Harness Your Internet Activity!



Similar documents
How To Stop A Malicious Dns Attack On A Domain Name Server (Dns) From Being Spoofed (Dnt) On A Network (Networking) On An Ip Address (Ip Address) On Your Ip Address On A Pc Or Ip Address

Acquia Cloud Edge Protect Powered by CloudFlare

CloudFlare advanced DDoS protection

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

DDoS attacks in CESNET2

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

The curse of the Open Recursor. Tom Paseka Network Engineer

THE MASTER LIST OF DNS TERMINOLOGY. v 2.0

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Defeating DNS Amplification Attacks. Ralf Weber Senior Infrastructure Architect

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

The Environment Surrounding DNS. 3.1 The Latest DNS Trends. 3. Technology Trends

Distributed Denial of Service Attacks

page 1 DNS Rate Limiting W. Matthijs Mekking matthijs@nlnetlabs.nl 28 Feb 2013 Stichting NLnet Labs

Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

DNS Cache Poisoning Vulnerability Explanation and Remedies Viareggio, Italy October 2008

Ralph Dolmans A solution for the DNS amplification attack problem

How To Protect A Dns Authority Server From A Flood Attack

ANATOMY OF A DDoS ATTACK AGAINST THE DNS INFRASTRUCTURE

Securing an Internet Name Server

Domain Name System (DNS) RFC 1034 RFC

Use Domain Name System and IP Version 6

DNSSEC and DNS Proxying

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies DENOG 5 14 th November 2013

THE MASTER LIST OF DNS TERMINOLOGY. First Edition

Introduction to Network. Topics

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Defending your DNS in a post-kaminsky world. Paul Wouters <paul@xelerance.com>

How To Manage Dns On An Elfiq Link Load Balancer (Link Balancer) On A Pcode (Networking) On Ipad Or Ipad (Netware) On Your Ipad On A Ipad At A Pc Or Ipa

The secret life of a DNS query. Igor Sviridov <sia@nest.org>

The Future of DNS. Johan Ihrén Netnod. October 15,

DOMAIN NAME SECURITY EXTENSIONS

Chapter 25 Domain Name System Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

F5 Intelligent DNS Scale. Philippe Bogaerts Senior Field Systems Engineer mailto: Mob.:

ISP Systems Design. ISP Workshops. Last updated 24 April 2013

Internet Measurement Research

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Domain Name Abuse Detection. Liming Wang

Akamai CDN, IPv6 and DNS security. Christian Kaufmann Akamai Technologies APNIC th August 2013

How to launch and defend against a DDoS

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

DoS/DDoS Attacks and Protection on VoIP/UC

PowerDNS Introduction

DDoS attacks on electronic payment systems. Sean Rijs and Joris Claassen Supervisor: Stefan Dusée

Firewalls and Intrusion Detection

DEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager

Application and service delivery with the Elfiq idns module

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

Part 5 DNS Security. SAST01 An Introduction to Information Security Martin Hell Department of Electrical and Information Technology

Where is Hong Kong in the secure Internet infrastructure development. Warren Kwok, CISSP Internet Society Hong Kong 12 August 2011

Internet Security [1] VU Engin Kirda

CS 348: Computer Networks. - DNS; 22 nd Oct Instructor: Sridhar Iyer IIT Bombay

Firewalls 1 / 43. Firewalls

Network Layers. CSC358 - Introduction to Computer Networks

Defending against DNS reflection amplification attacks

Chapter 4 Firewall Protection and Content Filtering

Evaluation Guide. Powerful & Immediate Business Web Security via the Cloud

DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

A Survey of cctld DNS Vulnerabilities. ITU cctld Workshop March 3, 2003

Domain Name System :49:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

SSAC Advisory SAC008 DNS Distributed Denial of Service (DDoS) Attacks

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

Preventing DNS Amplification Attacks using white- and greylisting

dnsperf DNS Performance Tool Manual

How To Block A Ddos Attack On A Network With A Firewall

DNS. The Root Name Servers. DNS Hierarchy. Computer System Security and Management SMD139. Root name server. .se name server. .

