ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Similar documents
BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

OVERVIEW OF THE DNS AND GLOSSARY OF TERMS

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

The Canadian Internet Registration Authority (CIRA) manages a 100% up time service - the.ca domain name registry for over 2.

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

STATE OF DNS AVAILABILITY REPORT

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves

WHITE PAPER. DNS: Key Considerations Before Deploying Your Solution

Securing Your Business with DNS Servers That Protect Themselves

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DOMAIN NAME SECURITY EXTENSIONS

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

State of the Cloud DNS Report

Securing Your Business with DNS Servers That Protect Themselves

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

Service Description DDoS Mitigation Service

Denial of Service Attacks

How To Protect A Dns Authority Server From A Flood Attack

How to Evaluate DDoS Mitigation Providers:

/ Staminus Communications

State of the Cloud DNS Report

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

At dincloud, Cloud Security is Job #1

DOMAIN NAME SYSTEM (DNS)

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Current Counter-measures and Responses by the Domain Name System Community

The F5 Intelligent DNS Scale Reference Architecture.

Cloud Security In Your Contingency Plans

The Importance of High Customer Experience

Top Five DNS Security Attack Risks and How to Avoid Them

SSDP REFLECTION DDOS ATTACKS

Why Managed DNS Services

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Infoblox Inc. All Rights Reserved. Talks about DNS: architectures & security

DDoS attacks in CESNET2

TLP WHITE. Denial of service attacks: what you need to know

Automated Mitigation of the Largest and Smartest DDoS Attacks

100% Malware-Free A Guaranteed Approach

The Domain Name System (DNS) A Brief Overview and Management Guide

Flexible Training Options to Make the Most of Your IPAM Deployment

WHITEPAPER. Designing a Secure DNS Architecture

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Scale your DNS Infrastructure Ensure App and Service Availability. Nigel Ashworth Solution Architect EMEA

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

What to Look for When Choosing a CDN for DDoS Protection Written by Bizety

Best Practices in DNS Anycast Service-Provision Architecture. Version 1.1 March 2006 Bill Woodcock Gaurab Raj Upadhaya Packet Clearing House

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

High-Performance DNS Services in BIG-IP Version 11

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

The Importance of a Resilient DNS and DHCP Infrastructure

The Future of DNS. Johan Ihrén Netnod. October 15,

Safeguards Against Denial of Service Attacks for IP Phones

FortiDDos Size isn t everything

Application DDoS Mitigation

WAN Traffic Management with PowerLink Pro100

TDC s perspective on DDoS threats

Protecting Critical Websites and Internet Infrastructure using innovative cloud-based. Managed Services

Distributed Denial of Service Attacks

Securing External Name Servers

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

DNS Caching Krytyczna infrastruktura operatora i ostatni element układanki

How to launch and defend against a DDoS

How To Understand The Power Of A Content Delivery Network (Cdn)

F5 and Infoblox DNS Integrated Architecture Offering a Complete Scalable, Secure DNS Solution

allow all such packets? While outgoing communications request information from a

CS 356 Lecture 16 Denial of Service. Spring 2013

Making the Internet fast, reliable and secure. DE-CIX Customer Summit Steven Schecter <schecter@akamai.com>

Securing DNS Infrastructure Using DNSSEC

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

High Availability with Postgres Plus Advanced Server. An EnterpriseDB White Paper

DDoS Attacks in the United Kingdom

Web Application Defence. Architecture Paper

The OpenDNS Global Network Delivers a Secure Connection Every Time. Everywhere.

Computer Networks: Domain Name System

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Data Center Content Delivery Network

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

Harness Your Internet Activity!

DNS Appliance Architecture: Domain Name System Best Practices

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

Securing data centres: How we are positioned as your ISP provider to prevent online attacks.

