Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Similar documents
Check Point DDoS Protector Simple and Easy Mitigation

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Check Point DDoS Protector Introduction

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Imperva Incapsula Product Overview

DDoS Detection&Mitigation: Radware Solution

Basic Concepts in Intrusion Detection

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Fregata. DDoS Mitigation Solution. Technical Specifications & Datasheet 1G-5G

Chapter 7. Denial of Service Attacks

Use Cases. E-Commerce. Enterprise

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Inline DDoS Protection versus Scrubbing Center Solutions. Solution Brief

Are You Fully Prepared to Withstand DNS Attacks?

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

haltdos - Web Application Firewall

Comprehensive datacenter protection

A10 DDOS PROTECTION CLOUD

Our Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II

Security Whitepaper. DNS Resource Exhaustion

August 14th, 2018 PRESENTED BY:

Security+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

DDoS on DNS: past, present and inevitable. Töma Gavrichenkov

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Intelligent and Secure Network

TOLLY. Radware, Inc. Radware, Inc. commissioned. DefensePro Test Summary. Throughput Benchmark and Attack Mitigation Evaluation.

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See

Corrigendum 3. Tender Number: 10/ dated

Denial of Service (DoS)

DDoS Protection in Backbone Networks

HOW TO CHOOSE A NEXT-GENERATION WEB APPLICATION FIREWALL

Rethinking Perimeter Security: New Threats Require Real-Time Protection A DefensePro Technology Paper By Avi Chesla - VP, Security & Management

Automating Security Response based on Internet Reputation

CSE 565 Computer Security Fall 2018

A proposal of a countermeasure method against DNS amplification attacks using distributed filtering by traffic route changing

Attack Prevention Technology White Paper

Security Annex for DDoS Additional Terms for DDoS Protection

War Stories from the Cloud Going Behind the Web Security Headlines. Emmanuel Mace Security Expert

Computer Security: Principles and Practice

Chapter 10: Denial-of-Services

EFFECTIVE SERVICE PROVIDER DDOS PROTECTION THAT SAVES DOLLARS AND MAKES SENSE

DefensePro. Release Notes

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Cisco Service Control Service Security: Outgoing Spam Mitigation Solution Guide, Release 4.1.x

Denial of Service and Distributed Denial of Service Attacks

Mobile LOIC Counter Measures

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

Yuri Gushin & Alex Behar

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

CSE 565 Computer Security Fall 2018

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

COMPUTER NETWORK SECURITY

TESTING DDOS DEFENSE EFFECTIVENESS AT 300 GBPS SCALE AND BEYOND

Attack Fingerprint Sharing: The Need for Automation of Inter-Domain Information Sharing

SmartWall Threat Defense System - NTD1100

RSA INCIDENT RESPONSE SERVICES

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

BIG-IP otse vastu internetti. Kas tulemüüri polegi vaja?

IronPort C100 for Small and Medium Businesses

(Distributed) Denial-of-Service. in theory and in practice

IBM Cloud Internet Services: Optimizing security to protect your web applications

Marshal s Defense-in-Depth Anti-Spam Engine

DOMAIN NAME SECURITY EXTENSIONS

WHITE PAPER Hybrid Approach to DDoS Mitigation

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

BIG-IP Application Security Manager : Implementations. Version 13.0

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

TCP/IP Networking. Training Details. About Training. About Training. What You'll Learn. Training Time : 9 Hours. Capacity : 12

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Multi-vector DDOS Attacks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

IP Reputation Exchange security research

BUILDING A NEXT-GENERATION FIREWALL

Large-scale DNS. Hot Topics/An Analysis of Anomalous Queries

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

II. Principles of Computer Communications Network and Transport Layer

HP High-End Firewalls

Cisco Firepower with Radware DDoS Mitigation

Cloudflare Advanced DDoS Protection

DNS Review Quiz. Match the term to the description: A. Transfer of authority for/to a subdomain. Domain name DNS zone Delegation C B A

Protect vital DNS assets and identify malware

FIREWALL BEST PRACTICES TO BLOCK

CIS 551 / TCOM 401 Computer and Network Security

Configuring Access Rules

Single Network: applications, client and server hosts, switches, access links, trunk links, frames, path. Review of TCP/IP Internetworking

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

Intrusion Detection - Snort

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

Transcription:

Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper

Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges of Protecting DNS DDoS Attacks...5 Radware Solution for DNS DDoS Attacks...5 DefensePro Meets the Challenges of DNS DDoS Mitigation Tools...8 Summary - The World s Best Mitigation Tool for DNS DDoS Attacks...9 Smart Network. Smart Business. 2

Introduction DNS is a critical infrastructure of the Internet as every web transaction involves a DNS service provided by the Internet service provider. A successful attack against DNS services that manages to disrupt these services will halt all other Internet-based services. Although carriers and service providers provision various mitigation tools, the current DNS infrastructure is still vulnerable and is subject to an increasing variety of attacks that are becoming ever more sophisticated and difficult to mitigate. Therefore, securing DNS service requires rethinking on perimeter security with dedicated tools to identify and mitigate these new breed of attacks on DNS services. This paper outlines the recent DDoS attacks on DNS services and the challenges of mitigating those attacks. It presents Radware s DDoS DNS attack mitigation solution and its unique differentiators that make it the world best mitigation tool for DNS service attacks. DNS DDoS Attacks are Growing and Evolving DNS is a carrier and service provider critical to the infrastructure as every web transaction involves a DNS query for name-to-ip-address resolution prior to accessing the requested website. Degrading, or even shutting down the DNS service of a service provider, has an immediate impact on Internet-based services, and it can result in eliminating legitimate users from accessing the Internet. Attackers understand that service providers take security measurements to protect their DNS infrastructure and therefore, they generate more sophisticated attacks with increased impact on the service. This section discusses the recent attack techniques deployed by attackers aiming to disrupt the DNS service: DNS Flood Attack - Utilizing multiple sources of compromised computers, called Botnets, the attacker generates a distributed, volumetric denial of service attack that floods the DNS servers. Since DNS service is typically carried over UDP, it is more vulnerable to volumetric attacks. According to the DNS standard, the DNS servers process every request, which results in a DNS servers overload. This behavior allows the attacker to successfully compromise DNS service, utilizing a surprisingly small amount of Botnets. IRC Servers Bot (Infected Host) Bot (Infected Host) DNS Query Misuse of Service Resources BOT Command DNS Query Bot (Infected Host) DNS Query Attacker Bot (Infected Host) DNS Query DNS Server Smart Network. Smart Business. 3

DNS Amplification Attack - A standard DNS request is natively smaller than the DNS reply. In a DNS amplification attack, the attacker carefully selects a DNS query that results in a lengthy reply that is up to 80 times longer than the request. This results in an increased load on the DNS servers, compared to the regular DNS flood attacks. DNS Recursive Attack This is an attack amplification method of DNS flood attacks, where the attacker generates a distributed, volumetric denial of service attack that floods the DNS servers. However, in this attack, the attacker turns on the recursive flag within the DNS query packet. When the recursive flag is turned on, it forces the DNS server to perform the name resolution itself, rather than redirecting the request to another server, and to reply to the sender with the resolution. In a DNS recursive attack, the attacker slightly changes the requested domain name in every DNS query so that the DNS server would not be able to reply with a cached result, forcing the server to lookup for the domain name multiple times. This results in a severe load on the DNS service, until it s not available for legitimate users. 4. Legitimate users cannot receive service from DNS servers 3. Root name servers are overloaded with requests legitimate users root name servers Internet 1. Botnets generate DNS requests with recursive flag on Botnets ISP DNS servers 2. DNS servers send every request to the root name servers and wait for reply Diagram of DNS Recursive Attack Smart Network. Smart Business. 4

Challenges of Protecting DNS DDoS Attacks As described above, DDoS attacks on DNS servers become more complicated to mitigate, and today s attack mitigation tools must be able to meet unique challenges in order to successfully block DNS attacks: Mitigation tools must have deep knowledge of DNS traffic behavior Sophisticated attackers take advantage of the DNS protocol behavior in order to generate more powerful attacks with greater potential to hurt the DNS service, such as the DNS recursive attack. To mitigate such attacks, every single field in the DNS protocol must be carefully analyzed, utilizing a deep knowledge of the DNS protocol, and solid understanding of DNS traffic behavior. Mitigating high rate of DNS packets DNS DDoS attacks involve a large volume and high rate of flood packets. The mitigation device must be able to process a high volume of traffic, usually several million packets per second,in order to block all attack packets, while still providing enough bandwidth to process legitimate DNS traffic. Accurate Mitigation Failure to distinguish between legitimate DNS traffic and attack DNS traffic results in false positives, for example, legitimate users who cannot access any Internet service. The impact of false positives on the Internet service provider is significant, including reputation degradation and loss of revenues. Therefore, today s mitigation tools must be accurate, and provide service to legitimate users even under attack. Provide best quality of experience, even under attack In addition to mitigation accuracy, the mitigation tools are required to continue and provide best quality of experience to legitimate users, even under attack. This requires a very low latency from the mitigation tools and the ability to provide a device that is based on hardware engines and accelerators, rather than a software-only based device. Radware Solution for DNS DDoS Attacks The Radware solution for DDoS DNS attacks is based on its DNS flood attacks protection feature, part of Radware s renowned Behavioral DoS module in its DefensePro product line. The DNS attack mitigation solution can be divided into three phases: the detection phase, creating a real-time signature phase, and the mitigation phase. DNS QPS A records base line MX records base line PTR records base line AAAA records base line Rate Analysis per DNS Query Type TIME Rate analysis per DNS query type Smart Network. Smart Business. 5

Detection Phase During the detection phase, DefensePro monitors all inbound DNS traffic on UDP port 53 and learns the baseline of normal DNS traffic behavior. For each DNS query, it updates the baselines per query type, query rate, and rate invariant as well as its relative share among all DNS queries. The DNS attack mitigation continuously generates a degree-of-attack score, using a fuzzy-logic 1 engine. The fuzzy logic module is a multi-dimension decision engine that detects attacks in real-time, based on evaluation of real-time network data with current baselines. When the degree of attack score exceeds the value that is considered as an attack, the system moves to the mitigation phase. VOIP Mail (SMTP worms, spam outbreak) TEXT records SRV/NAPTR MX records Other records A records AAAA records DNS query distribution analysis Query floods PTR records IPv6 Query floods Recursive query floods Creating Real-Time Signature To successfully mitigate a DDoS DNS attack, DefensePro creates an automatic, real-time signature that blocks the DNS DDoS attack without any human interaction. Using samples of real-time traffic that deviates from the baseline traffic, DefensePro is looking for characteristic parameters of the ongoing anomaly in the suspicious traffic. The following parameter types, as well as others, are analyzed by the automatic signature creation module: Packet checksums Packet size Packet Identification number TTL (Time to Live) Fragment offset Source IP address Destination IP address Ports numbers DNS Qname domain name DNS Query ID query identification number DNS Query count (Qcount) Once the values of these parameters are flagged as abnormal, the system creates a real-time signature based on the suspicious parameters, and it activates a signature optimization mechanism called the closed-feedback loop. The closed-feedback module is responsible for creating the narrowest, but still effective, signature-blocking rule. Each one of the suspicious flagged parameters can include multiple values, detected by the automatic signature generation mechanism. The closed-feedback module knows how to tailor these values through AND/OR logical relationships. The more AND logical relationships are constructed between different values and parameter types, the more accurate and narrow the blocking signature rule is considered to be. In order to create the logical relationship rules between the detected signature values, the closed-feedback module uses the following feedback cases: Positive feedback: The traffic anomaly was reduced as a result of the decided blocking signature rules created by the module, the system continues to use the same action and tailors more attack characteristic parameters (i.e., signature types and values), through as many AND logical relationships as possible. 1 To read more on Radware s Fuzzy Logic engine, download: http://www.radware.com/thank_you_download.aspx?id=5557 Smart Network. Smart Business. 6

Negative feedback: This means that the degree of traffic anomaly was not changed, or was increased. The system stops using the last blocking signature rules and continues to search for more appropriate ones. Attack stopped feedback: If the attack stops, then the system will stop all countermeasures immediately (i.e., remove the signature rule). The real-time signature is applied to suspicious traffic in the next phase. Mitigation Phase During the mitigation phase, DefensePro utilizes the real-time signature to detect suspicious sources of the DNS attack and it performs the following escalation steps to stop the attack: Escalation #1: Signature based Challenge DefensePro challenges DNS A and AAAA queries that match the realtime signature. The purpose of the challenge is to distinguish between legitimate traffic created by legitimate users, and DoS traffic generated by Botnets. Escalation #2: Signature based If after escalation #1, the closed feedback module still reports that the attacks continues, DefensePro performs another escalation, which is to limit the rate of DNS traffic that matches the real-time signature. Escalation #3: Collective Challenge The next escalation step is to challenge all DNS A and AAAA queries traffic, not only from the suspicious sources, but from all users. Again, the purpose of this challenge is to distinguish between legitimate traffic created by legitimate users and DoS traffic generated by Bbotnets. Escalation #4: Collective If the attack continues, the last resort and the last escalation steps is to perform rate limit on all DNS traffic according to the defined maximal query rate. DNS Challenge and the Selective Discard Mechanism As described above, during the escalation steps, DefensePro challenges the DNS sources to verify that they are legitimate users rather than attackers. The challenge is activated on query types A and AAAA, and it is based on RFC definitions. During the challenge, DefensePro ignores the first packet that it receives from a DNS source. According to the DNS standard, a new DNS packet should be retransmitted within limited timeslot containing the same Qname. To issue challenges and to verify that the DNS source response to the challenges, DefensePro uses a statistical table and function, which is called the Selective Discard Mechanism (SDM). Each entry in the SDM table receives a score for each query reaching the table. When a source answers the challenge correctly, its score increases and then gets listed in the internal DNS authentication table. When a source fails to answer a challenge correctly, its score decreases. To minimize the impact on user experience, while challenge operations are being conducted, the protection module uses an authentication table, which stores for a specified period, the source IP addresses that responded properly to the challenge. To avoid misclassification of proxy devices, either as legitimate or as attacking entities, the SDM reduces source scores with each new query that reaches the module and is not challenged. When the score of a source falls below a certain score, it will be challenged again. A proper response to the challenge will raise the source s score and the next few queries from it will not be challenged. Smart Network. Smart Business. 7

Botnet is identified (suspicious traffic is detected) Attack Detection Real-Time Signature Created Signature Challenge Actions Signature Challenge Actions RFC Compliance Checks DNS Challenge Signature Challenge Behavioural Real-Time Signature Technology RT Signature Scope Protection Challenge/Response & Blocking Challenge/Response DNS Challenge/Response & Action Escalation System Diagram: DefensePro 3 phases of DNS attack mitigation DefensePro Meets the Challenges of DNS DDoS Mitigation Tools As described above, there are several very unique challenges that DNS DDoS mitigation tools must meet in order to efficiently and successfully block attacks. DefensePro is the industry-first DNS DDoS mitigation device that meets all these unique challenges: Mitigation tools must have deep knowledge of DNS traffic behavior DefensePro understands DNS traffic and learns it normal behavior continually, so it immediately identifies abnormal DNS traffic. Moreover, DefensePro analyzes every field in DNS traffic to identify abnormal packets and to create its real-time signatures with high accuracy. Mitigating high rate of DNS packets Utilizing its DoS Mitigation Engine (DME), a network processor-based hardware accelerator, DefensePro can challenge 2M DNS queries per second and to process up to 12 million packets per second of attack traffic. The attack traffic does not affect DefensePro capabilities to handle legitimate traffic and it can handle multi-gigabits of legitimate throughput traffic under attack. Smart Network. Smart Business. 8

Mitigation accuracy With unique DNS challenges and accurate analyzing of DNS traffic behavior, DefensePro provides a very accurate distinction between legitimate DNS traffic and attack DNS traffic results, with minimal false positives. This enables the service provider to continue to serve its legitimate users, even under severe attack. Provide best quality of experience, even under attack DefensePro has a unique architecture that is based on several hardware engines and accelerators that guarantee a minimum latency to all processed traffic, and especially to the legitimate traffic. The DNS challenges that are described above are applied by the real-time signature only to suspected sources of attack traffic. This guarantees a best quality of experience to legitimate Internet users, even under attack. Summary - The World s Best Mitigation Tool for DNS DDoS Attacks DefensePro is the world s best mitigation tool for DNS DDoS attacks, as it provides a unique set of patented tools and challenges to successfully mitigate sophisticated, yet volumetric, DNS DDoS attacks. DefensePro not only blocks the attacks, but also provides the best quality of experience to legitimate users during the attack, thanks to its accurate distinguish between attackers and legitimate users. With its unique detection and mitigation phases and the four escalation steps, DefensePro provides the industryfirst complete solution for blocking DNS DDoS attacks from hurting the DNS critical infrastructure. 2013 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Smart Network. Smart Business. 9 PRD-DP-DNS-Solution-WP-02-2013/05-US

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback