How To Attack Isc.Org.Org With A Dnet On A Network With A Pnet On The Same Day As A Dbus On A Pc Or Ipnet On An Ipnet.Org On A 2.5Th Gen.Net



Similar documents
How to launch and defend against a DDoS

DDoS Mitigation at CloudFlare

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Defeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect

DDoS attacks & other online vulnerabilities

DNSSEC and DNS Proxying

DNS at NLnet Labs. Matthijs Mekking

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

Internet-Praktikum I Lab 3: DNS

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

CSE 127: Computer Security. Network Security. Kirill Levchenko

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

How To Understand A Network Attack

DNS SECURITY TROUBLESHOOTING GUIDE

DDoS attacks in CESNET2

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Domain Name System (DNS) Fundamentals

Defending against DNS reflection amplification attacks

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

How To Protect A Dns Authority Server From A Flood Attack

How To Mitigate A Large Volume Of Dns Amplification Attacks

what s in a name? taking a deeper look at the domain name system mike boylan penn state mac admins conference

Domain Name System (DNS) Session-1: Fundamentals. Ayitey Bulley

netkit lab dns Università degli Studi Roma Tre Dipartimento di Informatica e Automazione Computer Networks Research Group Version Author(s)

Attack and Defense Techniques

The role of JANET CSIRT

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

Use Domain Name System and IP Version 6

How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Enabling DNS for IPv6 CSD Fall 2011

Unbound a caching, validating DNSSEC resolver. Do you trust your name server? Configuration. Unbound as a DNS cache (SEC-less)

Identifying Patterns in DNS Traffic

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Motivation. Domain Name System (DNS) Flat Namespace. Hierarchical Namespace

DNS Resolving using nslookup

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

DNS amplification attacks

IERG 4080 Building Scalable Internet-based Services

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

Measuring the Web: Part I - - Content Delivery Networks. Prof. Anja Feldmann, Ph.D. Dr. Ramin Khalili Georgios Smaragdakis, PhD

DNS (Domain Name System) is the system & protocol that translates domain names to IP addresses.

Domain Name System (DNS) RFC 1034 RFC

Analysis of a DDoS Attack

Reducing the Impact of Amplification DDoS Attack

NTP Reflection DDoS Attack Explanatory Document

CONSUL AS A MONITORING SERVICE

19. DDoS Mechanisms ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DDoS Mitigation Solutions

Regional cyber security considerations for network operations. Eric Osterweil Principal Scientist, Verisign

A Very Incomplete Diagram of Network Attacks

DNS Conformance Test Specification For Client

Local DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. SEED Labs Local DNS Attack Lab 1

How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.

DDoS. Artūrs Lavrenovs

KAREL UCAP DNS AND DHCP CONCEPTS MANUAL MADE BY: KAREL ELEKTRONIK SANAYI ve TICARET A.S. Organize Sanayi Gazneliler Caddesi 10

Security of IPv6 and DNSSEC for penetration testers

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

Denial of Service Attacks

A versatile platform for DNS metrics with its application to IPv6

DNSSEC Applying cryptography to the Domain Name System

How to Add Domains and DNS Records

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

The Domain Name System from a security point of view

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

DDoS Mitigation. Krassimir Tzvetanov NANOG 64. A10 Networks, Inc.

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

The curse of the Open Recursor. Tom Paseka Network Engineer

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

How To Understand The Effect Of A Domain Name Extension On A Network Attack On A Domain Names Server (Dns)

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Rough Outline. Introduction Why DNSSEC DNSSEC Theory Famous last words. Universiteit van Amsterdam, Sep 2006.

Creating a master/slave DNS server combination for your Grid Infrastructure

CDN SERVICE ICSS ROUTE MANAGED DNS DEUTSCHE TELEKOM AG INTERNATIONAL CARRIER SALES AND SOLUTIONS (ICSS)

CS 356 Lecture 16 Denial of Service. Spring 2013

DNS. Some advanced topics. Karst Koymans. (with Niels Sijm) Informatics Institute University of Amsterdam. (version 2.6, 2013/09/19 10:55:30)

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

Chapter 2 Application Layer

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

How-to: DNS Enumeration

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Coordinación. The background image of the cover is desgned by GUIDE TO DNS SECURITY 2

Hunting down a DDOS attack

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

Large-scale DNS and DNSSEC data sets for network security research

DDOS ATTACKS: PREPARATION-DETECTION-MITIGATION. Mohammad Fakrul Alam. bdhub. SANOG 21 January 27 - Feb 4, 2013 Cox's Bazar, Bangladesh

Configuring DNS on Cisco Routers

Table of Contents DNS. How to package DNS messages. Wire? DNS on the wire. Some advanced topics. Encoding of domain names.

