Identifying Patterns in DNS Traffic

Similar documents
page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

DNS Best Practices. Mike Jager Network Startup Resource Center

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Defending against DNS reflection amplification attacks

How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net

Recommendations for dealing with fragmentation in DNS(SEC)

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Preventing DNS Amplification Attacks using white- and greylisting

How To Understand A Network Attack

DOMAIN NAME SECURITY EXTENSIONS

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Use Domain Name System and IP Version 6

DNS amplification attacks

Attack and Defense Techniques

Stateful Firewalls. Hank and Foo

Remote DNS Cache Poisoning Attack Lab

How To Understand The Effect Of A Domain Name Extension On A Network Attack On A Domain Names Server (Dns)

How to launch and defend against a DDoS

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

dnsperf DNS Performance Tool Manual

MONITORING OF TRAFFIC OVER THE VICTIM UNDER TCP SYN FLOOD IN A LAN

Internet-Praktikum I Lab 3: DNS

How To Mitigate A Large Volume Of Dns Amplification Attacks

Large-scale DNS and DNSSEC data sets for network security research

Defeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect

Passive Monitoring of DNS Anomalies

DDoS Mitigation Techniques

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

An Intrusion Detection System for Kaminsky DNS Cache poisoning

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

DNS Cache-Poisoning: New Vulnerabilities and Implications, or: DNSSEC, the time has come!

Linux firewall. Need of firewall Single connection between network Allows restricted traffic between networks Denies un authorized users

Network Security DNS, DDOS and Firewalls

CSE 127: Computer Security. Network Security. Kirill Levchenko

Using the Domain Name System for System Break-ins

Decoding DNS data. Using DNS traffic analysis to identify cyber security threats, server misconfigurations and software bugs

The Domain Name System from a security point of view

Domain Name System (DNS) RFC 1034 RFC

Domain Name System. DNS is an example of a large scale client-server application. Copyright 2014 Jim Martin

Security of IPv6 and DNSSEC for penetration testers

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

The role of JANET CSIRT

DNS security: poisoning, attacks and mitigation

Network Security. DNS (In)security. Radboud University, The Netherlands. Autumn 2015

DNS at NLnet Labs. Matthijs Mekking

FAQ (Frequently Asked Questions)

Acquia Cloud Edge Protect Powered by CloudFlare

How To Protect A Dns Authority Server From A Flood Attack

Denial of Service (DoS) attacks and countermeasures. Pier Luigi Rotondo IT Specialist IBM Rome Tivoli Laboratory

SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure

DNSSEC Applying cryptography to the Domain Name System

CloudFlare advanced DDoS protection

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

Depth-in-Defense Approach against DDoS

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

Visualization for Network Traffic Monitoring & Security

Computer Networks: DNS a2acks CS 1951e - Computer Systems Security: Principles and Prac>ce. Domain Name System

1. Firewall Configuration

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

An Efficient Filter for Denial-of-Service Bandwidth Attacks

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Firewalls. configuring a sophisticated GNU/Linux firewall involves understanding

OrchSec: An Orchestrator-Based Architecture For Enhancing Network Monitoring and SDN Control Functions

CS5008: Internet Computing

Ralph Dolmans A solution for the DNS amplification attack problem

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

INLICHTINGEN DIENSTEN INLICHTINGEN DIENSTEN

DNS Amplification Attacks. Preliminary release Randal Vaughn and Gadi Evron March 17, 2006

Attack and Defense Techniques 2

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

Reducing the impact of DoS attacks with MikroTik RouterOS

Chapter 11 Cloud Application Development

Characterization and Analysis of NTP Amplification Based DDoS Attacks

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

A43. Modern Hacking Techniques and IP Security. By Shawn Mullen. Las Vegas, NV IBM TRAINING. IBM Corporation 2006

Transcription:

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack Send DNS query with spoofed source address to name server Name server replies with a large(r) message to the victim Flood the link to the victim 1 of 22

Reflection and Amplification Attacks Prevention Firewalling on simple patterns BCP 38 (Network Ingress Filtering) [3] Resolvers RFC 5358 ( Preventing Use of Recursive Nameservers in Reflector Attacks ) [1] Firewalling based on IP addresses Authoritative Response Rate Limiting [10] Most Promising Doesn t block all attacks [8] DNS Dampening [2] 2 of 22

Research Question How to analyse a large data set of DNS messages? How to recognize patterns in the data? What types of behaviour can be detected in traffic to and from authoritative DNS servers and how can this detection be used to mitigate denial-of-service attacks? 3 of 22

Visualization Means of exploring data Uses the cognitive system to identify patterns Several visualizations for name server statistics exist Used before on resolver logs to identify security issues [6] 4 of 22