Names & Addresses. Names & Addresses. Names vs. Addresses. Identity. Names vs. Addresses. CS 194: Distributed Systems: Naming

Teldat Router. DNS Client

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

LAN TCP/IP and DHCP Setup

Securing Your Business with DNS Servers That Protect Themselves

A S B

Network Fundamentals Carnegie Mellon University

Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)

Quality Certificate for Kaspersky DDoS Prevention Software

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Introduction to Network Operating Systems

Network attack and defense

Configuration Notes 0215

Computer Networks: Domain Name System

Deploying IP Anycast. Core DNS Services for University of Minnesota Introduction and General discussion

Single Pass Load Balancing with Session Persistence in IPv6 Network. C. J. (Charlie) Liu Network Operations Charter Communications

Firewall Firewall August, 2003

The Impact of DNSSEC. Matthäus Wander. on the Internet Landscape. Duisburg, June 19, 2015

Security vulnerabilities in the Internet and possible solutions

INTERNET DOMAIN NAME SYSTEM

Application-layer protocols

Application Firewalls

Transcription:

Harness Your Internet Activity

Random Subdomain Attacks Plaguing the Internet

Agenda Brief Intro Covered at last OARC Attack overview Latest data Progress on open dns proxies in home gateways Impact of Response Rate Limiting? Chinese pornography sites Hong Kong news site Testing resolvers (Over) ambitious idea What can we do? Success filtering ingress traffic, some challenges??? 3

Random Subdomain Attacks RANDOM TARGET NAME wxctkzubkb..liebiao.800fy.com three labels qzgziliv. 11hehe.com two labels 4

Random Subdomain Attacks Open DNS Proxies are the Vector for Attacks Compromised hosting Internet Target Web Site Authoritative Server 3 NXD responses 1 Query with randomized subdomains 2 Recursive queries Open DNS Proxy (Home Gateway) ISP ISP Resolver

Latest Data: Unique Names 2000 Millions 1800 1600 1400 1200 1000 800 600 Start of attack activity Jan 28, 2014 400 200 0 6

Impact of Response Rate Limiting Attacker Bad Case Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Spoofed IP Border Home Gateway Proxy query, translates IP NXD Proxy query, translate IP Resolver NXD Recursion Authority NXD Worse Case Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Spoofed IP Proxy query, translates IP NXD Proxy query, translate IP NXD Recursion Truncate Retry TCP NXD Response Rate Limiting 7

Attacks at Scale Attacker Spoofed IP Randomized queries Border Home Gateway Proxy query, translate IP Resolver Recursion Authority Resolver stress TCP overhead Resolver doesn t get responses, tries new Authorities, cascading failures Retry TCP Truncate Response Rate Limiting Authority Fails High traffic with TCP overhead 8

Hong Kong News Site Sept 28, 2014 UTC Height of Hong Kong democracy protests Distinct shift in tactics 98% of attacks on one domain Typical day 4-6 domains attacked, usually gaming sites Hong Kong online news Passion Times Website offline 13 hours 9

Chinese Pornography Sites Sept 25/26 2014 (UTC) Another shift in tactics 42 domains attacked simultaneously Attack lasted 6 hours Most web sites went down Motive for most attacks remains unclear Monetization is likely very modest Collateral damage across the Internet far exceeds revenue from DDoS for hire 10

Sept 25/26 Attacks Data from 5 providers Volume of attack queries In Millions Small fraction of overall attack activity Nominum est << 5% 80 40 10 45 25 5 11

Sept 25/26 Attacks Data from 5 providers % attack queries 60 30 10 35 20 5 12

Oct 3-6 Attacks In-media is an Independent Hong Kong news site millions 25 15 5 13

Many Problems to Address Home Gateways mask the spoofed source IP Challenges, DNS cookies won t work at either resolvers OR authorities Queries are from legitimate IPs blacklisting eliminates all traffic for those IPs Response Rate Limiting by authorities increases the workload for both resolvers and authorities It was designed for attacks directly on authoritative servers Rate limiting resolvers is counter productive Surrounding recursion with too much logic can be problematic Doesn t address root cause Collateral damage is observed: Servers marked as non-responsive by recursor recovering but still not being used Nameservers serving multiple domains taken out of service by traffic for one domain Tendency for cascading failures Authorities successively fail increasing stress on remaining authorities This in turn increases stress on resolvers 14

Solutions Filter traffic at ingress to the resolver Near real time block lists Randomized subdomains used for attacks Protect good traffic Whitelist Fine grained policy Tie the lists together: Block bad traffic Answer good traffic IDEAS? 15

Testing Resolvers Goal: Understand impact of PRSD on resolvers BIND PowerDNS Undound Vantio Method: Simulate DNS E-E behavior Attack behavior Easy Resolvers Easy Authorities Hard Variability of Internet Very hard Whoops 16

Current Test Plan Authoritative server answers up to threshold, then randomly drops Authoritative server switches to TCP at threshold, then restricts tcp connection slots Authoritative server drops traffic for attack domains, answers other domains Authoritative server doesn t answer, other servers for domain successively fail, vary latency response latency IDEAS? 17