DDoS Attacks & Mitigation

Transcription:

Surviving a DDoS Attack: What every host needs to know Maria Karaivanova, Business Development David Koston, Platform www.cloudflare.com

DDoS Attacks are becoming massive, and easier to initiate!2

Major Attacks against CloudFlare Customers 309 Gbps 400 Gbps 65 Gbps Feb 2012 Mar 2013 Feb 2014!3

1.5 million customers!4

!5

!6

!7

Monday, March 18th, 2013!8

!9

March 18th-21st Annoyance attacks, 10-80Gbps!10

Wednesday, March 20th ~75Gbps attack!11

Then, it got real!12

March 24th - 25th traffic Peaks of the attack reached 309Gbps!13

Monday, February 10th, 2014!14

400Gbps, Globally Distributed Attack!15

Breaking Down the Attacks!17

DDoS mechanics!18

IP Spoofing Hi, I m 1.2.3.4, and I need this info Attacker Here s your info Network Server 1.2.3.4!19

25.5% of networks allow spoofing spoofer.cmand.org!20

Spamhaus Attack: 309Gbps UDP DNS!21

Getting to 309Gbps 10 Mbps X 30900 = 309000 Mbps!22

An easier way: DNS Amplification 64 Bytes Attacker 3,363 Bytes Open DNS Resolver 50x Target Website!23

dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096!24

64 byte query!25

$ dig ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096!; <<>> DiG 9.8.3-P1 <<>> ANY isc.org @63.217.84.76 +edns=0 +notcp +bufsize=4096 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20458 ;; flags: qr rd ra; QUERY: 1, ANSWER: 26, AUTHORITY: 4, ADDITIONAL: 12!;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;isc.org. IN ANY!;; ANSWER SECTION: isc.org. 7147 IN SOA ns-int.isc.org. hostmaster.isc.org. 2013073000 7200 3600 24796800 3600 isc.org. 7147 IN NS ns.isc.afilias-nst.info. isc.org. 7147 IN NS ord.sns-pb.isc.org. isc.org. 7147 IN NS ams.sns-pb.isc.org. isc.org. 7147 IN NS sfba.sns-pb.isc.org. isc.org. 7 IN A 149.20.64.69 isc.org. 7147 IN MX 10 mx.pao1.isc.org. isc.org. 7147 IN TXT "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04f8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7147 IN TXT "$Id: isc.org,v 1.1835 2013-07-24 00:15:22 dmahoney Exp $" isc.org. 7 IN AAAA 2001:4f8:0:2::69 isc.org. 7147 IN NAPTR 20 0 "S" "SIP+D2U" "" _sip._udp.isc.org. isc.org. 3547 IN NSEC _adsp._domainkey.isc.org. A NS SOA MX TXT AAAA NAPTR RRSIG NSEC DNSKEY SPF isc.org. 7147 IN DNSKEY 256 3 5 BQEAAAABwuHz9Cem0BJ0JQTO7C/a3McR6hMaufljs1dfG/inaJpYv7vH XTrAOm/MeKp+/x6eT4QLru0KoZkvZJnqTI8JyaFTw2OM/ItBfh/hL2lm Cft2O7n3MfeqYtvjPnY7dWghYW4sVfH7VVEGm958o9nfi79532Qeklxh x8pxwdeaaru= isc.org. 7147 IN DNSKEY 257 3 5 BEAAAAOhHQDBrhQbtphgq2wQUpEQ5t4DtUHxoMVFu2hWLDMvoOMRXjGr hhcefvazih7yjhf8zgfw6hd38hxg/xylyco6krpbdojwx8ymxla5/ka+ u50wil8zr1r6ktbsyvmf/qx5rinbpclw+vt +U8eXEJmO20jIS1ULgqy3 47cBB1zMnnz/4LJpA0da9CbKj3A254T515sNIMcwsB8/2+2E63/zZrQz Bkj0BrN/9Bexjpiks3jRhZatEsXn3dTy47R09Uix5WcJt+xzqZ7+ysyL KOOedS39Z7SDmsn2eA0FKtQpwA6LXeG2w+jxmw3oA8lVUgEf/rzeC/bB ybnso70aeftd isc.org. 7147 IN SPF "v=spf1 a mx ip4:204.152.184.0/21 ip4:149.20.0.0/16 ip6:2001:04f8::0/32 ip6:2001:500:60::65/128 ~all" isc.org. 7147 IN RRSIG SPF 5 2 7200 20130828233259 20130729233259 50012 isc.org. XDoOYzkTHEV1W1V4TT50SsqXn4cxNhPvEuz3iFjq/oskLY9UOaK4GYDO GqHAjwNT0B6pUakKTQ3GvBjUBufPcEauCOl7L7kb8/cC6zYifUCoW0pS moiqxmyqfrpdtzyva894myuonggmmb6qw68hgpvvc6hzgwx9bomjvfyx uos= isc.org. 7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 12892 isc.org. COfF8fU6a8TBUG97SI/X+u2eKv7/mw+ixD3IWBnr3d3cWZmzF1sV8bWT YbuJebwnJMgN5OfB9PLsN+4QT617OjBe1dUF2M9jZeBiWsSsvvrdHnHM P8KwX6eayByDUoFsYe9VAH6C94XmOVXTQ7h7Cr0ytaVSXUytqFZV+DGn v3kqsi50v3ykfnpa JDqqs0treWjwV/SPlqWVqEAoU/KMZMtYpCEMbHVP 8nbRP3jj/10WLccPtjHhiw4Ka9Sk4o+b7BMYCgXGXlhaap21SUqkytHt 8RJdVxxd5Cj7Bi+O4LXODlS4bAZEDG7UoHR27MzXtvMZogsNyyNUKHSs FtUvBg== isc.org. 7147 IN RRSIG DNSKEY 5 2 7200 20130828230128 20130729230128 50012 isc.org. Mbr/QqJPoIuf3K5jCuABUIG0/zSHQ8iWZpqvHx7olVBEmTxhi3/vW+IE DW6VCE1EpZclSIlMMRZUnbBnVSpe0rZ13BxoLlRQqvsbC3jD15Se41WB DscD0S63C0GLqI9IhSyVugtlpqhA3CaluSqtABHbAktPP05Rm00tST2Y A5Q= isc.org. 3547 IN RRSIG NSEC 5 2 3600 20130828233259 20130729233259 50012 isc.org. V7G42xY7TY9wF1vsBlRFuJ2ror/QjftLoRrDCMfqFW6kb5ZswjKt5zho 4o2sIrylTqad68O+lMxrDcg+7c2D8Hdh84SC0DEkjunBXkGBtLtaJvO5 zmn+d/ OgUY5O7wtkerybJwZeiHcFxIkMRIcvsPKJYZWKCdaaCWibne7c w1s= isc.org. 7147 IN RRSIG NAPTR 5 2 7200 20130828233259 20130729233259 50012 isc.org. gwdvd0kacaygscgtrs4ikkhbbidfjfqs4druf4kupx2etl9fj1yrqoqk QFB5kBrzJLKh1IF4YpV+KYVUF82l3AtpsohpUH5Uyc3yD3r1CUDVyVvc T9qUrIuRpZLInD2kBLmDaG76MRz4Fz+NAkdXmwxZJhgTrfMLy+Uw/Ktk H7w= isc.org. 7 IN RRSIG AAAA 5 2 60 20130828233259 20130729233259 50012 isc.org. dfzio0vgt0mpttapoua3tfwdxspeuog127qedlqlgtxkgn1ppv/bd6r0 WktMagZY9rSqmjfXNPlF3Q+7YeTpMssQhHqjE/tDoj9q9r8RXuBLJ1+a VRq3+xMbxb5EXAyQVZw24LIuloqNprXePRUGCXNINSWd7VZEIDNqhu9C g7u= isc.org. 7147 IN RRSIG TXT 5 2 7200 20130828233259 20130729233259 50012 isc.org. WtB3SYzcOKpNbOtBlnmtsI0DCbDB4Kiv/HBY24PTZyWF/3tI8l+wZ+/p MfJ/SblbAzT67DO5RfxlOhr8UlRKVa70oqinQp5+rqiS67lv1hGO6ArO k +J0jLTis9Uz32653dgAxlgjEdWDKAg4F12TaHirAXxyI8fos5WNl/h4 GLo= isc.org. 7147 IN RRSIG MX 5 2 7200 20130828233259 20130729233259 50012 isc.org. BSXC42oV6MCF0dX2icyxnvyijhy569BJCoanm5VrIIuiNeTeo261FQJx 7ofFCWa4fKOoa+EZ0qloNPfDiczStr8MmK8Lznu6+8IRfdmcG/kURuSi JdvDa0swxjmCm9aYu2nhoyHs+jqbJ+9+fneI0iDUX1fiM+9G2K9BjLru NxU= isc.org. 7 IN RRSIG A 5 2 60 20130828233259 20130729233259 50012 isc.org. Gmb8tt8d7kxx4HsA8L6IdFYGGSJCA8PTWexUP3CBLna39e4a6gVzjoNd dei7b5mysaujzbexnx3dsagpjitjyfmml8ay0uo0tgyjqatyzwppv5lw xqkvc092bpjx9iekw+dc57f3m9loahjlmih7wyfn8jxqeg1lswjn0e35 Qvc= isc.org. 7147 IN RRSIG NS 5 2 7200 20130828233259 20130729233259 50012 isc.org. RBvXLeTH0726iKvElmBZYUE+AWG3s2YRxKxuCnrhg7o9qIQGKXvEXrb3 wjec/74ky2fw+rrz4f0qxodnpm+frpwipbcprf0sufdq82opqdwab2cm 0D9N95y1t9hYfSeHEsEEk2yWgLymd9/S24XCmwuVVZ7ZeYQmVEVkF7Jt V3A= isc.org. 7147 IN RRSIG SOA 5 2 7200 20130828233259 20130729233259 50012 isc.org. iidnh6tvmap0h2cduli8ihme+zbtq2+d3yckrqbc9trfa0ponaaz97af 15EIKyIpjiVybkP2DNLm5nkpNsgA+Ur+YQ6pr0hZKzbDkBllBIW4C0LV DsjzPX3qLPH4G3x/20M+TeGe4uzPB5ImPuw0VxB8g8ZP5znvdiZG6qen jas=!;; AUTHORITY SECTION: isc.org. 7147 IN NS ns.isc.afilias-nst.info. isc.org. 7147 IN NS ord.sns-pb.isc.org. isc.org. 7147 IN NS ams.sns-pb.isc.org. isc.org. 7147 IN NS sfba.sns-pb.isc.org.!;; ADDITIONAL SECTION: ns.isc.afilias-nst.info. 56648 IN A 199.254.63.254 ns.isc.afilias-nst.info. 56652 IN AAAA 2001:500:2c::254 ord.sns-pb.isc.org. 31018 IN AAAA 2001:500:71::30 ord.sns-pb.isc.org. 31018 IN A 199.6.0.30 ams.sns-pb.isc.org. 31018 IN AAAA 2001:500:60::30 ams.sns-pb.isc.org. 31018 IN A 199.6.1.30 sfba.sns-pb.isc.org. 31018 IN AAAA 2001:4f8:0:2::19 sfba.sns-pb.isc.org. 31018 IN A 149.20.64.3 mx.pao1.isc.org. 3547 IN AAAA 2001:4f8:0:2::2b mx.pao1.isc.org. 3547 IN A 149.20.64.53 _sip._udp.isc.org. 7147 IN SRV 0 1 5060 asterisk.isc.org.!26

3,363 byte response!27

1 laptop + 5-7 compromised servers + 3 networks which allow spoofing + 9Gbps of DNS requests to + 0.1% of all open resolvers - 300Gbps+ of DDoS attack traffic!28

Attack 2: 400Gbps UDP NTP!29

An EVEN easier way: NTP Amplification 64 Bytes Attacker 13184 Bytes NTP Server with MONLIST 206x Target Website!31

1 laptop + 1 compromised server + 1 network which allowed spoofing + 1.94Gbps of MONLIST to + 4,529 open NTP servers - 400Gbps+ of DDoS attack traffic!32

What s Next?? DNS 8x! EDNS 53x! NTP 206x! SNMP 650x!33

Protecting your network!34

28 million open DNS resolvers, lock yours down openresolverproject.org!35

Turn off MONLIST on your NTP servers openntpproject.org!36

Prevent IP Spoofing (network hygiene) BCP38 (ingress filtering): RFC2827 http://bcp38.info! BCP84 (for multi-homed networks): RFC3704 http://rfc-editor.org/rfc/rfc3704.txt!37

Use a global network!38

Anycast Dilutes Attacks 300Gbps of attack traffic / 24 locations = 12.5 Gbps per location!39

Hide Origin IPs Use separate IPs for HTTP, DNS, SMTP, etc! Public DNS should route to your EDGE s public IPs! Keep actual web device IPs protected!40

Filter traffic by IP and protocol No UDP packets should be able to hit your HTTP server! No HTTP packets should be able to hit your SMTP server!41

Protect your infrastructure Internal switches, routers, and other devices should be locked down from any external access.! All traffic should flow through EDGE devices which handle attacks.!42

Build relationships upstream Understand what your data center and bandwidth providers do about DDoS! Know who to call when trouble strikes! Share your IP/Protocol architecture with them!43

Questions?!44

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information