Thoughts about DNS for DDoS


  • A Speculation on DNS DDOS

    Geoff Huston

    APNIC

    Some thoughts about DNS for DDoS

  • Well, guess from the snippets that have been released: It was a Mirai attack. It used a compromised device collection…

  • DDOS Attacks

    Are nothing new, unfortunately

    And our response is often responding like for like

    Build thicker and thicker bunkers of bandwidth and processing capacity that can absorb the attacks

    And leave the undefended open space as toxic wasteland!

    But using the DNS for attacks opens some new possibilities…

  • What we understand about direct DNS DDOS attacks

    These are not reflection…

  • The intended outcome of the attack

    Because the .target qname form will defeat the recursive resolver caching function…

  • Possible Mitigations - 1: A Bigger Bunker: Add more Foo

    More authoritative…

  • Possible Mitigations - 2

    Longer TTLs: Low TTLs make the auth servers more vulnerable because recursives need to refer to authoritative…

  • Possible Mitigations - 3

    Filter queries: Try to get a fix on the name component in the queries. Set up a front end query filter and block these queries

    But: This is just tail chasing!

  • Possible Mitigations - 4

    What if the attacking devices are passing the queries directly to the authoritative…

  • All resolvers might be equal, but some resolvers are more equal than others!

    8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

  • Possible Mitigations - 4

    Filter Filter Filter (IP sources): Only 8,000 discrete IP addresses account for more than 90% of the users' DNS queries. These are the main recursive resolvers used by most of the Internet, so it's probably good to answer them! Put all other source IP address queries on a lower priority resolution…

  • Possible Mitigations - 5

    What if the devices are passing the queries via recursive resolvers?

  • Possible Mitigations - 5

    Get assistance! Use DNSSEC and apply NSEC Aggressive caching*. The attack will generate NXDOMAIN answers. So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly

    This can be done with the combination…
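    The mitigation on this slide, as an added toy model (not code from the talk or from APNIC): a recursive resolver that has learned the NSEC records of a signed zone can synthesize NXDOMAIN for any name in a proven-empty gap (RFC 8198 aggressive negative caching), so a random-subdomain flood stops reaching the authoritative servers once the handful of NSEC gaps is cached. The zone `example.com` with its names, the 12-character random labels and the omission of the wildcard NSEC proof are constructed simplifications.

```python
import random
from dataclasses import dataclass

# Constructed sample zone: apex plus two names, so the NSEC chain has three gaps.
ZONE_NAMES = ["example.com", "mail.example.com", "www.example.com"]

def canon(name):
    """DNS canonical ordering key (RFC 4034 s6.1): labels reversed, case-folded."""
    return tuple(l.lower() for l in reversed(name.rstrip(".").split(".")))

@dataclass(frozen=True)
class Nsec:
    owner: str
    next_name: str
    def covers(self, qname):
        """True if qname falls strictly inside the gap this NSEC proves empty."""
        q, o, n = canon(qname), canon(self.owner), canon(self.next_name)
        if o < n:
            return o < q < n
        return q > o or q < n          # last NSEC in the chain wraps back to the apex

class Authoritative:
    """Signed zone; counts every query that actually reaches it."""
    def __init__(self, names):
        self.names = sorted(names, key=canon)
        self.queries = 0
    def query(self, qname):
        self.queries += 1
        if canon(qname) in map(canon, self.names):
            return "NOERROR", None
        for i, owner in enumerate(self.names):
            rec = Nsec(owner, self.names[(i + 1) % len(self.names)])
            if rec.covers(qname):
                return "NXDOMAIN", rec    # NXDOMAIN carries the covering NSEC record
        raise AssertionError("NSEC chain does not cover " + qname)

class Recursive:
    """Validating resolver; aggressive=True synthesizes NXDOMAIN from cached NSECs.
    Toy model: the wildcard (*.zone) NSEC proof RFC 8198 also requires is omitted."""
    def __init__(self, auth, aggressive):
        self.auth, self.aggressive, self.nsec_cache = auth, aggressive, set()
    def resolve(self, qname):
        if self.aggressive and any(r.covers(qname) for r in self.nsec_cache):
            return "NXDOMAIN"             # answered from cache; auth never contacted
        rcode, nsec = self.auth.query(qname)
        if nsec:
            self.nsec_cache.add(nsec)
        return rcode

def random_subdomain_flood(n, aggressive, seed=1):
    """Return how many of n random-qname queries reach the authoritative server."""
    rng = random.Random(seed)
    auth = Authoritative(ZONE_NAMES)
    rec = Recursive(auth, aggressive)
    for _ in range(n):
        label = "".join(rng.choices("abcdefghijklmnopqrstuvwxyz0123456789", k=12))
        rec.resolve(f"{label}.example.com")   # every name is a cache miss without NSEC
    return auth.queries
```

    Without aggressive caching every one of the random names is forwarded upstream; with it the authoritative server sees at most one query per NSEC gap, three for this zone.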

  • If only…

    Piecemeal solutions…