Nominum Research

• 2 Terabytes of data analyzed per day
– Anonymized from ISPs worldwide
– Estimated to be about 3% of ISP DNS resolver traffic
• Team of data scientists
• Algorithms searching for:
– DDoS
– Bots
– Malware
– Machine-generated traffic
– Etc.

Introduction

• DNS-based DDoS attacks are increasing
– DNS amplification
– Random subdomain attacks (the focus of this presentation)
• Attack vectors
– Open home gateways
– New: bot malware
• Stress on DNS worldwide

DNS Queries – One Day’s Data 02/09/15

[Pie charts; recoverable values only]
DNS queries: 88% "good" queries, 12% malicious queries
Malicious queries: 80% random subdomain, 15% amplification, 5% bot command & control

Random Subdomain Attacks

Example query (random label prepended to the target name):
wxctkzubkb..liebiao.800fy.com
• Queries with random subdomains are answered NXDOMAIN (NXD)
• Lots of work for resolvers: every such query misses the cache and requires recursion
• Lots of work for authoritative servers: large query spikes

Different Kinds of “Random”

Different random label patterns = different attacks:
nbpdestuvjklz.pay.shop6996.com.
1lHecqrP.xboot.net.
hxdfmo.iyisa.com.
a6ca.cubecraft.net.
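The detection logic these slides describe (random labels answered NXDOMAIN, labels that never repeat, different character-class patterns, and special care for popular names), as an added example that is not Nominum's code: it aggregates a constructed resolver query log by zone and flags zones whose traffic is mostly NXDOMAIN and mostly never-repeated labels, then records the dominant label pattern and whether the zone is popular enough to need whitelist policy rather than a block. The log line format, the thresholds, the "last two labels" zone rule and the small popularity set are assumptions made for the example.

```python
"""Detect random-subdomain floods in resolver query logs.

Added example (not Nominum's code). The log format is an assumption:
one query per line, '<timestamp> <client_ip> <qname> <qtype> <rcode>'.
"""
import math
import random
import re
from collections import Counter, defaultdict

MIN_QUERIES = 50     # too little traffic to judge below this (assumed threshold)
NX_RATIO = 0.8       # share of NXDOMAIN answers that marks a flood (assumed)
UNIQUE_RATIO = 0.8   # share of leftmost labels that never repeat (assumed)

# Constructed stand-in for an Alexa-style popularity list (not the deck's data).
POPULAR_ZONES = {"baidu.com", "asus.com", "bet365.com"}

# Label character-class patterns; order matters (first match wins).
_PATTERNS = [
    ("lower-alpha", re.compile(r"^[a-z]+$")),
    ("digits", re.compile(r"^[0-9]+$")),
    ("hex", re.compile(r"^[0-9a-f]+$")),
    ("mixed-alnum", re.compile(r"^[0-9A-Za-z]+$")),
]


def label_pattern(label):
    """Classify the character class of one label, e.g. 'a6ca' -> 'hex'."""
    for name, rx in _PATTERNS:
        if rx.match(label):
            return name
    return "other"


def entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_domain(qname):
    """Zone key for aggregation. Simplification (assumption): the last two
    labels; a public-suffix list is needed to handle names like amazon.co.uk."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode}


def analyse(lines):
    """Per-zone statistics plus a verdict and the action the slides suggest:
    block a low-profile zone outright, but apply whitelist policy to a popular one."""
    per_zone = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            per_zone[registered_domain(rec["qname"])].append(rec)
    report = {}
    for zone, recs in per_zone.items():
        labels = [r["qname"].split(".")[0] for r in recs]   # leftmost label only
        n = len(recs)
        s = {
            "queries": n,
            "nx_ratio": sum(r["rcode"] == "NXDOMAIN" for r in recs) / n,
            "unique_ratio": len(set(labels)) / n,
            "mean_entropy": sum(entropy(l) for l in labels) / n,
            "pattern": Counter(map(label_pattern, labels)).most_common(1)[0][0],
            "popular": zone in POPULAR_ZONES,
        }
        s["attack"] = (n >= MIN_QUERIES and s["nx_ratio"] >= NX_RATIO
                       and s["unique_ratio"] >= UNIQUE_RATIO)
        s["action"] = ("allow" if not s["attack"]
                       else "whitelist-policy" if s["popular"] else "block-zone")
        report[zone] = s
    return report


def make_sample_log(seed=1):
    """Constructed sample traffic (not real data): one flood against a low-profile
    zone, one against a popular zone mixed with its legitimate traffic, and
    ordinary repeated queries for a popular name."""
    rng = random.Random(seed)
    lower = "abcdefghijklmnopqrstuvwxyz"
    mixed = lower + lower.upper() + "0123456789"

    def rand_label(alphabet, k):
        return "".join(rng.choice(alphabet) for _ in range(k))

    lines = []
    for i in range(200):
        lines.append(f"2015-02-09T19:00:{i % 60:02d} 10.0.0.{i % 20 + 1} "
                     f"{rand_label(lower, 12)}.pay.shop6996.com. A NXDOMAIN")
    for i in range(70):
        lines.append(f"2015-02-09T19:00:{i % 60:02d} 10.0.1.{i % 10 + 1} "
                     f"{rand_label(mixed, 8)}.asus.com. A NXDOMAIN")
    for i in range(15):
        sub = ("www", "support", "rog")[i % 3]
        lines.append(f"2015-02-09T19:00:{i % 60:02d} 10.0.2.{i % 5 + 1} {sub}.asus.com. A NOERROR")
    for i in range(100):
        lines.append(f"2015-02-09T19:00:{i % 60:02d} 10.0.3.{i % 30 + 1} www.baidu.com. A NOERROR")
    return lines


if __name__ == "__main__":
    for zone, s in analyse(make_sample_log()).items():
        print(f"{zone:15} n={s['queries']:4} nx={s['nx_ratio']:.2f} "
              f"uniq={s['unique_ratio']:.2f} H={s['mean_entropy']:.2f} "
              f"{s['pattern']:12} -> {s['action']}")
```

Run it as a script to see the three zones side by side: the two flooded zones have NXDOMAIN and unique-label ratios near 1 and high label entropy, while the repeated www.baidu.com queries have neither. Because asus.com is on the popularity set, the verdict is "whitelist-policy" rather than a zone-wide block, which is the distinction the next slides make.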

Popular Names are Attacked

Alexa 1000 Names                  Rank
baidu.com.                           5
blog.sina.com.cn.                   13
xlscq.blog.163.com.                 56
amazon.co.uk.                       65
www.bet365.com.                    265
www.lady8844.com.                  389
d3n9cbih5qfgv5.cloudfront.net.     458
www.appledaily.com.tw.             565
asus.com.                          702

Need to Protect Good Traffic to Popular Domains

Attacks on popular names must be handled carefully: fine-grained policy and whitelists
• About 9% of the names attacked are popular
• Attack on asus.com (computers and phones)
– 190 legitimate subdomains
• Attack on mineplex.com (Minecraft gaming site)
– 78 legitimate subdomains
• ~2% of queries are to legitimate subdomains (good traffic that must not be blocked)

Attacks Using Open DNS Proxies

[Diagram: compromised hosting on the Internet → open DNS proxy (home gateway) in the ISP → ISP resolver → authoritative server of the target web site]
1. Compromised hosting on the Internet sends queries with randomized subdomains to an open DNS proxy (home gateway) inside the ISP
2. The home gateway forwards the queries to the ISP resolver, which sends recursive queries to the target web site's authoritative server
3. NXD responses flow back along the same path

Open Resolvers Are Declining

[Chart: open resolvers in millions (axis 0 to 30), Feb 13 2014 to Jan 28 2015, actual vs. trend; Open Resolver Project data]

Attacks Using Bots

[Diagram: bot-infected devices inside the ISP → ISP resolver → authoritative server of the target web site]
1. Bot-infected devices inside the ISP send queries with randomized subdomains directly to the ISP resolver
2. The resolver sends recursive queries to the target web site's authoritative server
3. NXD responses flow back

What’s Happening?

1. Bots scan networks for home gateways or other vulnerable devices
2. They attempt to log in with default passwords
3. They load malware onto the gateway
4. The malware sends huge volumes of specially crafted DNS queries

Other vectors are possible:
• Bots with loaders
• RomPager

Bots are Everywhere! 02/09/15

Threat Type   Query Count      Threat Type   Query Count
Spybot          1,679,616      Dorkbot            52,935
Vobfus            925,323      Morto              35,912
Nitol             883,376      Sality             35,711
Gamarue           878,672      Virut              32,027
VBInject          864,944      SMSsend            16,000
Spambot           613,449      Jeefo              14,645
Ramnit            418,984      Gbot               11,853
Bladabindi         90,486      GameOver            9,407
Palevo             60,324      Phorpiex            5,875
Sdbot              59,314      Buzus               5,123

These are bots that can install additional software on a compromised host

“Things” Generate Intense Attack Traffic

[Chart: query counts from attacking IPs in millions (axis 0 to 10), one hour’s data, APAC provider network; x-axis: the 206 IPs involved in the attack, ranked 1 to 206]
• 200 IPs sourced ~83M queries
• 15 IPs sourced ~61M queries
• 1 IP sourced ~9M queries

2 Days Attack Data

[Chart: number of IPs used in the attack per hour (axis 0 to 300), Nov 16 19:00 to Nov 18 8:00]

Example Attack Data

[Chart: attack queries as a percentage of total traffic (axis 0% to 80%), Nov 16 19:00 to Nov 18 8:00; annotation: 70% of queries from attack]

Why These Attacks Hurt

[Diagram: Attacker → Home Gateway → Border → Resolver → Authority]
Bad case:
1. Attacker sends a UDP query with a spoofed source IP, e.g. Ivatsnkb.web.pay1.cn
2. Home gateway proxies the query and translates the source IP
3. Resolver performs recursion to the authority
4. Authority answers NXD; the NXD is relayed back through the resolver and the gateway to the spoofed IP
Worse case:
1. Same spoofed query, proxied through the home gateway; the resolver recurses to the authority
2. Authority applies response rate limiting and truncates the response
3. Resolver retries over TCP
4. Authority answers NXD over TCP; the NXD is relayed back to the spoofed IP

Response Rate Limiting can Aggravate

[Diagram: Attacker → Home Gateway → Border → Resolver → Authority]
1. Attacker sends randomized queries with spoofed source IPs; the home gateway proxies them and translates the source IP
2. Resolver recurses to the authority, which applies response rate limiting and truncates the response
3. Resolver retries over TCP
4. Authority fails under the high traffic plus TCP overhead
5. Resolver doesn’t get responses and tries new authorities: cascading failures
Effects: resolver stress, TCP overhead

Some Simple Math

Very rough estimate of the additional workload:
• Every random subdomain (RSD) query requires recursion
• “Normal” incoming queries are 80% cached
• Equivalent load per RSD query, in normal-query units, is:
1/(1 - 0.8) = 5
• For 8,000 QPS of attack traffic the equivalent load is:
8,000 x 5 = 40,000 QPS

Attacks Cause Many Problems

• Attacks on popular domains complicate filtering
• Home gateways mask the spoofed source IP
• Bots operate wholly within provider networks
– Filtering DNS at the borders won’t work
• Observed tendency for cascading failures
• RRL by authorities increases work for both resolvers and authorities
– This seems to have gone away for now

Solution

• Block bad traffic at ingress to resolvers
– Minimize work
– Eliminate stress on the entire DNS hierarchy
• Near-real-time block lists and fine-grained policy
– Protect good traffic: whitelist legitimate labels for “core” domains
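The ingress policy this slide proposes, together with the whitelist handling for popular domains ("Need to Protect Good Traffic to Popular Domains") and the load arithmetic from "Some Simple Math", as an added example that is not Nominum's or any resolver's code: it drops the whole zone for a low-profile target, drops only non-whitelisted labels for a popular target so its legitimate subdomains keep resolving, and reports the dropped QPS in the 1/(1 - cache hit) normal-query equivalent the deck uses. The policy table, the asus.com allowlist, the one-second traffic snapshot and the "last two labels" zone rule are constructed assumptions.

```python
"""Resolver-ingress policy for random-subdomain attacks and the load it avoids.

Added example (not Nominum's or any resolver's code). The policy table, the
allowlist for asus.com and the one-second traffic snapshot are constructed.
"""

CACHE_HIT = 0.8  # share of "normal" queries answered from cache, per the slides

# Near-real-time policy, keyed by registered domain. A low-profile zone is
# blocked outright; a popular zone only has its non-whitelisted labels dropped.
POLICY = {
    "shop6996.com": {"action": "block"},
    "asus.com": {"action": "whitelist",
                 "labels": {"www", "support", "rog", "shop"}},  # constructed allowlist
}

# Constructed one-second snapshot of resolver ingress: (qname, queries in that second).
SNAPSHOT = [
    ("nbpdestuvjklz.pay.shop6996.com.", 3000),
    ("qrtzlvmwhc.pay.shop6996.com.", 2500),
    ("k7Fq2ZpL.asus.com.", 1500),
    ("b3e1.asus.com.", 1000),
    ("www.asus.com.", 40),
    ("support.asus.com.", 10),
    ("asus.com.", 5),
    ("www.baidu.com.", 900),
]


def split_name(qname):
    """Return (zone, subdomain). Simplification (assumption): the registered
    domain is the last two labels; a public-suffix list is needed in practice."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def decide(qname, policy=POLICY):
    """'allow' or 'drop' for one query at resolver ingress."""
    zone, sub = split_name(qname)
    rule = policy.get(zone)
    if rule is None:
        return "allow"                      # zone not under attack
    if rule["action"] == "block":
        return "drop"                       # whole zone blocked
    if sub == "" or sub in rule["labels"]:
        return "allow"                      # apex or known-legitimate subdomain
    return "drop"                           # random label on a popular zone


def recursion_equivalent(attack_qps, cache_hit=CACHE_HIT):
    """Load of attack_qps always-recursing queries expressed in normal-query
    units: each one costs as much as 1/(1 - cache_hit) normal queries."""
    return attack_qps / (1.0 - cache_hit)


def enforce(snapshot, policy=POLICY, cache_hit=CACHE_HIT):
    """Apply the policy to a snapshot and account for the recursion it avoids."""
    allowed = dropped = 0
    per_zone = {}
    for qname, qps in snapshot:
        zone, _ = split_name(qname)
        verdict = decide(qname, policy)
        per_zone.setdefault(zone, {"allow": 0, "drop": 0})[verdict] += qps
        if verdict == "allow":
            allowed += qps
        else:
            dropped += qps
    return {
        "allowed_qps": allowed,
        "dropped_qps": dropped,
        "recursion_equivalent_avoided": recursion_equivalent(dropped, cache_hit),
        "per_zone": per_zone,
    }


if __name__ == "__main__":
    r = enforce(SNAPSHOT)
    print(f"allowed {r['allowed_qps']} qps, dropped {r['dropped_qps']} qps "
          f"(~{r['recursion_equivalent_avoided']:.0f} qps of normal-query load avoided)")
    for zone, c in r["per_zone"].items():
        print(f"  {zone:15} allow={c['allow']:5} drop={c['drop']:5}")
```

The filter sits at the resolver's ingress rather than at the network border because, as the earlier slides note, the bots are inside the provider network and home gateways have already rewritten the spoofed source IP; the only reliable signal left is the query name itself. With the constructed snapshot the 8,000 dropped random-subdomain queries per second correspond to the deck's 40,000 QPS of normal-query load, while the 55 queries per second for asus.com's apex and whitelisted labels still pass.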