(DNS, and DNSSEC and DDOS) Geoff Huston APNIC

Similar documents
Re-engineering the DNS One Resolver at a Time. Paul Wilson Director General APNIC channeling Geoff Huston Chief Scientist

CSE 565 Computer Security Fall 2018

August 14th, 2018 PRESENTED BY:

Your projected and optimistically projected grades should be in the grade center soon o Projected: Your current weighted score /30 * 100

Rolling the Root KSK. Geoff Huston. APNIC Labs. September 2017

Quad9: A Free, Secure DNS Resolver. Nishal Goburdhan Internet Infrastructure Analyst Packet Clearing House

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

How we measure IPv6. Geoff Huston, Joao Damas George Michalson APNIC. George Michaelson. Geoff Huston. Joao Damas. APNIC Labs

HP High-End Firewalls

(Distributed) Denial-of-Service. in theory and in practice

The ISP Column A column on things Internet. Three DNS articles: 1. DDOS and the DNS. Geoff Huston November 2017

Introduction to Network. Topics

A Question of Protocol

Cloudflare Advanced DDoS Protection

UDP-based Amplification Attacks and its Mitigations

Chapter 7. Denial of Service Attacks

Threat Pragmatics. Target 6/19/ June 2018 PacNOG 22, Honiara, Solomon Islands Supported by:

DNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

The ISP Column A column on things Internet. Three DNS articles: 3. Helping Resolvers to help the DNS. RFC8192 Aggressive NSEC Caching

Are You Fully Prepared to Withstand DNS Attacks?

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

IPv6: Are we really ready to turn off IPv4? Geoff Huston APNIC

2008 DNS Cache Poisoning Vulnerability Cairo, Egypt November 2008

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

The Protocols that run the Internet

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CSC 6575: Internet Security Fall 2017

CSC 574 Computer and Network Security. DNS Security

Security Whitepaper. DNS Resource Exhaustion

IPv6: Are we really ready to turn off IPv4?

DOMAIN NAME SECURITY EXTENSIONS

Denial of Service and Distributed Denial of Service Attacks

Improving DNS Security and Resiliency. Carlos Vicente Network Startup Resource Center

Some DNSSEC thoughts. DNSOPS.JP BOF Interop Japan Geoff Huston Chief Scientist, APNIC June 2007

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

FRNOG 25 Meeting: BIND9 Recursive Client Rate limiting

Internet Engineering Task Force (IETF) Request for Comments: Category: Best Current Practice ISSN: March 2017

Exit from Hell? Reducing the Impact of Amplification DDoS Attacks Marc Kührer, Thomas Hupperich, Christian Rossow, and Thorsten Holz

SYN Flood Attack Protection Technology White Paper

DDoS attack patterns across the APJ cloud market. Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

HP High-End Firewalls

Memcached amplification: lessons learned. Artyom Gavrichenkov

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

DNSSEC Deployment Issues

BIG-IP DNS Services: Implementations. Version 12.0

The Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Dan Boneh, John Mitchell, Dawn Song. Denial of Service

CS 161 Computer Security

BIG-IP DNS Services: Implementations. Version 12.1

Denial of Service. Eduardo Cardoso Abreu - Federico Matteo Bencic - Pavel Alexeenko -

Who s Asking? Geoff Huston, Joao Damas APNIC. Roy Arends ICANN

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Measuring the effects of DNSSEC deployment on query load

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder. System and Network Engineering July 2014

DDoS Beasts and How to Fight Them. Artyom Gavrichenkov

USING TRANSACTION SIGNATURES (TSIG) FOR SECURE DNS SERVER COMMUNICATION

DNS Security Strategies

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

DNS Authentication-as-a-Service Preventing Amplification Attacks

AN TOÀN LỚP 4: TCP/IP ATTACKS NGUYEN HONG SON PTITHCM

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Memcached amplification: lessons learned. Artyom Gavrichenkov

Registry Vulnerabilities An Overview

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

SpaceNet AG. Internet Business Produkte für den Mittelstand. Produkt- und Firmenpräsentation. DENOG6, , Darmstadt

ICANN and Technical Work: Really? Yes! Steve Crocker DNS Symposium, Madrid, 13 May 2017

Enterprise D/DoS Mitigation Solution offering

DNS Anycast Statistic Collection

DDoS made easy. IP reflection attacks for fun and profit. Gert Döring, SpaceNet AG, München. DECIX/ECO security event,

TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND

Closed book. Closed notes. No electronic device.

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

DNS(SEC) client analysis

DNS SECURITY BEST PRACTICES

CS 161 Computer Security

CS Paul Krzyzanowski

Capability Analysis of Internet of Things (IoT) Devices in Botnets & Implications for Cyber Security Risk Assessment Processes (Part One)

Putting it all together

Computer Security. 11. Network Security. Paul Krzyzanowski. Rutgers University. Spring 2018

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

Denial of Service (DoS)

DDoS MITIGATION BEST PRACTICES

Background Traffic to Quarantined Network Blocks administered by APNIC

Trends in IoT DDoSbotnets

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

DNS Attacks. Haythem EL MIR, CISSP CTO, NACS

DNSSEC: what every sysadmin should know to keep things working

That KSK Roll. Geoff Huston APNIC Labs

Update on experimental BIND features to rate-limit recursive queries

DNSSEC operational experiences and recommendations. Antti Ristimäki, CSC/Funet

Transcription:

D* (DNS, and DNSSEC and DDOS) Geoff Huston APNIC

How to be bad 2

How to be bad Host and application-based exploits abound And are not going away anytime soon! And there are attacks on the Internet infrastructure itself These attacks don t compromise a service, but are intended to totally overwhelm the service or the local network such that nothing works! 3

How to be bad SYN TCP-based DDOS attacks: TCP SYN flooding attacks Try and exhaust the server s resources by saturating the server with TCP SYN packets Can be circumvented at the server with the use of SYN cookies This attack was effective when servers allocated memory for a TCP process control block upon receipt of the first TCP SYN packet. SYN cookies change the server behaviour to pass the initial server state to connecting client within the initial TCP sequence number, and no state is retained on the server. 4

How to be badder SYN SYN+ACK TCP-based DDOS attacks: TCP SYN/ACK reflection attacks Use a spoofed source address in the initial SYN packet The server s SYN/ACK response will be directed to the victim s address This has limited attack leverage because the SYN and SYN/ACK packets are the same length SYN/ACK packets do not reserve state at the victim they normally just generate a RST, if anything at all Widespread use of BCP38 filters would limit the extent to which course address spoofing is possible Reflection attacks without amplification are of limited use! 5

How to be more bad UDP-based DDOS attacks: UDP is far easier to use for a DDOS attack Use a bot army to send UDP packets directly to a UDP-based server Or use spoofed sources to generate a reflection / amplification attack There are a number of cases in UDP applications where the response can be far larger than the query: SNMP, NTP, chargen, finger, DNS Reflection/Amplification attacks can transform a small query UDP stream into a massive response stream This has far more potential than TCP-based attacks! 6

How to be most bad UDP-based DDOS attacks: If you are going to use UDP then the DNS is the obvious weapon of choice: Highly suitable for amplification attacks Universally supported, and often permitted through firewalls Promiscuous servers that will attempt to respond to every query Individual responses are readily discarded by the victim, so the attack is useful only effective in very high volume the attack is a form of resource starvation of the network in the region around the victim In this case the victim is usually a DNS name server 7

Don t overthink it! Attacks don t need to extent any more effort than necessary Simple attack forms are more effective than complex ones Code injection is complex so even source address spoofing is harder to install on enlisted bots than simple scripted commands Attacks will stick to simple scripted commands where possible it s a whole lot easier than pulling in an extended hack library for a bunch of potential platforms Do what normal traffic does That way there is no clear signal of an attack traffic profile

Simple Works!

The DNS If you want to cause maximal impact then attacking the DNS is a logical choice Every application uses the DNS It is want to disrupt users and the apps that they run then you need to turn to the DNS and try and disrupt the DNS If you want to be maximally ambitious, then attack the root itself Why would one attack the root of the DNS?

Resolving a DNS Name Your resolver needs need to ask a DNS server for the zone that contains the terminal label for the associated information (resource record) associated with the DNS name But Where exactly is the zone cut? Who are the servers? Resolvers discover this information by performing a top-down iterative search

How to be bad Every DNS resolution procedure starts with a query to the root! If an attacker could prevent the root servers from answering DNS queries then the entire Internet will suffer! 12

It s no surprise that the DNS Root Servers are a highly visible attack target 13

If you can prevent resolvers from getting answers from the root then the resolvers will stop answering all queries as their local cache expires It s no surprise that the DNS Root Servers are a highly visible attack target 14

If you can prevent resolvers from getting answers from the root then the resolvers will stop answering all queries as their local cache expires It s no surprise that the DNS Root Servers are a highly visible attack target 15

If you can prevent resolvers from getting answers from the root then the resolvers will stop answering all queries as their local cache expires It s no surprise that the DNS Root Servers are a highly visible attack target 16

Caching in the DNS The main role of the DNS server system is to answer queries that are not cached in local name caches If it wasn t for caching the DNS would not be here today!

