlyandconstruc<velyandseeifwecanbesmarterandmakeamoreresilientDNSinfrastructure• AndforthatweprobablyneedtotalkabouttheDNSandDNSSECandhowitworks,andhowitcanworkforustodefendthesea9acks