How Cisco IT Protects Against Distributed Denial of Service Attacks

Bridging the Security Gap for IP Payment Networks

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

Traffic Controller Service. UltraDNS Whitepaper

Transcription:

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

ANATOMY OF A DDOS ATTACK AGAINST THE DNS INFRASTRUCTURE The Domain Name System (DNS) is part of the functional infrastructure of the Internet and part of the Internet s trust framework. Without these nameservers, the huge investments in hardware, software and applications that organizations make cannot be found and accessed by customers. Unfortunately, because the DNS is a key piece of infrastructure, it is often targeted by malicious players. Distributed Denial of Service (DDos) attacks targeting the DNS is a specific type of DDoS attack that exposes vulnerabilities in the DNS system. This whitepaper provides an explanation for this specific type of attack. A DDoS attack is used to bring down a system without leveraging the attackers own system. This helps the attacker to avoid discovery. While this form of attack doesn t always attempt to gain access to an organization s data, it can be used maliciously by bad actors to deny resources or inhibit services to a targeted system. Moreover, DDoS attacks in general are on the rise globally and were up 50 per cent in 2013 (Akamai report) with some attacks generating sustained bandwidth in the hundreds of gigabits and for several hours or days. DNS DDoS attacks are a smaller percentage of all DDoS attacks, but fully one-third of companies have reported a customer-impacting attack of this type (source: Arbor 2013 report in security). HOW DOES THE DOMAIN NAME SYSTEM (DNS) WORK? The Domain Name System (DNS) provides the core backbone of the Internet by providing the map between easily-readable hostnames (i.e. www.cira.ca) and IP addresses (192.228.29.1) by way of resource records. It is essential to the operation of the Internet by enabling the use of logical, human-readable names for locations rather than complex IPv4 or IPv6 addresses. It additionally provides mappings to things like mail servers, SIP servers, redirects, digital signatures, and more. The DNS is a distributed database organized as a tree of interconnected nodes (server or server clusters) where each node is a partition of the database. Nodes are delegated to designated authorities and there can be only one authority for a node or group of nodes. The DNS is a critical part of the Internet s trust framework and functionality and as such is often a target for malicious activity. PROTECT YOUR BUSINESS D-Zone Anycast DNS Service www.cira.ca/d-zone 2

Just over 1/3 of companies report DNS DDoS Attacks (Source: Arbor Networks 2013 report on Security). HOW A DNS DDOS ATTACK WORKS Before getting into the mechanics of a DNS-based DDoS attack versus other forms of DDoS attacks, it is worth noting that these attack scenarios can generically describe an attack that applies to the DNS or to an application or web server. The DNS DDoS attack typically uses three elements in the hackers tool chest: spoofing, reflection and amplification. Since the attacker s goal is either to saturate a nameserver, or to target another server, these elements of the attack are typically distributed across many open DNS resolvers Reflection is used to increase the number of queries while amplification comes in when the reflecting server answers the relatively small query with a much larger response. In the case of the DNS, the problem is compounded because a very small query (<100 bytes) can be amplified (to 50X and up) to generate thousands of bytes in response. Let s look a little closer. If the attacker wanted to attack a target DNS server then it would use all the botnet zombies in his network to issue DNS request messages for an amplification record from open recursive servers. If the recursive nameserver has not received a request before then they issue their own request to a compromised server to get the amplification record. The open recursive servers think they are sending a response to the botnet host that generated the query, but it has spoofed the IP address of the attack target. So the organization s server never issued a request but it is now being bombarded with responses. Making matters worse, because the response is amplified, it is broken into fragments that need to be reassembled at the destination, putting further strain on the target. There is another scenario, which we will call amplifier exhaustion. It occurs when the organization isn t the target in the attack, but an unwitting accomplice. Their nameservers are being used in an attack on another server and in the process the bandwidth or resources of the nameserver are being taken up. Maintaining a good DNS architecture is important because it helps protect the organization while also ensuring that it is a good Internet citizen. Scenario 1: Anatomy of a DNS DDoS attack recruiting resources with the goal of bringing down an authoritative nameserver. PROTECT YOUR BUSINESS D-Zone Anycast DNS Service www.cira.ca/d-zone 3

