DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

Similar documents
DDoS Beasts and How to Fight Them. Artyom Gavrichenkov

draft-moura-dnsop-authoritativerecommendations-03

DNS Survival Guide. Artyom Gavrichenkov

CSCE 463/612 Networks and Distributed Processing Spring 2018

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

The ISP Column A column on things Internet. Three DNS articles: 3. Helping Resolvers to help the DNS. RFC8192 Aggressive NSEC Caching

When the Dike Breaks: Dissecting DNS Defenses During DDoS

Computer Security: Principles and Practice

DDoS Beasts and How to Fight Them. Artyom Gavrichenkov

When the Dike Breaks: Dissecting DNS Defenses During DDoS

CSE 565 Computer Security Fall 2018

Chapter 7. Denial of Service Attacks

Using DNS Service for Amplification Attack

Cloudflare Advanced DDoS Protection

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Computer Networks - Midterm

DoH and DoT experience. Ólafur Guðmundsson Marek Vavrusa

Measuring Global DNS Propagation Times Using RIPE Atlas. Bachelor Thesis by Tim Wattenberg RIPE Regional Meeting Almaty, Kazakhstan

Spoof Detection for Preventing DoS Attacks against DNS Servers

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

CSCE 463/612 Networks and Distributed Processing Spring 2018

DNS LLQ. IETF 91 Honolulu Tom Pusateri. Updated: 11/12/14 1

DOMAIN NAME SECURITY EXTENSIONS

(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Overview. Last Lecture. This Lecture. Next Lecture. Scheduled tasks and log management. DNS and BIND Reference: DNS and BIND, 4 th Edition, O Reilly

August 14th, 2018 PRESENTED BY:

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Managing Caching DNS Server

Impact of security vulnerabilities in timing protocols on Domain Name System (DNS)

Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

BEST PRACTICES FOR IMPROVING EXTERNAL DNS RESILIENCY AND PERFORMANCE

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

Network Working Group Request for Comments: Category: Best Current Practice October 2008

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Protecting Against DNS Cache Poisoning Attacks

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

COMPUTER NETWORK SECURITY

DNS. A Massively Distributed Database. Justin Scott December 12, 2018

DENIAL OF SERVICE ATTACKS

DNS & Iodine. Christian Grothoff.

THE AUTHORITATIVE GUIDE TO DNS TERMINOLOGY

(Distributed) Denial-of-Service. in theory and in practice

UDP-based Amplification Attacks and its Mitigations

Network Security. Thierry Sans

TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND

Intended status: Best Current Practice Expires: February 12, S. Krishnaswamy. Parsons. August 11, 2016

Internet2 DDoS Mitigation Update

Chapter 2 Application Layer. Lecture 5 DNS. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Memcached amplification: lessons learned. Artyom Gavrichenkov

Technical White Paper June 2016

Stratum Filtering for DDoS Resilient Clouds

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Closed book. Closed notes. No electronic device.

DNS Security. Ch 1: The Importance of DNS Security. Updated

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

How to Configure Route 53 for F-Series Firewalls in AWS

Comprehensive datacenter protection

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

CS Paul Krzyzanowski

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Best Practice - Protect Against TCP SYN Flooding Attacks with TCP Accept Policies

Protocol Layers, Security Sec: Application Layer: Sec 2.1 Prof Lina Battestilli Fall 2017

Domain Name System.

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Are You Fully Prepared to Withstand DNS Attacks?

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

Internet Engineering Task Force (IETF) Request for Comments: 7706 Category: Informational ISSN: November 2015

Imma Chargin Mah Lazer

Introducing the Global Site Selector

CSC 6575: Internet Security Fall 2017

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Distributed Denial of Service (DDoS)

Measuring the IPv6 Internet by active DNS and HTTP measurements (work in progress)

How to Configure DNS Sinkholing in the Firewall

Fixing URL-based Redirect Errors for AWS Route 53 and S3

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Chapter 8 roadmap. Network Security

Configuring DNS. Finding Feature Information

Super Fast Packet Filtering with ebpf and XDP Helen Tabunshchyk, Systems Engineer, Cloudflare

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Check Point DDoS Protector Simple and Easy Mitigation

Memcached amplification: lessons learned. Artyom Gavrichenkov

Homework 3 1 DNS. A root. A com. A google.com

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

network security s642 computer security adam everspaugh

Application Layer. Applications and application-layer protocols. Goals:

Denial of Service Protection Standardize Defense or Loose the War

Domain Name System (DNS) Session-1: Fundamentals. Joe Abley AfNOG Workshop, AIS 2017, Nairobi

Homework Problems. 1. Stallings Problem 2.4 from the Problems section, not the Review Questions. 2. Stallings Problem 2.7.