Data Packet Captures from authoritative name server from SURFnet 5 days of data 250 Gigabytes 630 million records Convert to JSON Inserted into ElasticSearch cluster { " dns ": { " additional ": [], " answer ": [], " authority ": [], " edns ": { " bufsize ": 4096, " flags ": { "DO": true }, " version ": 0 }, " flags ": { "CD": true }, " opcode ": " QUERY ", " qid ": 34314, " question ": [ { " name ": " ns1. surfnet.nl.", " type ": " AAAA " } ], " rcode ": " NOERROR " }, " dport ": 53, " dst ": " 192.87.106.101 ", " sport ": 55564, " src ": " 203.0.113.77 ", " timestamp_unix ": 1370304171.488599, " udp_len ": 51 } 5 of 22

Tools Rationale Visual Information-Seeking Mantra Overview first, zoom and filter, then details-on-demand. [9] Batch tools Interactive GUI tools 6 of 22

Tools Batch Tool 1 Source Port versus Query ID RFC 5452 (excerpt)[4]... Resolver implementations MUST: o Use an unpredictable source port for outgoing queries from the range of available ports (53, or 1024 and above) that is as large as possible and practicable;... o Use an unpredictable query ID for outgoing queries, utilizing the full range available (0-65535).... 7 of 22

Tools Source Port Findings Bias of port numbers near 32768 (2 15 ) Not a single source NAT Firewall Increases ease of cache-poisoning attacks [5] 9 of 22

Tools Findings Attack Spreading to Defeat Response Rate Limiting Bias in Query IDs Queries are mostly ANY Query Names spread fairly evenly IP Addresses from a DDOS protected hoster 11 of 22 Figure: A bargraph with the frequency of Query Names for this IP Address.

Tools Batch Tool EDNS0 Buffersize Average High buffersizes Might indicate abuse (large buffer large response) Can cause fragmentation [7] 12 of 22

Tools Interactive Tools Show data matching filters Filter on many of the fields/flags Used to zoom into the data 13 of 22

Tools Interactive Tools Aggregated View Frequency of values a field Keeps the previous graph + filters on-screen Movie 14 of 22

Tools Interactive Tools Parallel Coordinates Shows the relationship between fields in messages Select fields to show Re-order axes Show subselections of axes Movie 15 of 22

Conclusion What types of anomalous behaviour can be detected in traffic to and from authoritative DNS servers and how can this detection be used to mitigate denial-of-service attacks? Several different anomalous behaviours detected Source port selection of resolvers is not distributed well Some attackers re-use query IDs There are attacks in the wild that defeat RRL Visual approach works for initial identification, the insights gained could be used to develop new mitigation mechanisms 16 of 22

Future Work More interactivity Details on demand Real-time tools Statistical analysis of visually identified patterns Analyse more DNS message fields 17 of 22

18 of 22 QUESTIONS?

Bibliography (1) [1] J. Damas and F. Neves. Preventing Use of Recursive Nameservers in Reflector Attacks. RFC 5358 (Best Current Practice). Internet Engineering Task Force, Oct. 2008. url: http://www.ietf.org/rfc/rfc5358.txt. [2] Lutz Donnerhacke. DNS Dampening. Accessed: 19 Jun 2013. 23 Sept 2012. url: http://lutz.donnerhacke.de/eng/blog/dns-dampening. [3] P. Ferguson and D. Senie. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing. RFC 2827 (Best Current Practice). Updated by RFC 3704. Internet Engineering Task Force, May 2000. url: http://www.ietf.org/rfc/rfc2827.txt. 19 of 22

Bibliography (2) [4] A. Hubert and R. van Mook. Measures for Making DNS More Resilient against Forged Answers. RFC 5452 (Proposed Standard). Internet Engineering Task Force, Jan. 2009. url: http://www.ietf.org/rfc/rfc5452.txt. [5] Dan Kaminsky. Black ops 2008: It s the end of the cache as we know it. In: Black Hat USA (2008). [6] Pin Ren, John Kristoff, and Bruce Gooch. Visualizing DNS traffic. In: Proceedings of the 3rd international workshop on Visualization for computer security. ACM. 2006, pp. 23 30. 20 of 22

Bibliography (3) [7] Roland van Rijswijk Deij. DNSSEC and Fragmentation A Prickly Combination. Given at ICANN 45 in Toronto, 17 Oct 2012. 2012. url: http://toronto45.icann.org/meetings/toronto2012/ presentation-dnssec-fragmentation-17oct12-en.pdf. [8] T Rozekrans and J de Koning. Defending against DNS reflection amplification attacks. 2013. url: http: //www.nlnetlabs.nl/downloads/publications/reportrrl-dekoning-rozekrans.pdf. [9] Ben Shneiderman. The eyes have it: A task by data type taxonomy for information visualizations. In: Visual Languages, 1996. Proceedings., IEEE Symposium on. IEEE. 1996, pp. 336 343. 21 of 22

Bibliography (4) [10] Paul Vixie and Vernon Schryver. DNS Response Rate Limiting (DNS RRL). url: http://ss.vix.su/~vixie/isc-tn-2012-1.txt. 22 of 22

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information