How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Similar documents
page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DDoS attacks in CESNET2

The Continuing Denial of Service Threat Posed by DNS Recursion (v2.0)

Blocking DNS Messages is Dangerous

Managing Security Incidents. in an IPv6 World

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DNS amplification attacks

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

LAB II: Securing The Data Path and Routing Infrastructure

How To Block A Ddos Attack On A Network With A Firewall

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

How To Understand A Network Attack

How to launch and defend against a DDoS

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

/ Staminus Communications

Current Counter-measures and Responses by the Domain Name System Community

Fireware How To Dynamic Routing

How To Protect A Dns Authority Server From A Flood Attack

Acquia Cloud Edge Protect Powered by CloudFlare

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

CloudFlare advanced DDoS protection

CS 356 Lecture 16 Denial of Service. Spring 2013

Internet Infrastructure Security Technology Details. Merike Kaeo

Harness Your Internet Activity!

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

NETNOD Autumn 2014 October 2, 2014

DDoS Mitigation Solutions

Strategies to Protect Against Distributed Denial of Service (DD

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

Security Toolsets for ISP Defense

SSAC Advisory on DDoS Attacks Leveraging DNS Infrastructure

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

DOMAIN NAME SECURITY EXTENSIONS

DOMAIN NAME SYSTEM (DNS)

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Denial of Service Attacks

Use Domain Name System and IP Version 6

Arbor s Solution for ISP

The ISP Column A monthly column on things Internet. NTP for Evil. The Evolution of Evil. March 2014 Geoff Huston

TECHNICAL WHITE PAPER. Infoblox and the Relationship between DNS and Active Directory

Characterization and Analysis of NTP Amplification Based DDoS Attacks

How Cisco IT Protects Against Distributed Denial of Service Attacks

A S B

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

The curse of the Open Recursor. Tom Paseka Network Engineer

Introduction TELE 301. Routers. Firewalls

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

BGP Best Practices for ISPs Prefix List, AS PATH filters, Bogon Filters, Anycast, Mailing Lists, INOC DBA

DDoS Attacks Can Take Down Your Online Services

Reducing the impact of DoS attacks with MikroTik RouterOS

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DNS Best Practices. Mike Jager Network Startup Resource Center

DDoS Overview and Incident Response Guide. July 2014

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Introduction to Firewalls

Denial Of Service. Types of attacks

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Prolexic Quarterly Global DDoS Attack Report Q1 2013

How To Mitigate A Ddos Attack

TDC s perspective on DDoS threats

Attacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand

FortiDDos Size isn t everything

Yahoo Attack. Is DDoS a Real Problem?

JPCERT/CC Internet Threat Monitoring Report [January 1, March 31, 2015]

Reducing the Impact of Amplification DDoS Attack

Approaches for DDoS an ISP Perspective.

Analysis of a DDoS Attack

Seminar Computer Security

How To Protect Your Network From A Ddos Attack On A Network With Pip (Ipo) And Pipi (Ipnet) From A Network Attack On An Ip Address Or Ip Address (Ipa) On A Router Or Ipa

TECHNICAL NOTE 06/02 RESPONSE TO DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACKS

DESTINATION BASED RTBH FILTERING AT ATTACK ORIGINATING INTERNET SERVICE PROVIDER

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Cisco Network Foundation Protection Overview

Prolexic Quarterly Global DDoS Attack Report Q Q saw significant increases in average DDoS attack bandwidth and packet-per-second rates

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

Ralph Dolmans A solution for the DNS amplification attack problem

Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks

Firewalls and Intrusion Detection

Identifying Patterns in DNS Traffic

Service Description DDoS Mitigation Service

Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

Cloud Security In Your Contingency Plans

Unicast Reverse Path Forwarding

Attack and Defense Techniques

Distributed Denial of Service Attack Tools

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Oblivious DDoS Mitigation with Locator/ID Separation Protocol

NTP Reflection DDoS Attack Explanatory Document

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

Transcription:

DNS Amplification Are YOU Part of the Problem? (RIPE66 Dublin, Ireland - May 13, 2013) Merike Kaeo Security Evangelist, Internet Identity merike@internetidentity.com

INTRO Statistics on DNS Amplification Attacks in 2012/2013 March / April Measurements on Open Recursive Resolvers How To Close Open Recursive Resolvers What Other Basic Network Hygiene Can Help?

DNS AMPLIFICATION ATTACK WHAT IS IT? Attacker sends a small request with the expectation of invoking a much larger response Open Resolver BOOM! (4) Open resolvers send DNS response to target name server Unfortunate Target (2) Open resolver asks authoritative bad.<tld> for record malicious record (1) Attack traffic sends DNS query for record malicious record in domain bad.<tld> to open recursive servers and set source IP to <target IP address> Authoritative bad.<tld> (3) Authoritative bad.<tld> responds with record malicious record

GROWING TRENDS Reflective DDoS attacks use IP addresses of legitimate users Combining spoofed addresses with legitimate protocol use makes mitigation extremely difficult what do you block and where? Recent trends have been utilizing DNS as attack vector since it is a fundamentally used Internet technology Exploit unmanaged open recursive resolvers Exploit large response profile to some standard queries (DNSSEC) Utilize resources of large hosting providers for added attack bandwidth Many other Internet protocols also susceptible

HOW BAD IS THE PROBLEM? Largest in 2012 Event Time Start: Aug 1, 2012 00:33:00 UTC A:ack Types: DNS Flood, GET Flood, UDP Fragment Flood, ICMP Flood DesInaIon Ports: 80,443,53 Industry VerIcal: Financial Peak Bandwidth: 42.2 Gbps Peak pps: 2.1 Mpps Source: Prolexic Trending data points to an increase of DNS attacks that can be observed in the comparison of Q1 2012 (2.50 percent), Q4 2012 (4.67 percent), and Q1 2013 (6.97 percent). This represents an increase of over 200 percent in the last year. Source: Prolexic Quarterly Global DDoS Attack Report Q1 2013

