DNS amplification attacks

Similar documents

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

CS 356 Lecture 16 Denial of Service. Spring 2013

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

CSCE 465 Computer & Network Security

How To Protect A Dns Authority Server From A Flood Attack

Strategies to Protect Against Distributed Denial of Service (DD

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Denial of Service Attacks

Blocking DNS Messages is Dangerous

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Security Technology White Paper

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

H3C Firewall and UTM Devices DNS and NAT Configuration Examples (Comware V5)

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

DDoS Attacks & Mitigation

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

NETNOD Autumn 2014 October 2, 2014

TDC s perspective on DDoS threats

CS5008: Internet Computing

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

co Characterizing and Tracing Packet Floods Using Cisco R

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

A Very Incomplete Diagram of Network Attacks

GregSowell.com. Mikrotik Security

JPCERT/CC Internet Threat Monitoring Report [January 1, March 31, 2015]

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

Chapter 8 Security Pt 2

DDoS attacks in CESNET2

Sample Configuration Using the ip nat outside source static

Source-Connect Network Configuration Last updated May 2009

DoS/DDoS Attacks and Protection on VoIP/UC

LAN TCP/IP and DHCP Setup

IPv6 Security from point of view firewalls

How to launch and defend against a DDoS

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Use Domain Name System and IP Version 6

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

NTP Reflection DDoS Attack Explanatory Document

Analysis of a DDoS Attack

How Cisco IT Protects Against Distributed Denial of Service Attacks

Chapter 15. Firewalls, IDS and IPS

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Firewalls and Intrusion Detection

- Introduction to Firewalls -

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

DDoS Protection on the Security Gateway

Distributed Denial of Service(DDoS) Attack Techniques and Prevention on Cloud Environment

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Vulnerabili3es and A7acks

Survey on DDoS Attack in Cloud Environment

Southwest Arkansas Telephone Cooperative Network Management Practices

Firewalls. Ahmad Almulhem March 10, 2012

WAN Traffic Management with PowerLink Pro100

Denial of Service Attacks. Notes derived from Michael R. Grimaila s originals

Campus LAN at NKN Member Institutions

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Attack and Defense Techniques

DDoS Overview and Incident Response Guide. July 2014

DNS, DNSSEC and DDOS. Geoff Huston APNIC February 2014

Firewall Firewall August, 2003

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Distributed Denial of Service (DDoS)

Firewalls P+S Linux Router & Firewall 2013

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

FIREWALLS IN NETWORK SECURITY

A Sampling of Internetwork Security Issues Involving IPv6

Introduction to Firewalls

DDOS in academic Networks. Herramientas para la seguridad prevención y mitigación de DDOS. CSUC. 3 de Abril 2014

Tech-Note Bridges Vs Routers Version /06/2009. Bridges Vs Routers

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Survey on DDoS Attack Detection and Prevention in Cloud

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

Seminar Computer Security

The ntop Project: Open Source Network Monitoring

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Arbor s Solution for ISP

LAB II: Securing The Data Path and Routing Infrastructure

Announcements. No question session this week

Unicast Reverse Path Forwarding

Security of IPv6 and DNSSEC for penetration testers

Transcription:

amplification attacks Matsuzaki Yoshinobu <maz@iij.ad.jp> 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 1

amplification attacks Attacks using IP spoofed dns query generating a traffic overload bandwidth attack similar to smurf attacks Components are: IP spoofing amp 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 2

IP spoofing + amp IP spoofing IP spoofed dns query to use reflections amp UDP (no 3way handshake) good amplification ratio =~ 60 distributed by full/stub-resolver (dns cache) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 3

reflection Sender IP spoofed packet src: victim dst: reflector reflector reply packet src: refle dst: ctor victim victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 4

amplification 1. multiple replies Sender 2. bigger reply Sender 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 5

amplification ANY?xxx.example.com Sender xxx.example.com IN TXT XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 6

amplification attack Attacker IP spoofed queries replies victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 7

attack relations root-servers Command&Control stub-resolvers full-resolvers IP spoofed queries tld-servers example-servers botnet victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 8

view of bot #1 Internet performance degradation traffic overload bot #1 queries size: =~60bytes src IP: victim(ip spoofed) dst IP: various( amp) protocol: udp src port: various dst port: 53 QR: standard query QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 9

view of bot #2 a bot behind NAT box reply src IP: various( amp) dst IP: NAT Router Internet query after NAT NAT table saturation ICMP unreach generation NAT src IP: NAT Router dst IP: various( amp) query before NAT bot #2 src IP: victim(ip spoofed) dst IP: various( amp) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 10

view of stub-resolver queries Internet full-resolvers victim bot#2(nat) size: =~60bytes src IP: victim bot#2(nat) dst IP: stub-resolver QNAME: (specific one) performance degradation traffic overload if the stub-resolver works as a no-cache mode, all of the queries are relayed to the full-resolvers. stub-resolver replies size: =~4000bytes (ip fragmented) src IP: stub-resolver dst IP: victim bot#2(nat) QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 11

view of full-resolver queries Internet root-servers tld-servers example-servers victim bot#2(nat) stub-resolvers size: =~60bytes src IP: victim bot#2 stub-resolver dst IP: full-resolver QNAME: (specific one) performance degradation traffic overload if the TTL of the RR is short, # of queries to the *-servers are increased. full-resolver replies size: ~4000bytes (ip fragmented) src IP: full-resolver dst IP: victim bot#2(nat) stub-resolver QNAME: (specific one) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 12

view of victim Internet traffic overload replies size: =~4000bytes (ip fragmented) src IP: full-resolvers stub-resolvers dst IP: victim victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 13

solutions Attacker IP spoofed dns queries resolvers drop IP spoofed packets = Source Address Validation dns replies discard recursive queries from external = Disable Open Recursive victim 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 14

Disable Open Recursive There are many open relay resolvers. ISP cache servers customers dns servers DSL routers (dns proxy as stub-resolver) 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 15

Source Address Validation BCP38/RFC2827 All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses... 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 16

IIJ/AS2497 s case IIJ to Introduce Source Address Validation to all its Connectivity Services http://www.iij.ad.jp/en/pressrelease/2006/0308.html IIJ is adopting urpf and ACLs. 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 17

IIJ s policy peer ISP upstream ISP IIJ/AS2497 customer ISP single homed static customer multi homed static customer urpf strict mode urpf loose mode 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 18

CISCO urpf configuration urpf strict mode interface GigabitEthernet0/0 ip verify unicast source reachable-via rx urpf loose mode interface GigabitEthernet0/0 ip verify unicast source reachable-via any 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 19

Juniper urpf configuration urpf strict mode interface { ge-0/0/0 { unit 0 { family inet { rpf-check; } } } } urpf loose mode interface { ge-0/0/0 { unit 0 { family inet { rpf-check { mode loose; } } } } } 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 20

reference AL-1999.004 DoS attacks using the http://www.auscert.org.au/render.html?it=80 The Continuing DoS Threat Posed by Recursion http://www.us-cert.gov/reading_room/-recursion033006.pdf SAC008 Distributed DDoS Attacks http://www.icann.org/committees/security/dns-ddos-advisory- 31mar06.pdf 2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 21

2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 22