In the example shown we see that without DNSSEC the server provides a 62 byte response to a 72 byte query. With DNSSEC a similar query generates 241 bytes (281 bytes on the wire) to an 83 byte question, or an amplification factor of 341 per cent in this example. Depending on the how the query is crafted a larger amplification is possible with the implication that any DNS server can be used for an attack: Scenario 2: Anatomy of a DNS DDoS attack where the organizations resources are used to bring down someone else s server. THE COMING IMPACT OF DNSSEC DNSSEC is a secure handshake protocol for domain names that is used to validate that a user is connecting to a website or service associated with the domain name. It helps to address manin-the-middle type of attacks. This is distinct from SSL which uses a similar set of protocols to secure the actual communications once they have been initiated. DNSSEC has rapidly gained adoption by top level domain registries and as of 2014 is beginning to gain more rapid traction across the rest of the Internet with players like Comcast and Google actively promoting its benefits. However, as it does, DNSSEC has the potential to further amplify a DDoS attack because the additional bytes for sending keys can further increase the amplification. HELPING TO MITIGATE THE PROBLEM WITH AN ANYCAST DNS INFRASTRUCTURE Several players in the industry are trying to get the (tens of millions of) open recursive DNS resolvers cleaned-up by focusing on the networks that have them and getting the resolvers shut down. However, this is an extremely challenging global problem that is caused by the inadvertent behaviour of both individuals and corporations. Rather than trying to solve the global issue, there is a more immediate and active response that an IT department can take, and that is to add capacity and redundancy to their DNS. One tool for building out the DNS infrastructure is to use anycast servers. Anycast DNS servers enable organizations to deploy a set of DNS servers across the globe that all have the same IP address. Since one of the features of anycast DNS is that queries are responded to by the geographically closest server, attacks against one node will only impact customers in that region. Maintaining two or more anycast clouds on different infrastructure and network connectivity provides for even more inregion redundancy to help mitigate the impact of an attack or other outage. In addition to solving the global risk, if a business has a large domestic component then locating a few high bandwidth international nodes can help to protect your local traffic from an attack that originates off shore. Why? Because the global attack will be soaked-up by the geographically closest off-shore server leaving your domestic ones unaffected. Figure: With DNSSEC (right) and without it in the response query showing the amplification with DNSSEC enabled. Even if a global DNS server is brought down, by the time the attack moves to a new node the old one can be back online. In effect it becomes a world-wide game of whack-a-mole on the DNS servers that aren t delivering content to your most important market or region anyway. PROTECT YOUR BUSINESS D-Zone Anycast DNS Service www.cira.ca/d-zone 4

DEPLOYING AN ANYCAST DNS NETWORK A global company may elect to run one or more anycast clouds to serve its markets. This involves placing enterprise infrastructure and redundancy in the corporate datacenters or branch offices. For very large companies, this approach may be preferred as it gives a high degree of control over the deployment. However, it is costly, and when enterprise-class equipment is used for the DNS, the service is often over-provisioned and represents a non-optimized use of resources. Alternatively, there are DNS service providers that organizations can use to oursource their DNS. In these instances their DNS is on shared equipment with other companies but can be protected by enterprise-class SLAs and service. And finally, because of the way anycast is architected, there is the option to combine some in-house infrastructure with one or more bestof-breed secondary solutions. This provides redundancy and capacity for organizations where access to the website is critical. D-ZONE ANYCAST DNS SERVICE - HELPING IT DEPARTMENTS AND SERVICE PROVIDERS WHO ARE SUPPORTING ORGANIZATIONS WITH A LARGE AMOUNT OF CANADIAN TRAFFIC TO PROTECT AGAINST DDOS ATTACKS The D-Zone Anycast DNS service is the most robust secondary solution for Canadian traffic available on the market today. It provides redundant, high bandwidth nodes located in IXPs in Canada to answer queries for Canadian traffic. This provides very low latency and helps to keep Canadian web traffic inside Canada s borders. In addition to these benefits, it serves global markets and helps protect your traffic from DDoS attacks against the DNS by locating high bandwidth global nodes in International Internet hubs. Since a small number of major attacks originate from within Canada, this helps protect your organization from outages due to malicious activity. Figure: With a single unicast server, when the node goes down or gets hacked, you disappear from the Internet. Anycast allows other nodes in the network to serve traffic. For more information on how the D-Zone Anycast DNS solution can be used by your organization please contact us today by visiting cira.ca/d-zone ABOUT CIRA The Canadian Internet Registration Authority (CIRA) manages Canada s.ca domain name registry as a 100 per cent up time service for Canadians and Canadian organisations. In addition to stewardship over.ca, CIRA develops and implements policies that support Canada s Internet community and the.ca registry internationally. PROTECT YOUR BUSINESS D-Zone Anycast DNS Service www.cira.ca/d-zone 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information