Insights into DNS Attacks and Remediation Strategies

This content delves into various aspects of DNS attacks, including observations on attack categories, trends, and remediation techniques. It discusses the use of open resolvers/proxies, bot-based attacks, and the stress on DNS infrastructure. The importance of rate limiting and testing efficiency in combating internet attack traffic is also highlighted.

  • DNS attacks
  • Remediation strategies
  • Internet security
  • Rate limiting
  • Open resolvers


Presentation Transcript


  1. Harness Your Internet Activity

  2. Drilling down into DNS DDoS Data. Amsterdam, May 2015. Ralf Weber

  3. 2014 Random Subdomain Attacks [chart: 2014 data]

  4. 2015 Quieter in Some Ways [chart: millions of unique names per month, January to April 2015, y-axis 0 to 6000, annotated "All quiet???"]

  5. Observations
     • 4 major categories of attacks, distinguished by:
       • Randomization algorithms
       • Use of open DNS proxies or bots
       • Traffic patterns: intensity, duration, time of day (ToD)
       • Domains attacked
     • LOTS of other attack activity out in the long tail

  6. Observations
     • Use of open resolvers/proxies still predominates; installed base around 17M
     • Trend toward more stealthy attacks: only send enough traffic to bring down authorities
     • Highly distributed attacks: 1000s of open resolvers, often low intensity per IP
     • Interesting recent example: www.appledaily.com

  7. Observations
     • Bot-based attacks tend to be few IPs (tens to hundreds)
     • High to very high intensity per IP: up to 1000s of QPS/IP, with a long tail of lower QPS
     • Recent interesting example: rutgers.edu

  8. Remediation is Needed
     • Considerable stress on DNS infrastructure:
       • Resolvers: queries require recursion; working around failed or slow authorities; stress concentrates as authorities fail
       • Authorities: unexpected spikes exceed provisioned limits
     • New rate limiting approaches:
       • Limit traffic to authorities
       • Ingress filtering: drop incoming queries based on policy

  9. Testing Efficiency of Rate Limiting [diagram: Internet attack traffic and user traffic enter the ISP resolver, which queries the authoritative server]

  10. Testing Efficiency of Rate Limiting [diagram as on slide 9, with outbound rate limiting placed between the ISP resolver and the authoritative server, and ingress policy-based filtering placed where attack traffic and user traffic enter the resolver]

  11. Setup for Testing Rate Limiting
      • Test impact of outbound rate limiting on different software: BIND, Power DNS, Unbound, Vantio CacheServe
      • Auth server only answers at a certain rate: two domains (one at 100 qps, one at 1 qps); domains only have one authoritative server
      • Normal user traffic gets 100% replies
      • Insert attack traffic: this will overflow the auth server rate

  12. Test Method: HW, Resolvers, Traffic Sources
      • Server HW: Intel E5-2690V2, 20 cores/40 threads, 128 GB, 4 TB disks, 10 Gig Ethernet, 4G Internet connection
      • dnsperf simulates normal customer traffic: 10 kqps normal traffic, sampled from a Euro ISP; 100 qps traffic for the 2 domains (99 + 1) being attacked
      • tcpreplay simulates attack traffic: 2 * 5,000 qps for the two domains; result is NXDOMAIN

  13. Test Method: Execution
      • Run all traffic for 15 minutes
      • Do a couple of runs to preload the cache and to rule out problems at one point in time
      • This is running over the Internet: packet loss is expected; test server to auth has a ~150 ms round trip
      • Count packets at the machine running dnsperf and at the authoritative server

  14. Test Diagram [diagram: dnsperf and tcpreplay in Redwood City, CA send traffic through the resolver to the authoritative servers in Regensburg, Germany]
      • Good traffic: 10 kqps background plus 100 qps for the test domains
      • Attack traffic: 2 * 5,000 qps for the two domains being attacked
      • The two authoritative servers answer at 100 qps and 1 qps
      • Rate limits should not be hit for normal traffic
      • Resolver and authoritative servers record traffic

  15. Run good traffic: User results [chart, log scale: Noerror, NXDomain, Lost and Servfail counts for Bind, PowerDns, Unbound and Vantio]

  16. Run good traffic: Test domains results [chart, log scale: Noerror, Lost and Servfail counts for Bind, PowerDns, Unbound and Vantio]

  17. Run good traffic: Authoritative Server Results [chart, y-axis 0 to 18000: Noerror, NXDomain and Dropped counts for Bind, PowerDns, Unbound and Vantio]

  18. System Stats [screenshots for Bind, Power DNS, Vantio and Unbound]

  19. Run attack traffic: compare with normal [chart, log scale: Noerror, NXDomain, Lost and Servfail counts for Bind, PowerDns, Unbound, Vantio and Unprotected Bind]

  20. Run protected attack traffic: User results [chart, log scale: Noerror, NXDomain, Lost and Servfail counts for Bind, PowerDns, Unbound and Vantio]

  21. Run good traffic: User results [chart as on slide 15, repeated for comparison]

  22. Run protected attack traffic: Test domains results [chart, log scale: Noerror, Lost and Servfail counts for Bind, PowerDns, Unbound, Vantio and Ingress filter with Vantio]

  23. Run good traffic: Test domains results [chart as on slide 16, repeated for comparison]

  24. Run protected attack traffic: Authoritative Server Results [chart, y-axis 0 to 200000: Noerror, NXDomain and Dropped counts for Bind, PowerDns, Unbound, Vantio and Ingress filter with Vantio; one bar is annotated "This line goes up to: 417960"]

  25. Run good traffic: Authoritative Server Results [chart as on slide 17, repeated for comparison]

  26. System Stats [screenshots for Bind, Unbound, Vantio and Power DNS]

  27. Results: Resolver Traffic (9,000,000 queries per test run)

      Resolver   Run   Type                       No Error   NXDomain   Lost      Servfail
      Vantio     3     Good                       8987622    12248      74        56
      Vantio     5     Attack                     8988291    11576      100       33
      Vantio     7     Attack (ingress filter)    8978049    20668      1142      141
      PDNS       3     Good                       8989007    9477       94        1422
      PDNS       5     Attack                     8986967    8767       2868      1398
      Bind       3     Good                       8986205    11537      231       2027
      Bind       5     Attack                     8985913    11571      371       2145
      Bind       7     Attack (unprotected)       7497150    19291      5436      1478123
      Unbound    8     Good                       8982254    17309      287       150
      Unbound    9     Attack                     8975942    17114      901       6043

  28. Results: Attack domains (authoritative side). Same ten test runs as slide 27 (runs 3, 5, 7, 3, 5, 3, 5, 7, 8, 9; types Good, Attack, Attack, Good, Attack, Good, Attack, Attack, Good, Attack). Rows: Auth Noerror, Auth Software (CS7), No Error, Lost, Servfail, NXDomain, Auth Dropped. Cell values as extracted: 8997; 89970 1450 899950; 0 0 0 0 30 0 0 88550 145 8998 8995 99 9000 56 332 16401 910 93684 80790; ingress filter, PDNS: 50 71 0 0 0 0 89929 807 90000 560 3310 90000 4311 1395 87798 16317 62131; Bind: 0 2 0 0 0 89438 86530 7683 94315 6670; unprotect, Unbound: 160 2538256 0 6 0 0 0 85584 48110 417843

  29. Take aways
      • Random subdomain attacks can affect normal user traffic
      • Outbound rate limiting protection works great for non-affected traffic
      • Outbound rate limiting does not protect the attacked domain
      • Ingress list-based filtering does

  30. Recent Attacks: www.appledaily.com.tw
      • April 30 2015; Alexa rank 574
      • Attack lasted ~10 hours
      • Used open home gateways
      • Also widely publicized attacks in summer 2014

  31. Flying Under the Radar
      • {random}.www.appledaily.com.tw, sample of 40 mins of traffic
      • Total queries 735M; total clients 10.6M
      • Attack queries 37.9M (5.15% of total); attack clients 79.7 thousand (0.75% of total)
      • Average QPS per attacking client = 0.2

  32. Recent Attacks: rutgers.edu
      • April 28, 2015; Alexa rank 3,805
      • Many earlier attacks
      • {random}.rutgers.edu, sample of 60 mins of traffic
      • Total queries 1.01 billion; attack queries 19.1 million
      • Total clients 11.1 million; attack clients 238
      • Average QPS per client = 22

  33. Challenge: Protecting Good Traffic
      • Whitelist to protect legitimate queries: www.appledaily.com.tw., liebiao.800fy.com., www.23us.com., wuyangairsoft.com.
      • Blocklist to eliminate malicious traffic: *.www.appledaily.com.tw., *.liebiao.800fy.com., *.www.23us.com., *.wuyangairsoft.com.

  34. Examples
      • Query www.appledaily.com.tw.: answered, protected by whitelist
      • Query avytafkjad.www.appledaily.com.tw.: blocked by blocklist
      • Query www2.appledaily.com.tw.: answered through normal resolution
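The whitelist/blocklist policy of slides 33 and 34 placed in front of an outbound per-authority rate limit, as an added example (not code from the talk or from any of the resolvers tested). The token bucket, the 10 qps authority rate, the 100 qps attack and the 60 s run are constructed, scaled-down stand-ins for the figures on slides 11 and 12; the run reproduces the slide 29 take-away that the rate limit alone starves the attacked domain's legitimate query while the ingress list filter lets it through.

```python
import random
# Lists from slide 33 (absolute, trailing-dot names); a "*." entry covers every name below its parent.
WHITELIST = {"www.appledaily.com.tw.", "liebiao.800fy.com.", "www.23us.com.", "wuyangairsoft.com."}
BLOCKLIST = {"*.www.appledaily.com.tw.", "*.liebiao.800fy.com.", "*.www.23us.com.", "*.wuyangairsoft.com."}
LEGIT = "www.appledaily.com.tw."

def normalize(qname):
    """DNS names are case-insensitive: compare them lower-cased and absolute."""
    qname = qname.lower()
    return qname if qname.endswith(".") else qname + "."

def ingress_decision(qname):
    """'answer' (whitelist, exact), 'block' (below a *. entry) or 'resolve' (normal resolution)."""
    name = normalize(qname)
    if name in WHITELIST:                 # exact match first, so the protected name itself survives
        return "answer"
    for pattern in BLOCKLIST:
        parent = pattern[2:]              # strip the leading "*."
        if name.endswith("." + parent):   # the dot keeps e.g. xwww.appledaily.com.tw. out of the match
            return "block"
    return "resolve"

class TokenBucket:
    """Outbound rate limit towards one authoritative server (hypothetical, not any vendor's code)."""
    def __init__(self, qps):
        self.qps, self.tokens, self.last = qps, float(qps), 0
    def allow(self, now):
        self.tokens = min(self.qps, self.tokens + (now - self.last) * self.qps)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def simulate(ingress_enabled, seconds=60, attack_qps=100, auth_qps=10, seed=1):
    """Return (legitimate www queries answered, attack queries forwarded) over a constructed run."""
    rng = random.Random(seed)
    bucket = TokenBucket(auth_qps)        # slide 11: the attacked domain has a single authority
    forwarded = {"legit": 0, "attack": 0}
    for sec in range(seconds):            # the bucket refills once per second of simulated time
        batch = ["".join(rng.choices("abcdefghijklmnopqrstuvwxyz", k=10)) + "." + LEGIT
                 for _ in range(attack_qps)]
        batch.insert(attack_qps // 2, LEGIT)   # the legitimate query arrives mid-burst
        for q in batch:
            if ingress_enabled and ingress_decision(q) == "block":
                continue                  # dropped at ingress: never costs the authority a token
            if bucket.allow(sec):
                forwarded["legit" if q == LEGIT else "attack"] += 1
    return forwarded["legit"], forwarded["attack"]
```

Without the ingress filter the random names drain the authority's budget every second and the real www query is never forwarded; with it, every attack query is dropped before the bucket and the whitelisted name is answered each time.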

  35. Summary
      • Constant DNS-based DDoS evolution
      • Open home gateways remain a problem
      • Malware-based exploits create broad exposure
      • Not clear where attacks are headed; evidence that attackers are refining techniques
      • Remediation needs to be undertaken with care: clients want answers!! Critical to protect good traffic
