Ralph Dolmans A solution for the DNS amplification attack problem

A solution for the DNS amplification attack problem, Ralph Dolmans, July 4th, 2013

Context
- Spamhaus was attacked with 300 Gbps
- Every day, attacks are getting bigger
- Sites can be held hostage, banks cannot talk
- Global problem, the end of the Internet?
Research Project 2, Ralph Dolmans 2

Annoy people by sending bricks
- Send an unsolicited brick by mail
- Annoying for the receiver, but only obstructive when done by many people at once

Easy way to send lots of bricks

1: Sender verification
- Factory contacts customers to verify the order
- Dramatic change in the order process
- More work for brick factory employees
- More time needed to handle requests
= Three-way handshake, DNS over TCP

2: Prevent sender address spoofing
- Validation at the postal sorting center: only process orders when the delivery address is in the area in which the mail is posted
- Only works when all postal sorting centers can be trusted
= BCP38

3: Rate limiting
- Limit the number of orders the factory handles per customer address
- Factory can falsely drop orders, thereby losing money
- Factory can falsely allow orders, thereby still sending unsolicited bricks
= DNS Response Rate Limiting (DNS RRL)

Shipping to intended users only

DNS parallel
- Brick factory = Authoritative name server (ANS)
- Local reseller = Recursive resolver (RRNS)
- Local customer = User of a specific resolver

DNS amplification attacks
- Same solution: the ANS handles orders coming from RRNSs; an RRNS only handles orders coming from local users
- Instead of dropping unwanted orders, the ANS could apply a rate limit to enable debugging

Whitelists
- RRNS needs a whitelist of customers
- RRNS providers know the IPs of their network
- ANS needs a global whitelist of RRNS servers
- There is no list containing all resolvers, so we need a method to create this list

Generating a global list of resolvers
- We cannot simply scan IP space as is done by http://openresolverproject.org/
- Log the source address of requests at the ANS
- Introduce integrity using a simple CNAME handshaking dialogue

Simple CNAME handshake
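The handshake of slides 12 and 13 (log the querying address, but only trust it after the resolver follows a CNAME that carries a random token) can be modelled in a few lines. The Python below is an added example, not the author's Twisted implementation: it uses a constructed zone name val.example in place of val.stopddosattacks.org, the RFC 5737 documentation addresses as sample resolvers, and runs both an honest resolver and a spoofed attempt in-process with no network I/O.

```python
import secrets
import ipaddress

# Constructed zone name standing in for val.stopddosattacks.org; nothing here touches the network.
HANDSHAKE_ZONE = "val.example"
ANSWER_ADDRESS = "192.0.2.1"   # RFC 5737 documentation address, returned as the final answer


class HandshakeANS:
    """Model of an authoritative name server that collects real resolver
    addresses with a CNAME handshake (added example, not the project's code).

    Round 1: a query for HANDSHAKE_ZONE is answered with a CNAME pointing at
             <token>.HANDSHAKE_ZONE; the random token is bound to the source
             address the query claimed.
    Round 2: a resolver that really received round 1 follows the CNAME and asks
             for <token>.HANDSHAKE_ZONE. Only if that query arrives from the
             address the token was handed to is the address recorded as a resolver.

    A query with a spoofed source never leads to a valid round 2 from the spoofed
    address: the token travels to the spoofed address, not to whoever sent the query.
    """

    def __init__(self):
        self.pending = {}       # token -> address the token was sent to
        self.resolvers = set()  # verified resolver addresses (the ANS whitelist)
        self.events = []        # audit trail of rejected round-2 queries

    def handle_query(self, src_ip, qname):
        src = str(ipaddress.ip_address(src_ip))   # rejects malformed addresses early
        qname = qname.lower().rstrip(".")
        if qname == HANDSHAKE_ZONE:
            token = secrets.token_hex(8)
            self.pending[token] = src
            return ("CNAME", f"{token}.{HANDSHAKE_ZONE}")
        suffix = "." + HANDSHAKE_ZONE
        if qname.endswith(suffix):
            token = qname[: -len(suffix)]
            owner = self.pending.pop(token, None)   # each token is single use
            if owner is None:
                self.events.append(("unknown-token", src))
                return ("NXDOMAIN", None)
            if owner != src:
                self.events.append(("address-mismatch", src, owner))
                return ("NXDOMAIN", None)
            self.resolvers.add(src)
            return ("A", ANSWER_ADDRESS)
        return ("NXDOMAIN", None)


def honest_resolver(ans, resolver_ip):
    """A real recursive resolver: sends round 1, then follows the CNAME it received."""
    rtype, target = ans.handle_query(resolver_ip, HANDSHAKE_ZONE)
    assert rtype == "CNAME"
    return ans.handle_query(resolver_ip, target)


def spoofed_attempt(ans, victim_ip):
    """A round-1 query carrying victim_ip as a forged source. The CNAME response goes
    to the victim, so the sender never learns the token and can only guess one."""
    ans.handle_query(victim_ip, HANDSHAKE_ZONE)           # response leaves for the victim
    guessed = secrets.token_hex(8) + "." + HANDSHAKE_ZONE
    return ans.handle_query(victim_ip, guessed)           # forged again, wrong token


if __name__ == "__main__":
    ans = HandshakeANS()
    print(honest_resolver(ans, "198.51.100.7"))   # ('A', '192.0.2.1')
    print(spoofed_attempt(ans, "198.51.100.8"))   # ('NXDOMAIN', None)
    print(sorted(ans.resolvers))                  # ['198.51.100.7']
```

The whitelist therefore only ever contains addresses that demonstrably received a response and acted on it, which is exactly the property a plain source-address log lacks. A production version would expire pending tokens and persist `resolvers` (the slides mention a MySQL database), but the binding of token to source address is the whole of the integrity check.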

Custom ANS software
- Implemented using Python + Twisted
- ping val.stopddosattacks.org
- 1200+ resolvers in the MySQL database so far

ANS whitelist check
- Using a standard firewall instead of changing DNS software (BIND, NSD, PowerDNS)
- Firewall rules for the ANS: accept the packet when the source is on the whitelist; rate limit the packet otherwise
- Does this perform?

Iptables + ipset whitelist
- ipset for the whitelisted IPs
- Benchmarks: average latency, handling 10 million requests at 200K per second; CPU load for 1 million whitelisted IPs
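Slides 15 and 16 describe the ANS-side policy: accept a query when its source is on the resolver whitelist, rate limit it otherwise. The Python below is an added example, not the author's rules, that models that policy with a per-source token bucket so the effect on a whitelisted resolver and on an unknown source can be compared on constructed traffic. The 20 queries per second rate and burst of 50 are assumed values, not figures from the slides, and the iptables/ipset sketch in the comment is the equivalent kernel configuration under those same assumptions.

```python
from collections import defaultdict
from fractions import Fraction

# Equivalent policy in iptables + ipset terms (rate and burst are assumed values):
#   ipset create dns_whitelist hash:ip
#   ipset add dns_whitelist 198.51.100.7
#   iptables -A INPUT -p udp --dport 53 -m set --match-set dns_whitelist src -j ACCEPT
#   iptables -A INPUT -p udp --dport 53 -m hashlimit --hashlimit-name dns \
#            --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 50 -j ACCEPT
#   iptables -A INPUT -p udp --dport 53 -j DROP


class TokenBucket:
    """Per-source bucket: `burst` tokens up front, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = self.burst
        self.last = None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DnsIngressPolicy:
    """Whitelist first, rate limit the rest: the rule order of slide 15."""

    def __init__(self, whitelist, rate=20, burst=50):
        self.whitelist = set(whitelist)
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def decide(self, src_ip, now):
        if src_ip in self.whitelist:
            return "ACCEPT"           # known resolver: never throttled, so no false drops
        return "ACCEPT" if self.buckets[src_ip].allow(now) else "DROP"


def replay(policy, src_ip, qps, seconds):
    """Send qps*seconds evenly spaced queries from src_ip; return (accepted, dropped).
    Time is kept exact with Fraction so the counts are reproducible."""
    accepted = dropped = 0
    for i in range(qps * seconds):
        now = Fraction(i, qps)
        if policy.decide(src_ip, now) == "ACCEPT":
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    policy = DnsIngressPolicy(whitelist={"198.51.100.7"})     # constructed whitelist
    print(replay(policy, "198.51.100.7", qps=200, seconds=5))  # (1000, 0)
    print(replay(policy, "203.0.113.9", qps=200, seconds=5))   # (149, 851)
```

On the constructed traffic the whitelisted resolver keeps all 1000 queries, while the unknown source at the same 200 queries per second is held to the initial burst plus 20 per second, 149 answers in five seconds. That is the trade-off of slides 7 and 10 made concrete: a non-whitelisted source is not cut off entirely, so debugging from an unlisted host still works, but it can no longer be used for more than a trickle of reflected traffic.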

Iptables + ipset latency

Iptables + ipset CPU usage

Promotion and education
- Next step: educate people about the attacks
- Collect as many resolvers as possible
- Encourage the use of whitelists on ANSs
- Two websites: http://stopddosattacks.org and http://reliablenameservers.org

Stopddosattacks.org
- Check your connection (RRNS)
- Check your website (ANS)
- Encourage participation by providing badges


Reliablenameservers.org
- Check your website
- Corporate and green feeling
- Encourage participation by providing back-links

Problem solved, any questions?