Agenda. Review DNS Fundamentals DNS Security Summary 1/22

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

Transcription:

DDoS on DNS: past, present and inevitable Töma Gavrichenkov <ag@qrator.net>

DNS DDoS types Volumetric: amplification, other floods Water torture and the likes

DNS DDoS problem statement DNS is built on top of UDP*, and a DNS request fits in a packet The structure of a DNS query is simple

DNS lookup 10:00:34.510826 IP (proto UDP (17), length 56) 192.168.1.5.63097 > 8.8.8.8.53: 9508+ A? facebook.com. (30) 10:00:34.588632 IP (proto UDP (17), length 72) 8.8.8.8.53 > 192.168.1.5.63097: 9508 1/0/0 facebook.com. A 31.13.72.36 (45)

DNS DDoS problem statement DNS is built on top of UDP*, and a DNS request fits in a packet The structure of a DNS query is simple An attacker capable of generating spoofed queries will make a userspace DNS application process all those fake requests, rendering a DNS server unavailable L7-wise.

Water torture An attacker capable of generating spoofed queries will make a userspace DNS application process all those fake requests, rendering a DNS server unavailable L7-wise. This is what happened in October 2016 with Dyn.

DNS DDoS problem statement An attacker capable of generating spoofed queries will make a userspace DNS application process all those fake requests, rendering a DNS server unavailable L7-wise. Luckily, DNS protocol allows switching to TCP, and in TCP, we have a handshake to verify the source IP address, hence, blocklists apply. Though, enough bandwidth and inspection power is required

Typical DNS Server RX/TX: low* Request rate: low* Load average: low* * when compared to HTTPS servers, of course

Distributed Denial of Service: DNS L2-L3: Gigabits of traffic L7: typical HTTP request rate An average botnet is ready to bring an HTTPS server down Most of the time, DNS servers are not capable of handling the same load

A good news! A DNS response gets cached on resolvers! Which means that, even while the authoritative server is down, it ll be served for a while.

A good news! A DNS response gets cached on resolvers! Which means that, even while the authoritative server is down, it ll be served for a while. Q: How long does it take for the cache to expire?

Caching at resolvers DNS RR TTL Two possible caveats: Do resolvers reduce TTL? Do resolvers ignore TTL values less than X?

Observation 1: Measuring Global DNS Propagation Times Using RIPE Atlas https://ripe77.ripe.net/ presentations/ 50-Measuring-DNS- Propagation-Times- RIPE-77.pdf Resolvers reduce TTL in numerous ways

Observation 2: An In-Depth Look at the Dropbox EDGE Network https://blogs.dropbox.com/tech/2018/10/dropbox-traffic-infrastructureedge-network/ myriad embedded devices: from video cameras to smart fridges DNS TTL is a lie

Putting it together Our best hypothesis so far: Recursive resolvers either stick to TTL or reduce it Which is no wonder: they may get e.g. power cycled Stub resolvers ignore the concept of TTL completely At least some of them E.g. IoT devices may resolve a domain name on boot and remember it until power-off

Some stub resolvers ignore the concept of TTL completely We can set TTL to comparatively low values only if we know our stub resolvers well! Recursive resolvers either stick to TTL or reduce it We can set TTL to quite high values and serve data from cache even if the authoritative is down!

TTL Guidance We can set TTL to comparatively low values only if we know our stub resolvers well! Browsers, OS caches, mobile devices, This is by the way the only case which allows for an on-demand DDoS mitigation We can set TTL to quite high values and serve data from cache even if the authoritative is down! How reliable is that?

Observation 3: Dissecting DNS Defenses During DDoS https://www.isi.edu/ ~johnh/papers/ Moura18b.pdf 35%-70% of clients are served

Serve stale? https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale If the authority for the data is unavailable when attempting to refresh the data past the given interval, the record MAY be used as though it is unexpired + EDNS option for better signaling Works well for popular sites and applications Less popular ones: may try to populate caches?

Recommendations for Authoritative Servers Operators https://tools.ietf.org/html/ draft-moura-dnsop-authoritative-recommendations Routing policies may be different under normal conditions and under a DDoS attack Purposefully degraded resolvers ( lightning rods ) were useful in mitigating the 2015 root server DDoS Though this affects general availability Two sets of DNS servers? A) Low latency, B) Anycast? In case of an attack, servers of class A may just be brought down

Q&A mailto: Töma Gavrichenkov <ag@qrator.net>

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback