Water Torture:
A Slow Drip DNS DDoS Attack on QTNet
Kei Nishida, Network Center
Kyushu Telecommunication Network Co., Inc.
About QTNet
• Company Name
  - Kyushu Telecommunication Network Co., Inc. (QTNet, for short)
  - Telecommunications carrier in Kyushu, Japan
• Services
  - Wide-Area Ethernet
  - FTTH
  - Internet Access, VoIP, TV
What is Water Torture?
• A type of distributed denial-of-service (DDoS) attack on DNS servers.
• Authoritative DNS servers are the target of this attack.
• However, as a side effect, the load on Cache DNS Servers (Internet service providers' DNS servers) also increases.
• Since January 2014, this attack has been reported around the world.
  - The attack is ongoing.
[Figure: traffic graph; labels "January 2014" and "bps"]
Overview of the Attack part 1
[Diagram: Attacker → Botnets → Open Resolvers → Cache DNS Server → Authoritative DNS Server (example.com)]
DNS queries: abcdefg1.example.com, abcdefg2.example.com, abcdefg3.example.com, and so on
1. The attacker commands his botnets.
2. Many bots each send a small number of random queries to open resolvers (customer broadband routers).
3. Open resolvers send the random queries to the Cache DNS Server.
4. Cache DNS Servers send the random queries to the Authoritative DNS Server.
Overview of the Attack part 2
• Authoritative DNS servers go down under the many DNS queries sent by Cache DNS Servers (Internet service providers' DNS servers).
• Cache DNS Servers (Internet service providers' DNS servers) go down under the many DNS queries sent by open resolvers (customer broadband routers).
QTNet Case - Overview
• From 29 May 2014, queries from botnets increased.
• The QTNet Cache DNS Server was affected by this traffic.
  - Alarms were raised that the system resources of the Cache DNS Server had reached the limit value.
  - Some customers reported that they could not access some web sites from their devices.
• To block the attack, we tried several measures.
QTNet Case - Traffic from Botnets
[Figure: Traffic to destination port 53 from the Internet to the QTNet network, 29 May to 1 June; series: specific, non-specific]
• The colored areas indicate specific botnet IP addresses.
• 1/2 of the traffic came from non-specific botnet IP addresses.
QTNet Case - Traffic from Botnets
[Figure: Traffic to destination port 53 from the Internet to the QTNet network, 10 to 15 June; series: non-specific]
• The traffic trend changed from June 14.
QTNet Case – Cache DNS Server
QTNet Case – How to Block the Attack 1
• We put the zones targeted by the attack on the Cache DNS Servers, like this:
    $TTL xxxxxx
    @       IN SOA  localhost. localhost. (
                    2014052900 ; Serial  [yyyymmddhh]
                    xxh        ; Refresh [xxh]
                    xxh        ; Retry   [xxh]
                    xxd        ; Expire  [xxd]
                    xxd )      ; Minimum [xxd]
            IN NS   localhost.
• The Cache DNS Server could then reply “NXDOMAIN” without contacting the Authoritative DNS Server. However, …
  - The targeted zone changed frequently.
  - Our operators had to monitor the attack and add the zones manually, 24 hours a day.
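
One way to reduce the manual monitoring described above is to let a script pick out candidate zones from the resolver's query log. The following is an added example, not part of the original slides or QTNet's tooling; the log format (epoch, client, qname, rcode), the sample lines and the thresholds are constructed assumptions, and cutting the zone at a fixed number of labels is a simplification.

```shell
#!/bin/sh
# Added example: flag zones that look like Water Torture targets, i.e. many
# distinct random names under one zone, most of them failing to resolve.
# Assumed (constructed) log format: <epoch> <client> <qname> <rcode>

# find_attacked_zones MIN_UNIQUE [ZONE_LABELS]
# Reads the log on stdin and prints "zone unique_names failures total"
# for every zone with at least MIN_UNIQUE distinct query names of which
# more than half did not get NOERROR. ZONE_LABELS (default 2) is how many
# trailing labels form the zone; use 3 for names under co.jp and similar.
find_attacked_zones() {
    awk -v min="$1" -v depth="${2:-2}" '
    {
        qname = tolower($3)
        sub(/\.$/, "", qname)              # drop the trailing root dot
        n = split(qname, lab, ".")
        if (n <= depth) next               # a query for the zone apex itself
        zone = lab[n]
        for (i = n - 1; i > n - depth; i--) zone = lab[i] "." zone
        total[zone]++
        if (!((zone, qname) in seen)) {    # count each name once per zone
            seen[zone, qname] = 1
            uniq[zone]++
        }
        if ($4 != "NOERROR") fail[zone]++
    }
    END {
        for (z in uniq)
            if (uniq[z] >= min && fail[z] * 2 > total[z])
                printf "%s %d %d %d\n", z, uniq[z], fail[z], total[z]
    }' | sort
}

# Constructed sample log: random labels under example.com (the pattern on
# the attack overview slide) mixed with ordinary lookups.
sample_log() {
    cat <<'EOF'
1401321600 203.0.113.10 abcdefg1.example.com. NXDOMAIN
1401321600 203.0.113.11 abcdefg2.example.com. NXDOMAIN
1401321601 203.0.113.12 abcdefg3.example.com. SERVFAIL
1401321601 203.0.113.10 abcdefg4.example.com. NXDOMAIN
1401321602 203.0.113.13 abcdefg5.example.com. SERVFAIL
1401321602 203.0.113.14 www.example.net. NOERROR
1401321603 203.0.113.14 www.example.net. NOERROR
1401321603 203.0.113.15 mail.example.net. NOERROR
1401321604 203.0.113.16 www.example.org. NOERROR
EOF
}

# Demo run on the constructed log with a threshold of 5 distinct names.
sample_log | find_attacked_zones 5
```

A zone reported here is only a candidate: loading an empty local zone for it also makes every legitimate name in that zone answer NXDOMAIN, so the list still needs an operator's review.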
QTNet Case – How to Block the Attack 2
• We use the iptables hashlimit module on the Cache DNS Servers.
  - Packets from the Cache DNS Server to the same authoritative DNS server are limited to a certain threshold by hashlimit.
  - Packets over the limit are rejected with an icmp-port-unreachable message, so the Cache DNS Server can reply “SERVFAIL” without contacting the Authoritative DNS Server.
[Figure: iptables overview]
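
The hashlimit approach on this slide, together with the allow list mentioned in the summary, could be expressed as the rule set below. This is an added example, not QTNet's actual configuration; the chain name DNS_UPSTREAM, the rate and burst values and the allow-list addresses are constructed assumptions.

```shell
#!/bin/sh
# Added example (not QTNet's configuration): print iptables rules that cap
# resolver-to-authoritative DNS traffic per destination IP with hashlimit.
# Chain name, rate, burst and allow-list addresses are constructed values.

# gen_dns_hashlimit_rules RATE BURST [ALLOWED_IP ...]
#   RATE   packets per interval, e.g. 100/second
#   BURST  packets allowed before the rate applies, e.g. 200
# Prints the commands only; review them, then pipe to `sh` as root to apply.
gen_dns_hashlimit_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_dns_hashlimit_rules RATE BURST [ALLOWED_IP ...]" >&2
        return 1
    fi
    rate=$1; burst=$2; shift 2

    # Validate input before emitting anything that might be piped to sh.
    printf '%s\n' "$rate" | grep -Eq '^[0-9]+/(second|minute|hour|day)$' \
        || { echo "bad rate: $rate" >&2; return 1; }
    printf '%s\n' "$burst" | grep -Eq '^[0-9]+$' \
        || { echo "bad burst: $burst" >&2; return 1; }
    for ip in "$@"; do
        printf '%s\n' "$ip" \
            | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad allow-list entry: $ip" >&2; return 1; }
    done

    # Dedicated chain so the policy can be flushed or removed in one step.
    echo "iptables -N DNS_UPSTREAM"

    # Allow list first: busy, trusted upstream servers must never hit the
    # limit, or legitimate lookups through them would also get SERVFAIL.
    for ip in "$@"; do
        echo "iptables -A DNS_UPSTREAM -d $ip -j RETURN"
    done

    # One token bucket per destination IP (--hashlimit-mode dstip). Packets
    # within the limit return to OUTPUT and are sent normally. Idle buckets
    # are dropped after 60000 ms.
    echo "iptables -A DNS_UPSTREAM -m hashlimit --hashlimit-name dns_upstream --hashlimit-mode dstip --hashlimit-upto $rate --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j RETURN"

    # Everything over the limit is rejected locally with ICMP port
    # unreachable, so the resolver fails fast instead of waiting on a timeout.
    echo "iptables -A DNS_UPSTREAM -j REJECT --reject-with icmp-port-unreachable"

    # Hook the chain: only UDP queries the resolver itself sends to port 53,
    # excluding loopback. Replies to customers use source port 53 and are
    # not matched.
    echo "iptables -A OUTPUT ! -o lo -p udp --dport 53 -j DNS_UPSTREAM"
}

# Demo: print the rule set for constructed values.
gen_dns_hashlimit_rules 100/second 200 192.0.2.53
```

Because the limit is keyed on the destination address, an authoritative server that hosts both an attacked zone and unrelated zones is throttled as a whole, which is why the allow list matters.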
QTNet Case – Additional measures
• The fundamental problems are open resolvers and traffic from the botnets.
• We are asking customers to update their broadband routers' firmware (so that the routers are no longer open resolvers).
QTNet Case – Additional measures
• We are considering IP53B.
  - Block traffic to destination port 53 (UDP) from the Internet to QTNet customers (dynamic IP addresses only).
Summary
• QTNet could block the “Water Torture: A Slow Drip DNS DDoS Attack” with the iptables hashlimit module.
  - Operating an "allow list" is necessary.
• The fundamental problems are open resolvers and traffic from the botnets.
• Some vendors have released blocking functions based on the DNS protocol rather than on Layer 3. We expect these functions to work well.
References
• Yasuhiro Orange Morishita@JPRS: About Water Torture
  - http://2014.seccon.jp/dns/dns_water_torture.pdf (accessed Jun 7th 2015)
• SECURE64 BLOG - Water Torture: A Slow Drip DNS DDoS Attack
  - https://blog.secure64.com/?p=377 (accessed Jun 7th 2015)
Thank you!

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2015]
