DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques



Similar documents
honeytarg Chapter Activities

Phishing and Banking Trojan Cases Affecting Brazil

Development of an IPv6 Honeypot

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Preventing your Network from Being Abused by Spammers

CERT.br: Mission and Services

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

Cybersecurity and Incident Response Initiatives: Brazil and Americas

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

The role of JANET CSIRT

How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net

Defeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.

Domain Name System (DNS) Fundamentals

Creating a master/slave DNS server combination for your Grid Infrastructure

CSE 127: Computer Security. Network Security. Kirill Levchenko

Incident Response and Early Warning Initiatives in Brazil

Enabling DNS for IPv6 CSD Fall 2011

How-to: DNS Enumeration

Domain Name System Security

Defending against DNS reflection amplification attacks

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

Identifying Patterns in DNS Traffic

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

DNS SECURITY TROUBLESHOOTING GUIDE

Internet-Praktikum I Lab 3: DNS

Configuring DNS on Cisco Routers

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

CONSUL AS A MONITORING SERVICE

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

How To Understand A Network Attack

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

DOMAIN NAME SECURITY EXTENSIONS

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Harness Your Internet Activity!

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION. Mohammad Fakrul Alam. bdhub. SANOG 21 January 27 - Feb 4, 2013 Cox's Bazar, Bangladesh

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Acquia Cloud Edge Protect Powered by CloudFlare

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)

PTTMetro - PTT.br The Brazilian Metropolitan IXP Project

CloudFlare advanced DDoS protection

DNS Best Practices. Mike Jager Network Startup Resource Center

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

5 DNS Security Risks That Keep You Up At Night (And How To Get Back To Sleep)

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Tampering and Root Servers

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

Attack and Defense Techniques

The curse of the Open Recursor. Tom Paseka Network Engineer

ICT statistics production and policymaking in Brazil

Domain Name System (DNS) RFC 1034 RFC

CERT.AZ description as per RfC 2350

Distributed Denial of Service Attacks

Forouzan: Chapter 17. Domain Name System (DNS)

DDoS attacks in CESNET2

INFORMATION SECURITY GOVERNANCE READINESS IN GOVERNMENT INSTITUTION

Table of Contents. Confidential and Proprietary

OrchSec: An Orchestrator-Based Architecture For Enhancing Network Monitoring and SDN Control Functions

DNS at NLnet Labs. Matthijs Mekking

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DNS amplification attacks

DNS Pharming Attack Lab

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Transcription:

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques Klaus Steding-Jessen jessen@cert.br! Computer Emergency Response Team Brazil - CERT.br Network Information Center Brazil - NIC.br Brazilian Internet Steering Committee - CGI.br

CGI.br and NIC.br Structure GOVERNMENT (Appointed) I. E. CIVIL SOCIETY (Elected) Executive Branch Administrative Support Legal Counsel Pubic Relations Domain Registration IP Assignment Studies and Surveys About ICT use Internet Engineering and New Projects W3C Brazilian Office 1 Ministry of Science and Technology (Coordination) 2 Ministry of Communications 3 Presidential Cabinet 4 Ministry of Defense 5 Ministry of Development, Industry and Foreign Trade 6 Ministry of Planning, Budget and Management 7 National Telecommunications Agency 8 National Council of Scientific and Technological Development 9 National Forum of Estate Science and Technology Secretaries 10 Internet Expert 21 Academia 11 Internet Service Providers 12 Telecommunication Infrastructure Providers 13 Hardware and Software Industries 14 General Business Sector Users 15 Non-governmental Entity 16 Non-governmental Entity 17 Non-governmental Entity 18 Non-governmental Entity 19 Academia 20 Academia

The Brazilian Internet Steering Committee - CGI.br CGI.br is a multi-stakeholder organization created in 1995 by the Ministries of Communications and Science and Technology to coordinate all Internet related activities in Brazil. Among the diverse responsibilities reinforced by the Presidential Decree 4.829, has as the main attributions: to propose policies and procedures related to the regulation of Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and recommend technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IP) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics http://www.cgi.br/english/

CERT.br Activities Incident Handling Coordination Facilitation Support Statistics Training and Awareness Courses Presentations Documents Meetings Network Monitoring Distributed Honeypots SpamPots http://www.cert.br/about/

Agenda DRDoS attacks using big DNS records for amplification Solution Mitigation close open resolvers rate limiting in authoritative DNS servers

Anatomy of a DRDoS Attack using Open Resolvers Recomendações para Evitar o Abuso de Servidores DNS Recursivos Abertos http://www.cert.br/docs/whitepapers/dns-recursivo-aberto/

Big DNS Record Example (70x amplification) ; <<>> DiG 9.7.6-P1 <<>> directedat.asia ANY! ;; global options: +cmd! ;; Got answer:! ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13971! ;; flags: qr rd ra; QUERY: 1, ANSWER: 259, AUTHORITY: 2, ADDITIONAL: 0!! ;; QUESTION SECTION:! ;directedat.asia.!!in!any!! ;; ANSWER SECTION:! directedat.asia.!14226!in!a!204.11.52.123! directedat.asia.!14226!in!a!204.11.52.124! directedat.asia.!14226!in!a!204.11.52.125!! [...]!! ;; Query time: 49 msec! ;; SERVER: 190.90.225.253#53(190.90.225.253)! ;; WHEN: Mon May 6 14:27:09 2013! ;; MSG SIZE rcvd: 4252!

Solution and Possible Mitigations Solution for attacks using IP spoofing is the wide adoption of Ingres/Egress filtering BCP 38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing http://tools.ietf.org/html/bcp38 Mitigations Fix Open Recursive DNS Servers should answer only to client networks Implement rate limiting in authoritative DNS Servers

CERT.br Effort to Close Open Resolvers in Brazil Partnership with the Open DNS Resolver Project Received the list of all Brazilian open resolver Send notification to all ASNs More than 70 thousand open resolvers Notification sent to network owner with details about how to test and solve the problem Online document in Portuguese with more detailed information and configuration examples http://www.cert.br/docs/whitepapers/dns-recursivo-aberto/

Questions? Klaus Steding-Jessen jessen@cert.br! CGI.br - Brazilian Internet Steering Committee http://www.cgi.br/ NIC.br http://www.nic.br/ CERT.br http://www.cert.br/

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information