August 14th, 2018 PRESENTED BY:
APPLICATION LAYER ATTACKS
[Chart: share of application layer attacks by protocol, axis 0% to 100%]
DNS is the second most targeted protocol after HTTP. DNS DoS techniques range from: flooding requests to a given host; reflection attacks against DNS infrastructure; reflection / amplification attacks; DNS cache poisoning attempts.
"Cybercrime is a persistent threat in today's world and, despite best efforts, no business is immune." (Network Solutions)
TRADITIONAL DDoS MITIGATION
[Chart: mitigation techniques chosen by customers, axis 0% to 60%]
Of the customers that mitigate DDoS attacks, many choose a technique that inhibits the ability of DNS to do its job. DNS is based on UDP, and DNS DDoS often uses spoofed sources, so using an ACL blocks legitimate clients. DNS attacks use massive volumes of source addresses, breaking many firewalls.
Volumetric: brute force / flood attacks.
Protocol: crafted to sit inside the RFCs as valid requests with a different motive.
Malformed: designed to consume CPU and misuse resources.
Top 10 DNS Attacks
1. Phantom Domain Attacks
2. NX Domain Attacks
3. Random Subdomain Attacks
4. Lock Up Domain Attacks
5. Reflection Attacks
6. Amplification Attacks
7. DNS Tunneling Attacks
8. Malformed Packet Attacks
9. Cache Poisoning Attacks
10. UDP Flood Attacks
Attack: In a phantom domain attack, the DNS resolver is forced to resolve multiple phantom domains that have been set up as part of the attack. Phantom domains simply do not send responses, causing the server to consume resources while waiting for responses. Mitigation: BIG-IP will time out the connection and release the requests in the queue. Also, common requests to a domain name can be controlled by QPS per domain. This can be done with simple iRules.
Attack: In this attack, a flood of invalid requests causes a resolver's cache to fill up with NXDOMAIN results, slowing DNS for other users. The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result. Mitigation: These are valid requests, so identify IP addresses whose requests return NXDOMAIN and rate limit the number of requests per IP and globally. This is commonly done with an iRule.
[Diagram: attackers and web bots send <randomstring>.www.example.com and <anotherstring>.www.example.com through open resolvers to the target site; the random names do not exist while www.example.com exists, producing increased outbound NXDOMAIN and SERVFAIL responses]
Attack: In a random subdomain attack, the attacker commonly uses legitimate domains and tries to exhaust the number of outstanding concurrent DNS queries by flooding the DNS server with requests for multiple nonexistent domains using randomly generated subdomain strings. Mitigation: Can be mitigated via an iRule found here: https://devcentral.f5.com/wiki/irules.codeshare.ashx
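The per-IP and global NXDOMAIN rate check that the NX domain and random subdomain slides describe, written here as an added Python example rather than the F5 iRule the deck refers to. The log line format and the sample lines are constructed for the example; the thresholds are placeholders a deployment would tune.

```python
from collections import defaultdict

# Constructed sample resolver log lines: "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1534200000 198.51.100.7 www.example.com NOERROR
1534200000 203.0.113.9 k3jd9f.www.example.com NXDOMAIN
1534200001 203.0.113.9 a8s7df.www.example.com NXDOMAIN
1534200001 203.0.113.9 zz91qq.www.example.com NXDOMAIN
1534200002 203.0.113.9 p0o9i8.www.example.com NXDOMAIN
1534200002 198.51.100.7 mail.example.com NOERROR
1534200003 198.51.100.7 typo.example.com NXDOMAIN
1534200003 203.0.113.9 m3n4b5.www.example.com NXDOMAIN
"""

def parse_log(text):
    """Yield (ts, client, qname, rcode) tuples, skipping lines that do not fit the format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower().rstrip("."), rcode

def max_in_window(stamps, window):
    """Largest number of timestamps that fall within any span shorter than `window` seconds."""
    stamps = sorted(stamps)
    best = start = 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best

def nxdomain_offenders(text, window=10, per_ip_limit=3, global_limit=5):
    """Return (flagged_clients, global_exceeded).

    A client is flagged when it collects more than per_ip_limit NXDOMAIN answers
    inside one window; global_exceeded reports whether the resolver as a whole
    passed global_limit in one window (the slide's "per IP and globally").
    """
    per_client = defaultdict(list)
    all_nx = []
    for ts, client, _qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append(ts)
            all_nx.append(ts)
    flagged = sorted(c for c, stamps in per_client.items()
                     if max_in_window(stamps, window) > per_ip_limit)
    return flagged, max_in_window(all_nx, window) > global_limit
```

Flagged clients are candidates for a rate limit, not a block: a single typo from a legitimate client stays under the per-IP threshold.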
Attack: Deliberately slow resolvers and domains are set up by attackers to establish TCP-based connections with DNS resolvers that request a response. These malicious resolvers instead keep the victim server engaged with random packets. Mitigation: Connection management can be set on the resolver queue to expect responses within a defined time period (part of the DNS profile). In addition, protocol validation will remove all malformed packets at the interface so they're never processed.
[Diagram: attacker, web bots and open resolvers reflecting traffic toward Spamhaus]
Attack: A reflection attack was used against an anti-spam company called Spamhaus. The attacker was found to be a company called Cyberbunker. By spoofing Spamhaus's IP address, they were able to point nearly 300 gigs of traffic at them. Cyberbunker only used around a thousand bots to take Spamhaus down. Mitigation: Spamhaus hired Cloudflare to set up IP Anycast servers around Europe to spread the load.
[Diagram: attackers spoof the target site's address so that large responses from open resolvers land on the target]
By spoofing a UDP source address, attackers can target a common source. By requesting large record types (ANY, DNSSEC, etc.), a 36 byte request can result in a response over 100 times larger.
BIG-IP supports DNS type ACLs. Only allow DNS types you need to support. Drop all unsolicited responses (default behavior). Identify unusually high traffic patterns to specific clients via DNS DoS profiles.
Attack: A sophisticated attack is the amplification attack. The attacker researches what request will get the largest response. Some requests, like the ANY record type or a DNSSEC request, can yield responses 100 times larger. Once the query is chosen, the attacker spoofs the address of the target site and floods it with these responses. Mitigation: BIG-IP by default drops all unsolicited replies and allows custom DNS-type ACLs to only allow the types you need to support.
Attack: With DNS tunneling, another protocol is encapsulated in a DNS request/answer. This can be used with nearly any protocol the attacker wishes to carry, but is most commonly used for HTTP traffic. DNS tunneling software can easily be found on the Internet. Mitigation: RPZ can be utilized to block traffic to known endpoints, and an iRule can look for oversized return traffic.
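The two detection angles this slide names, an RPZ-style list of known endpoints and a check for oversized return traffic, combined with the label-shape heuristics that usually accompany them, as an added Python example that is not part of the deck or of any F5 product. The sample queries, the blocked zone `badzone.test` and the thresholds are constructed for the example.

```python
import math
from collections import namedtuple

Query = namedtuple("Query", "client qname qtype resp_bytes")

# Constructed RPZ-style list of zones known to host tunnel endpoints (placeholder name)
BLOCKED_ZONES = {"badzone.test"}

# Constructed sample queries, each with the size of the response it produced
SAMPLE = [
    Query("198.51.100.7", "www.example.com", "A", 76),
    Query("198.51.100.7", "mail.example.com", "MX", 120),
    Query("203.0.113.9", "aGVsbG8gd29ybGQgdGhpcyBpcyBkYXRh.t.badzone.test", "TXT", 1400),
    Query("203.0.113.9", "c2Vjb25kIGNodW5rIG9mIGRhdGEgaGVyZQ.t.badzone.test", "TXT", 1380),
    Query("198.51.100.8", "cdn3.example.com", "A", 90),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score far above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def tunnel_indicators(q, zone_labels=2):
    """Return the list of indicators this query trips (empty means it looks normal)."""
    labels = q.qname.lower().rstrip(".").split(".")
    zone = ".".join(labels[-zone_labels:])
    payload = ".".join(labels[:-zone_labels])  # everything below the registered zone
    reasons = []
    if zone in BLOCKED_ZONES:
        reasons.append("rpz-listed")
    if len(payload) > 30:
        reasons.append("long-subdomain")
    if shannon_entropy(payload.replace(".", "")) > 3.5:
        reasons.append("high-entropy")
    if q.qtype in ("TXT", "NULL", "CNAME") and q.resp_bytes > 512:
        reasons.append("oversized-response")
    return reasons

def suspicious_clients(queries, min_hits=2):
    """Clients that sent at least min_hits queries tripping two or more indicators."""
    hits = {}
    for q in queries:
        if len(tunnel_indicators(q)) >= 2:
            hits[q.client] = hits.get(q.client, 0) + 1
    return sorted(c for c, n in hits.items() if n >= min_hits)
```

Requiring two indicators on repeated queries keeps a single long CDN hostname or one large legitimate TXT answer from raising an alert.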
[Diagram: BIG-IP DNS processing path from clients: IPv4 / IPv6, TCP / UDP, Protocol Validation + ACL, then DNSSEC, iRules, GSLB, DNS Express, Caching Resolver and DNS64, then the DNS LB Pool and BIND]
The BIG-IP system drops malformed DNS packets, and allows you to configure how you track such attacks.
Attack: Malformed packets can be used as an attack. The attacker sends these malformed packets hoping to consume CPU cycles on the DNS server, limiting or completely interrupting its ability to answer legitimate queries. Mitigation: BIG-IP thwarts these attempts by using a protocol validation engine at the very beginning of the HUD filter. There is also configurable logging to allow the customer to track such attempts.
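What a protocol validation stage at the front of the path checks before a message reaches any resolver logic, as an added Python example; this is not BIG-IP's validation engine, only the RFC 1035 header and question checks that such a stage performs, with the validity reasons and the malformed sample messages constructed for the example.

```python
import struct

def build_query(qname, qtype=1, txid=0x1234):
    """Minimal standard query (RD=1) in RFC 1035 wire format; constructed test input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(label)]) + label.encode() for label in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)

def validate_query(msg):
    """Return (True, 'ok') or (False, reason) for a message arriving on the query path."""
    if len(msg) < 12:
        return False, "short-header"
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return False, "unsolicited-response"  # QR=1: a reply nobody asked for
    if qd != 1:
        return False, "bad-qdcount"
    pos, total = 12, 0
    while True:
        if pos >= len(msg):
            return False, "truncated-name"
        ln = msg[pos]
        if ln == 0:
            pos += 1
            break
        if ln >= 0xC0:
            return False, "compressed-qname"  # pointer in a single-question query
        if ln > 63:
            return False, "bad-label-length"  # 0x40-0xBF are reserved values
        total += ln + 1
        if total > 255:
            return False, "name-too-long"
        pos += 1 + ln
    if len(msg) < pos + 4:
        return False, "truncated-question"
    if len(msg) > pos + 4 and an == ns == ar == 0:
        return False, "trailing-garbage"
    return True, "ok"

def constructed_samples():
    """One valid query and several deliberately malformed variants of it (constructed)."""
    good = build_query("www.example.com")
    return {
        "valid": good,
        "short-header": good[:5],
        "unsolicited-response": good[:2] + b"\x81\x00" + good[4:],
        "bad-qdcount": good[:4] + b"\x00\x00" + good[6:],
        "truncated-name": good[:20],
        "bad-label-length": good[:12] + bytes([70]) + b"a" * 70 + good[12:],
    }
```

Each rejection reason doubles as a log field, which is the per-attempt tracking the slide mentions.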
Implement F5 DNS Express
[Diagram: devices on the Internet send DNS queries; DNS Express on BIG-IP answers them in front of the authoritative DNS servers, while the admin manages the back end (OS, DNS records, auth roles, NIC, dynamic DNS, DHCP)]
Scale DNS 200% for App Growth and Denial of Service Protection
TRADITIONAL DNS DELIVERY: Internet, firewall, local load balancing, DNS servers; 75,000 RPS per DNS server. The traditional way to increase DNS capacity is to add more DNS servers and load balance between them: only 75K RPS and a lot of OpEx when using BIND.
HIGH PERFORMANCE DNS DELIVERY: Internet, BIG-IP, master DNS; 20M RPS / 50M RPS. F5 paradigm shift, DNS delivery reimagined: DNS zone transfer for authoritative DNS; hyper-scale up to 200% with Rapid Response; up to 200x a premium DNS server; 500x the performance of BIND.
Problem: Users disrupt DNS infrastructure: malicious behavior sending DNS DDoS; unintentional / unknowing participation via bots and malware; slow response times and high latency.
Solution: [Diagram: Internet, BIG-IP in the DMZ receiving an authoritative zone transfer from the primary DNS in the data center, in front of the apps]
[Diagram: devices query example.com through the LDNS; BIG-IP in the DMZ, in front of the data center DNS servers and apps, returns 123.123.123.123 plus public key]
Simple DNSSEC: protection from cache poisoning and reduced management costs. Ensure trusted DNS queries with real-time or static signed responses. Implement BIG-IP DNS in front of existing DNS servers. Replicate DNS Express and DNSSEC to any BIG-IP with DNS or any other DNS service.
15 steps!!
Regional control improves user experience
[Diagram: BIG-IP DNS with IP geolocation database in the DMZ directing users to data center BIG-IP Local Traffic Manager instances and cloud hosted apps]
Response Policy Zone (RPZ): select your service or create your own list
[Diagram: domain reputation live feed with live updates into BIG-IP]
Mitigate DNS threats by blocking access to malicious IPs. Reduce malware and virus infections. Prevent malware and sites hosting malicious content from ever communicating with a client. Inhibit the threat at the earliest opportunity: Internet activity starts with a DNS request.
BIG-IP DNS and IP Anycast Integration
devcentral.f5.com/codeshare
Live feed updated every 5 minutes. Prevents access to bot command centers.
High-level usage data and inflight DNS query volume information. Customizable fields for log output.
Drill-down capability to identify per-profile query volumes. Covers IPv4, IPv6, and DNS64.
Statistics for each engine: DNS Express, Cache, DNS64 and unhandled queries.
Statistics for each type of DNS query.
Statistics can be monitored through: GUI, SNMP, iControl, TMSH, BIG-IQ.
Advanced DNS Analytics: applications, virtual servers, query name, query type, client IP.
PROBLEM: Greater threats and volume loads on DNS infrastructure: 26% increase in DDoS attacks, 40% increase in UDP/DNS attacks*. App and site outage affects business viability and revenue: $27mil. avg. loss for a 24hr. outage from DDoS**. Enterprises desire to block user access to IPs with malware and viruses. "Organizations should invest in protecting their DNS infrastructure." Gartner***
CURRENT SOLUTION: Buy more DNS servers to handle the volumes. Buy better DNS load balancing. Route DNS DDoS volumes to an external cloud scrubbing service, but remain unaware of what's dropped. Some vendors offer a DNS Firewall, but with only one list and no access to the DB.
BIG-IP DNS (formerly Global Traffic Manager)