WHY DOES THE DNS AMPLIFICATION WORK SO WELL? Victims cannot see actual originator of attack Lots of DNS packets from a wide variety of real DNS servers Victims cannot block the BotNet making the spoofed queries DNS servers are answering seemingly normal requests Originating ISPs aren t impacted Originating ISPs only see small amounts of traffic Filtering attack traffic is difficult in practice The open resolvers are themselves not infected not malicious Depending on architecture, may block legitimate traffic

WHY WOULD PEOPLE RUN OPEN RESOLVERS? Deliberate Services Google, OpenDNS, DynDNS, Amazon Route53 Ensure reliability and stability Many are not deliberate why do they exist? Evil DNS servers run by criminals on bulletproof hosts Everyone else Hosting companies Small/medium ISPs Enterprises, SMBs Default device configuration

WHAT NEEDS TO BE DONE Ensure no unmanaged open recursive resolvers exist Equipment vendors need ship default as CLOSED BCPs should not show recursive resolver configurations as open Get everyone to participate in stopping ability to spoof IP addresses ISPs need to do ingress filtering (BCP38/BCP84) Enterprises/SMBs need to implement egress filters Equipment vendors need to have better defaults for helping alleviate spoofing Sponsoring research/studies to get definitive data on where IP address spoofing is possible may help MIT Spoofer Project (http://spoofer.csail.mit.edu)

PROJECTS THAT HELP DETERMINE OPEN RESOLVERS Measurement Factory http://dns.measurement-factory.com/surveys/openresolvers.html has been running tests for open recursive resolvers since 2006 have daily reports of open resolvers per AS number send DNS query to a target IP address for a name in test.openresolver.org domain (target IP addresses tested no more than once every three days) The Open Resolver project http://openresolverproject.org started in March 2013 active scans run on a weekly basis that get some added information

THE MEASUREMENT FACTORY [On main page go to Results then DNS survey results and finally Open Resolvers ]

MEASUREMENT FACTORY DATA Data from May 7, 2013 that show worst offenders of open recursive resolvers from measurement factory. Summary of data that listed open resolvers per AS the first 100 with the most open resolvers listed Number of Open Resolvers in an AS 0% 18% 25% 17% 40% ARIN RIPE APNIC LACNIC AfriNIC h:p://dns.measurement- factory.com/surveys/openresolvers/asn- reports/

OPEN RESOLVER PROJECT

OPEN RECURSIVE RESOLVER PROJECT STATS 40,000,000 35,000,000 30,000,000 25,000,000 20,000,000 15,000,000 10,000,000 5,000,000 Responded Diff IP Response Correct Answer SrcPort Not UDP/53 RecursionAvail 0

OPEN RECURSIVE RESOLVER PROJECT RCODE STATS 35,000,000 30,000,000 25,000,000 20,000,000 15,000,000 10,000,000 5,000,000 RCODE=0 RCODE=1 RCODE=2 RCODE=3 RCODE=4 RCODE=5 0

OPEN RECURSIVE RESOLVER PROJECT RCODE STATS(2) 3,500,000 3,000,000 2,500,000 2,000,000 1,500,000 1,000,000 500,000 RCODE=1 RCODE=2 RCODE=3 RCODE=4 RCODE=5 0

CLOSING RECURSIVE RESOLVERS RFC 5358 (BCP 140): Preventing Use of Recursive Nameservers in Reflector Attacks http://www.ietf.org/rfc/rfc5358.txt BIND http://www.zytrax.com/books/dns/ch9/close.html Team CYMRU Pointers to BIND implementations and Microsoft http://www.team-cymru.org/services/resolvers/instructions.html

DNS RESPONSE RATE LIMITING (DBS RRL) http://www.redbarn.org/dns/ratelimits

WHAT OTHER BASIC NETWORK HYGIENE HELPS? Ingress Filtering (BCP38/BCP84) Using simple filters Using urpf - http://www.cisco.com/en/us/docs/ios/sec_data_plane/configuration/guide/ sec_cfg_unicast_rpf.html - http://www.juniper.net/techpubs/en_us/junos9.4/topics/concept/unicast-rpfex-series.html - https://tools.ietf.org/html/draft-savola-bcp84-urpf-experiences-03 Transit Route Filters Peering Route Filters IX Specific Set next-hop self on border routers Do not redistribute connected routes into IGP/BGP

INGRESS/EGRESS FILTERS INGRESS SMB Customer ISP Deploy an?- spoofing filters as close to poten?al source as possible router bgp <AS#> neighbor <IP> remote-as <AS#> neighbor <IP> prefix-list customer in ip prefix-list customer permit <netblock> ip prefix-list customer deny <everything else> ipv6 access-list extended DSL-ipv6-Inbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Inbound in INGRESS EGRESS Home Customer ipv6 access-list extended DSL-ipv6-Outbound permit ipv6 2001:DB8:AA65::/48 any deny ipv6 any any log interface atm 0/0 ipv6 traffic-filter DSL-ipv6_Outbound out

DON T BE PART OF THE PROBLEM (PLEASE) Test to determine whether you have unmanaged open resolvers in your environment http://www.thinkbroadband.com/tools/dnscheck.html http://dns.measurement-factory.com/cgi-bin/openresolverquery.pl Ensure that you are helping stop spoofed traffic as close to the source as possible You don t need to use urpf simple filters work Added References: http://www.cisco.com/web/about/security/intelligence/dns-bcp.html https://devcentral.f5.com/tech-tips/articles/building-a-resilient-secure-dnsinfrastructure#.uyij55usm_u

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information