DNS Authentication-as-a-Service Preventing Amplification Attacks

Transcription

1 DNS Authentication-as-a-Service Preventing Amplification Attacks Amir Herzberg Bar-Ilan University Haya Shulman Technische Universität Darmstadt

2 Denial of Service Attacks: Statistics Reported bandwidths of DoS attacks 100Gbps in Gbps in 2011 and Gbps (in 2013 against Spamhaus and Cloudflare) >300Gbps in Hong Kong last week DNS most common amplifier Small requests large responses Amplification factor > 100%

3 Amplification Reflection DDoS Attacks Attacks from multiple sources (DDoS attacks) Often use reflection Attacker sends requests from spoofed address of victim Responses sent to victim Typically with amplification responses larger than requests

4 Abusing DNS in Amplification DNS is most commonly abused amplifier Small requests (<100 bytes) produce large responses (>1000 bytes) Reflection

5 Limitations of Existing Defences Request rate limiting: limit #requests per interval Distribute requests btw multiple servers No alarm triggered - each receives low volume Dedicated infrastructure: reroute traffic via dedicated links Expensive Challenge-response authentication: number of proposals

6 Challenge-Response Authentication Trigger subsequent query If valid, respond, otherwise ignore Mechanisms for triggering subsequent query Retransmission timeout: ignore 1 st request, compliant resolver will resend Problem: attacker can also retransmit Transition to TCP: respond with TC bit, resolver resends request over TCP Problems: overhead on the name servers, no support at some clients, potential problems with FW, [USENIX13]

7 Cookie-Based Challenge-Response Authentication DNS records for triggering subsequent query Referral with a CNAME or NS and a cookie Cookie encodes the source IP address of the requester Check address in IP header matches IP in cookie [ICDCS06, AborNetworks-patent-09] IP for foo.bar? Referral via CNAME or NS Ask foo.bar at IP for foo.bar? == ?

8 Cookie-Based Challenge-Response Authentication Problems: Simple to subvert capture the cookie and distribute to bots Same resolver may send queries from different addresses NAT devices Load balancing Forwarders

9 Our Proposal: DNS Request Authentication Protocol: design challenge-response over DNS Correct challenge in second request authenticates valid source Ignore requests from invalid sources Cluster resolvers into connected components Differentiate malicious vs benign sources

10 DNS Authentication Protocol

11 DNS Authentication Protocol Challenges receives requests from clients Verifier uses multiple IP addresses Controller records reports from verifier and challenger in the DB

12 DNS Authentication Protocol Attacking strategies Either spoofed IP in 1 st step Or spoofed in 2 nd step

13 Attack Strategies and Detection

14 Construction of Clusters DNSSEC prevents attacks On-path (MitM) attacks (NSA, GCHQ,?) Off-path attacks [HS12,HS13a-c,SW14] Vulnerable name servers DNSSEC provides evidences Enables forensic analysis, detection of attacks see [SW14] DNSSEC would facilitate security protocols ROVER, DANE

15 Malicious Components Attacker can spoof IP of victim in 1 st request But, cannot echo valid challenge in 2 nd request malicious components never have arrow from victim to attacker

16 Detection Accuracy Effectiveness on real networks: more addresses for verifier higher detection accuracy Average size 2 11 Cloud-based deployment

17 DNS Authentication As A Service Cloud based deployment Abundance of addresses and resources Configuration options: protect one domain vs protect multiple domains Detect anomalies and thwart name server specific attacks no direct communication to name servers Vulnerable operating systems or DNS software Much more difficult to take down

18 Conclusions DNS frequently abused in DDoS attacks Provides reflection+amplification Existing proposal do not offer adequate protection or too expensive Our approach: differentiate legitimate source vs malicious Minimal additional latency activate only during attacks

19 Questions? Thank you!