How to be bad To attack a name s servers you need to get past DNS resolvers caches. This means you need to have every query in the DNS attack flow ask for a different non-existent name So how can we defend ourselves from attack? 18

How should we defend the DNS? Larger Server platforms? More Authoritative Servers? More Anycast Instances? Change Server response behaviours? Or 19

How should we defend the DNS? Larger Server platforms? Can t scale * More Authoritative Servers? More Anycast Instances? Change Server response behaviours? Or * Distributed parallel attacks can scale up in intensity more effectively than a single point of service can scale its defence mechanisms 20

How should we defend the DNS? Larger Server platforms? Can t scale * More Authoritative Servers? Err, umm well no * More Anycast Instances? Change Server response behaviours? Or Longer lists of servers for a name make name resolution slower, not faster. So its probably a bad idea 21

How should we defend the DNS? Larger Server platforms? More Authoritative Servers? More Anycast Instances? Change Server response behaviours? Or Can t scale * Err, umm well no * Today s practice for many hosted DNS servers 22

How do we defend the DNS today? As the traffic levels to DNS servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds and spend more money on deploying larger and more distributed servers

The attacks get bigger 24

Our defence is to build bigger walls! 25

But the attackers are our own recursive resolvers! We are scaling the DNS root server infrastructure in order to be resilient against floods of queries about nonexistent random names coming from the existing DNS resolvers, who are scaling their own capabilities to survive the very same query attacks that are being directed against them! 26

How do we defend the DNS today? As the traffic levels to DNS servers increases both as steady state query levels and instances of attacks, we keep on adding more instances to the existing anycast clouds and spend more money on deploying larger and more distributed servers What we are in effect doing is building ever bigger and larger trash processors to handle ever larger amounts of garbage queries to cope with ever larger attacks via the DNS!

How do we defend the DNS today? Can we jump out of this vicious cycle? Can we change the behaviour of the DNS system to improve both its service and its resilience?

DNSSEC changes Everything Before DNSSEC we relied on the assumption that if we asked an IP address of a root server, then the response was genuine With DNSSEC we can ask anyone, and then use DNSSEC validation to assure ourselves that the answer is genuine How can we use this?

Caching NXDOMAIN If we could answer NXDOMAIN queries from recursive resolvers we could reduce the load on the DNS servers For the root zone we ve measured this to be close to 70% NXDOMAIN would be a very significant win: reducing root query traffic providing faster response to these queries reduces the local cache load on recursive resolvers

NSEC caching RFC 8198 A DNSSEC-signed NXDOMAIN response actually describes a range of labels that do not exist, and it s the range that is signed, not the actual query name If resolvers cached this range and the signed response, then they can use the same signed response to locally answer a query for any name that falls within the same label range

NSEC caching For example, if you were to query the root server for the non-existant name www.example. the returned response from the root says that there are NO TLDS between everbank. and exchange. The same response can be used to respond to queries for every TLD between these labels. So we can cache this range response and use it to respond to subsequent queries that fall into the same range 32

Architecturally speaking Rather than have recursive resolvers act as amplifiers for DNS queries for non-existent names, NSEC caching enlists these recursive resolvers to act on behalf of the zone s authoritative servers, and provide the answers for them. This approach uses existing DNS functionality and existing queries there is nothing new in this. The change here is to take advantage of the use of the NSEC response to define a range of names, allowing what is in effect semi-wildcard cache entries that can be used to respond to a range of query labels 33

Impacts Rather than trying to expand the capabilities of the root zone servers, we can leverage the massive number of already deployed recursive resolvers to extend their cache to cover both defined and non-existant root labels We anticipate that this will have a major effect on the DNS by absorbing most of the current root query load at the edge, rather than passing these queries into the root system 34

Impacts Its not just the Root Zone its all signed zones This is a general approach that also provides the same level of projection to other servers in the DNS from the same form of random name query attack 35

Impacts NSEC caching can also help recursive resolvers: Instead of caching non-existent individual names they can cache the NSEC-described range, and refresh the cached NSEC record instead of any individual name This will shrink the demands placed on the local cache, which can improve local cache performance in the recursive resolver 36

There is no silver bullet for DNS DDOS But we can take incremental steps to decrease the effectiveness of some of these DNS DDOS attacks BCP38 source address filtering reduces the ability to mount DNS reflection / amplification attacks that leverage open DNS resolvers Shutting down open DNS resolvers would be good too! DNSSEC zone signing, coupled with resolver DNSSEC validation and resolver use of NSEC caching reduces the effectiveness of various forms of random name DNS query attacks

There is no silver bullet for DNS DDOS But we can take incremental steps to decrease the effectiveness of some of these DNS DDOS attacks BCP38 source address filtering reduces the ability to mount DNS reflection / amplification attacks that leverage open DNS resolvers Shutting down open DNS resolvers would be good too! DNSSEC zone signing, coupled with resolver DNSSEC validation and resolver use of NSEC caching reduces the effectiveness of various forms of random name DNS query attacks APNIC has sponsored the inclusion of this NSEC caching code in the forthcoming Bind 9.12 release. This function will be enabled by default in this release

So, we can improve this situation! But to do that, we all need to take some steps here

So, we can improve this situation! But to do that, we all need to take some steps here How well is New Zealand DNS infrastructure doing with this?

DNSSEC in New Zealand That s impressive!

DNSSEC in New Zealand Count of DNSSEC signed zones in.nz Data Source: idp.nz

DNSSEC in New Zealand Relative Count of DNSSEC signed zones in.nz Yes, just 0.17% of names in.nz are DNSSEC-signed That s totally NOT impressive! Data Source: idp.nz

Thanks!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback