amplification attacks Matsuzaki Yoshinobu <maz@iij.ad.jp> 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 1
amplification attacks Attacks using IP spoofed dns query generating a traffic overload bandwidth attack similar to smurf attacks Components are: IP spoofing amp 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 2
IP spoofing + amp IP spoofing IP spoofed dns query to use reflections amp UDP (no 3way handshake) good amplification ratio =~ 60 distributed by full/stub-resolver (dns cache) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 3
reflection Sender IP spoofed packet src: victim dst: reflector reflector reply packet src: refle dst: ctor victim victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 4
amplification 1. multiple replies Sender 2. bigger reply Sender 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 5
amplification ANY?xxx.example.com Sender xxx.example.com IN TXT XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 6
amplification attack Attacker IP spoofed queries replies victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 7
attack relations root-servers Command&Control stub-resolvers full-resolvers IP spoofed queries tld-servers example-servers botnet victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 8
view of bot #1 Internet performance degradation traffic overload bot #1 queries size: =~60bytes src IP: victim(ip spoofed) dst IP: various( amp) protocol: udp src port: various dst port: 53 QR: standard query QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 9
view of bot #2 a bot behind NAT box reply src IP: various( amp) dst IP: NAT Router Internet query after NAT NAT table saturation ICMP unreach generation NAT src IP: NAT Router dst IP: various( amp) query before NAT bot #2 src IP: victim(ip spoofed) dst IP: various( amp) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 10
view of stub-resolver queries Internet full-resolvers victim bot#2(nat) size: =~60bytes src IP: victim bot#2(nat) dst IP: stub-resolver QNAME: (specific one) performance degradation traffic overload if the stub-resolver works as a no-cache mode, all of the queries are relayed to the full-resolvers. stub-resolver replies size: =~4000bytes (ip fragmented) src IP: stub-resolver dst IP: victim bot#2(nat) QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 11
view of full-resolver queries Internet root-servers tld-servers example-servers victim bot#2(nat) stub-resolvers size: =~60bytes src IP: victim bot#2 stub-resolver dst IP: full-resolver QNAME: (specific one) performance degradation traffic overload if the TTL of the RR is short, # of queries to the *-servers are increased. full-resolver replies size: ~4000bytes (ip fragmented) src IP: full-resolver dst IP: victim bot#2(nat) stub-resolver QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 12
view of victim Internet traffic overload replies size: =~4000bytes (ip fragmented) src IP: full-resolvers stub-resolvers dst IP: victim victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 13
solutions Attacker IP spoofed dns queries resolvers drop IP spoofed packets = Source Address Validation dns replies discard recursive queries from external = Disable Open Recursive victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 14
Disable Open Recursive There are many open relay resolvers. ISP cache servers customers dns servers DSL routers (dns proxy as stub-resolver) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 15
Source Address Validation BCP38/RFC2827 All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses... 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 16
IIJ/AS2497 s case IIJ to Introduce Source Address Validation to all its Connectivity Services http://www.iij.ad.jp/en/pressrelease/2006/0308.html IIJ is adopting urpf and ACLs. 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 17
IIJ s policy peer ISP upstream ISP IIJ/AS2497 customer ISP single homed static customer multi homed static customer urpf strict mode urpf loose mode 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 18
CISCO urpf configuration urpf strict mode interface GigabitEthernet0/0 ip verify unicast source reachable-via rx urpf loose mode interface GigabitEthernet0/0 ip verify unicast source reachable-via any 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 19
Juniper urpf configuration urpf strict mode interface { ge-0/0/0 { unit 0 { family inet { rpf-check; } } } } urpf loose mode interface { ge-0/0/0 { unit 0 { family inet { rpf-check { mode loose; } } } } } 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 20
reference AL-1999.004 DoS attacks using the http://www.auscert.org.au/render.html?it=80 The Continuing DoS Threat Posed by Recursion http://www.us-cert.gov/reading_room/-recursion033006.pdf SAC008 Distributed DDoS Attacks http://www.icann.org/committees/security/dns-ddos-advisory- 31mar06.pdf 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 21
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 22