This document discusses DNS DDoS attack types and defenses. It describes the history of major DNS DDoS attacks from 2012 to 2013, including attacks against Spamhaus and GoDaddy. It then analyzes different DNS DDoS attack types like bandwidth consuming attacks, massive query attacks, amplification attacks using open resolvers, and attacks using non-existent domain queries. Finally, it discusses defenses like packet filtering, rate limiting, response rate limiting (RRL), and distributing DNS infrastructure.
This document discusses how to launch and defend against DDoS attacks. It explains that DDoS attacks are easy to conduct using tools that allow for spoofing of IP addresses. It also describes how protocols like UDP and DNS amplification attacks can be used to launch large attacks. The document then provides recommendations for how to defend against DDoS attacks, including using a global network with anycast, hiding your origin IP, separating protocols by IP, and working closely with your upstream provider.
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2... (APNIC)
This document discusses a "Water Torture" DNS DDoS attack targeting QTNet, a Japanese telecommunications carrier. The attack works by botnets sending large numbers of random DNS queries to open resolvers, overwhelming cache DNS servers. QTNet saw this traffic grow in May 2014, overloading their cache DNS server. To block the attack, QTNet used the iptables hashlimit module to limit queries to authoritative DNS servers, and is asking customers to update router firmware to prevent open resolvers. The fundamental problems are open resolvers enabling reflection and direct traffic from botnets, and QTNet may implement IP address blocking of port 53 traffic from the internet.
This document discusses strategies for conducting distributed denial-of-service (DDoS) attacks and bypassing mitigation tactics. It presents 10 attack strategies, including targeting backend systems like databases to cause amplification, using reflection techniques, and spoofing large ranges of IP addresses to overwhelm blocklisting defenses. The document also critiques common misconceptions that can leave systems vulnerable, such as not protecting HTTPS traffic or enabling dynamic cloud distribution without origin protection. The overall message is that comprehensive testing and planning are needed to effectively mitigate DDoS attacks.
This document discusses DDoS attacks and mitigation methods. It begins by defining DDoS attacks as using multiple sources to overwhelm a target's availability, unlike a DoS attack, which uses a single source. Common DDoS attack types are then outlined, along with the costs and impacts of attacks for victims. The document also provides details on specific attack methods like SYN floods, reflection attacks using DNS and NTP, and recommended mitigation techniques including whitelisting, rate limiting, and fingerprinting. It concludes by emphasizing that DDoS attacks are easy to carry out and difficult to detect, while having significant negative effects on victims.
This document discusses distributed denial of service (DDoS) attacks. It begins by defining a DDoS attack as a malicious attempt to disrupt normal traffic by overwhelming a target with a flood of traffic utilizing multiple compromised systems. The document then discusses the evolution of DDoS attacks over time in terms of size and complexity. It provides examples of different types of DDoS attacks including application layer attacks like HTTP floods, protocol attacks like SYN floods, and volumetric attacks like DNS amplification attacks. Finally, it discusses common techniques for mitigating DDoS attacks such as black hole routing, rate limiting, web application firewalls, and anycast network diffusion.
DDoS attacks make headlines every day, but how do they work and how can you defend against them? DDoS attacks can be high volume UDP traffic floods, SYN floods, DNS amplification, or Layer 7 HTTP attacks. Understanding how to protect yourself from DDoS is critical to doing business on the internet today.
Suzanne Aldrich, a lead Solutions Engineer at Cloudflare, will cover how these attacks work, what is being targeted by the attackers, and how you can protect against the different attack types. She will cap the session with the rise in IoT attacks, and expectations for the future of web security.
Speaker Bio:
Suzanne is a solutions engineer team lead at Cloudflare, where she specializes in security, performance, and usability. Her interest in all things web started in high school when she created the school's first website. While at Stanford, Suzanne was the webmaster for a matchbox-sized server running the Wearable Computing Lab's site.
This document discusses analyzing DNS data to detect DNS-based distributed denial-of-service (DDoS) attacks. It finds that random subdomain attacks and attacks using open home gateways and bot malware are increasingly common. These attacks strain DNS resolvers and authoritative servers by generating large volumes of recursive queries with randomized subdomains. The document recommends filtering DNS traffic at the ingress of resolvers to minimize workload and stress, while still allowing legitimate queries by using near-real-time blocklists and whitelisting valid subdomains for popular domains.
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches (APNIC)
The document discusses DNS query attacks that aim to degrade DNS resolvers by flooding them with requests for nonexistent subdomains. It describes the attacks, identifying features like high volumes of random subdomain queries. It then outlines several mitigation techniques resolvers have used, including temporarily authorizing themselves to answer authoritatively, filtering requests using real-time blocklists, and making resolvers smarter by monitoring responses and throttling queries adaptively on a per-server or per-zone basis. The best long-term solution mentioned is closing insecure home gateways that are often hijacked to initiate such attacks.
This document provides an overview of DNS security and DNSSEC. It begins with explanations of what DNS is, how it works, and how DNS responses can be corrupted. It then discusses the problems that occur when DNS goes bad, such as being directed to the wrong site or downloading malware. The document introduces DNSSEC as a solution and explains why it was created and why it is important, particularly for government agencies. It addresses why more organizations don't use DNSSEC and the challenges of deploying and maintaining it. Finally, it describes options for implementing DNSSEC, including the GSA DNSSEC Cloud Signing Service, which handles the complexities for .gov domains.
The document discusses various techniques that internet service providers can use to prevent IP reflection attacks, including:
- Implementing BCP38 and BCP140, which involve validating the source IP address of incoming packets to prevent spoofing. This is recommended to be deployed as close to the edge of the network as possible.
- Enforcing validation using access control lists (ACLs) to filter packets and unicast reverse path forwarding (uRPF) to check the return path of source IP addresses. Strict uRPF is recommended for customers.
- Example ACL and uRPF configurations are provided for Cisco and Juniper routers to filter traffic from customer networks connected to the ISP edge router.
The document discusses DDoS attacks and countermeasures. It begins with an overview of common DDoS attack types like botnet attacks and distributed reflected DNS attacks. It then discusses challenges like how easy it is to build botnets and buy them online. The document also covers the xFlash attack technique and new capabilities in Flash 9. The second part discusses countermeasures, emphasizing performance tuning, caching, scalability through architecture like shared nothing, and implementing defense in depth. It concludes by thanking the audience and asking for questions.
Distributed Denial of Service or DDoS attacks have been in the news a lot lately. This video will explain what those attacks are and provide recommendations on what you can do to prevent or mitigate those attacks on your business or website.
This document provides an introduction to DNSSEC (Domain Name System Security Extensions) in 3 parts:
1. It explains that the purpose of DNSSEC is to address vulnerabilities in the DNS like cache poisoning and lack of data integrity by cryptographically signing DNS records.
2. It discusses some of the operational implications of DNSSEC like increased response sizes requiring EDNS0, using multiple keys (KSK and ZSK), and developing a DNSSEC Policy and Practice Statement.
3. It provides resources for further learning including open source DNSSEC software, mailing lists, and examples of deployed DNSSEC at the root zone and in some top-level domains.
This document provides an overview of distributed denial of service (DDoS) attacks including:
- Common types of DDoS attacks like UDP floods, SYN floods, DNS floods and HTTP floods and how they work to overwhelm servers.
- How DDoS attacks are evolving to larger sizes and more complex botnets.
- Methods for mitigating DDoS attacks including black hole routing, rate limiting, web application firewalls, anycast networks and cloud-based DDoS protection services.
- A real example of mitigating a massive 400Gbps DDoS attack and the largest attacks seen to date.
1. The document discusses DNS cache poisoning using a man-in-the-middle attack. It provides details on setting up the attack using Kali Linux, Windows Server 2008, and Windows 7. It clones the Facebook website and poisons the DNS cache so traffic is redirected to the fake site.
2. Testing confirms the attack was successful when pinging the fake Facebook site returns the IP of the Kali machine for both Windows systems. The document also proposes short and long-term solutions to prevent DNS cache poisoning attacks, such as disabling open recursive name servers and implementing DNSSEC.
3. In conclusion, the document notes that while DNS cache poisoning is easy to set up, protection requires more effort but is still important for network
This document discusses DNS cache poisoning. It begins by explaining what DNS is and its purpose of mapping domain names to IP addresses. It then discusses how DNS servers implement caching to improve performance and defines DNS cache poisoning as getting unauthorized entries into a DNS server's cache. The document outlines how an attacker could poison a cache to redirect traffic to a machine they control in order to perform man-in-the-middle attacks or install malware. It describes various methods of poisoning caches locally or remotely, such as between end users and nameservers or between nameservers themselves using the Kaminsky attack. Defenses like DNSSEC are mentioned along with encouragement to try cache poisoning in a controlled lab environment.
This document discusses IPv6 threats to government networks. It provides an overview of IPv6 including its large address space and advantages over IPv4. It notes that while the US government is required to transition to IPv6, progress has been slow. Specific IPv6 threats are examined such as NDP spoofing, SLAAC attacks, and Teredo tunneling. It is concluded that most organizations are not fully prepared to detect and mitigate IPv6 threats due to limitations in tools, analyst expertise, and threat intelligence focusing primarily on IPv4.
DDoS attacks make headlines every day, but how do they work and how can you defend against them? DDoS attacks can be high volume UDP traffic floods, SYN floods, DNS amplification, or Layer 7 HTTP attacks. Understanding how to protect yourself from DDoS is critical to doing business on the internet today. Suzanne Aldrich, a lead Solutions Engineer at Cloudflare, will cover how these attacks work, what is being targeted by the attackers, and how you can protect against the different attack types. She will cap the session with the rise in IoT attacks, and expectations for the future of web security.
https://2017.badcamp.net/session/devops-performance-security-privacy/beginner/anatomy-ddos-attack
Cloudflare protects and accelerates any web property online. We stop hackers from reaching your web property and knocking it offline. In addition, we help your site visitors access your content as fast as possible no matter their location. Join us as we discuss evolving DDoS attack types and trends to be aware of in 2018.
This document provides an overview of key concepts in DNSSEC including public/private keys, message digests or hashes, and digital signatures. It explains that public/private key pairs are used, where the private key is kept secret and the public key can be freely distributed. It also describes how one-way hashing functions work to generate fixed-length hashes from variable-length data, and how digital signatures are created by encrypting a message hash with a private key. These three concepts of public/private keys, hashes, and digital signatures form the basis of cryptographic techniques used in DNSSEC.
This document discusses DNS cache poisoning vulnerabilities, including:
- Explanations of how cache poisoning works by entering non-authoritative records into a resolver's cache.
- A timeline of vulnerabilities discovered from 1993-2008 related to implementation issues that allowed cache poisoning.
- Countermeasures like DNSSEC that add authentication and integrity to DNS to prevent cache poisoning attacks.
DNS is critical network infrastructure and securing it against attacks like DDoS, NXDOMAIN, hijacking and Malware/APT is very important to protecting any business.
1) The document discusses DNS spoofing techniques including DNS cache poisoning, DNS ID spoofing, and exploiting the birthday paradox.
2) It describes two versions of a DNS ID spoofing tool called dnsspoof.py that either targets a specific victim or all victims on the network.
3) Examples are given using the Scapy Python library to build and sniff packets to demonstrate how the DNS spoofing tools could be implemented.
Grehack2013-RuoAndo-Unraveling large scale geographical distribution of vulne... (Ruo Ando)
Feasibility study of large scale attacks of DNS. We have found 10,334,293 DNS servers in 34 hours of first measurement (2013/05/31 – 2013/06/02) and 30,285,322 DNS servers in 26 hours of second measurement (2013/07/05).
Encrypted DNS - DNS over TLS / DNS over HTTPS (Alex Mayrhofer)
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
DDoS Attack on DNS using infected IoT Devices (Seungjoo Kim)
[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
This document discusses a denial of service (DoS) attack. It describes DoS attacks as flooding a server with data packets to create heavy internet traffic and deny service to legitimate users. It outlines the tools needed to perform a DoS attack, including a Linux machine, Mono, Mono-gmcs, and LOIC. It then explains the methodology, describing how to specify the target URL in LOIC and set it to UDP mode to flood packets without acknowledgment. Finally, it discusses the pros and cons of DoS attacks, noting they damage servers and reputation while allowing attackers to remain untraced.
This document provides a summary of key strategies for enhancing DNS security, including implementing layered defenses, managing DNS traffic to mitigate DDoS attacks, and understanding how DNS is used in advanced malware attacks. It recommends a layered approach involving people, processes, and technology since there is no single solution. Specific tactics discussed include spreading out DNS servers, using commercial DDoS filtering, rate limiting by source/destination IP and query type, and using specialized DNS firewalls to filter traffic before it reaches DNS servers. The document emphasizes the importance of DNS to internet functionality and outlines growing security threats.
DNS protocol design, attacks and security (Michael Earls)
The document discusses DNS security and attacks such as cache poisoning, denial of service attacks through query flooding, and man-in-the-middle attacks through DNS hijacking. It provides examples using tools like dnsFlood.pl and dnshijacker to demonstrate these attacks, and recommends mitigations like restricting queries, preventing unauthorized zone transfers, using DNSSEC, and configuring TSIG to secure DNS messages.
The presentation covers information about basic and advanced DDoS attacks: the tools, techniques and methods used to perform them, and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for TCP/IP, we tried to describe where DDoS attacks are made possible in the communication process. Each attack is separately analyzed and described, and the defense technique is described using the same analogy. Our motto: if there is a DDoS case, there was a way to defend it.
PLNOG 13: Adam Obszyński: Case Study – Infoblox Advanced DNS Protection, PROIDEA
Adam Obszyński works at Infoblox as a Senior Systems Engineer responsible for CEE. He previously worked at Cisco, at several integrators (NXO, MCX, ATM) and operators (ATMAN, Polbox, Multinet). He has experience in designing and implementing network and application solutions and has been in the industry for 20 years. He is a certified CCIE #8557 and CISSP, and has given presentations and workshops at many conferences in Poland and abroad (including Cisco Live US & EU, Cisco Forum, Cisco Expo, PLNOG).
Presentation topic: Case Study – Infoblox Advanced DNS Protection
Presentation language: Polish
Abstract:
Have you heard of the attack types listed below? Or perhaps experienced them in your own network?
Phantom domain attack
NXDomain attack
DNS reflection/DrDoS attacks
DNS amplification
DNS cache poisoning
Protocol anomalies
DNS tunneling
DNS hijacking
At the previous PLNOG I talked about the unique DNS protection provided by Infoblox ADP. This time I will talk about what we have done recently in DNS protection and present cases from our customers' network environments.
I will describe what happened in our customers' networks and how we dealt with the problems caused by attacks on DNS.
Infoblox Advanced DNS Protection delivers a comprehensive solution for protecting against many attacks on DNS services. The system intelligently distinguishes legitimate DNS traffic from malicious DDoS traffic generated by attackers, such as DNS exploits and weaknesses. It automatically drops attack traffic while answering legitimate DNS traffic at full performance. In addition, Advanced DNS Protection receives automatic updates of its policies/rules, ensuring constant protection against new developments in this field. Infoblox is the first and only vendor to offer such an exceptional and unique solution for the highest protection of critical DNS services. More details on solutions for operators: www.infoblox.com/sp
"In this session, we will address the current threat landscape, present DDoS attacks that we have seen on AWS, and discuss the methods and technologies we use to protect AWS services. You will leave this session with a better understanding of:
DDoS attacks on AWS as well as the actual threats and volumes that we typically see.
What AWS does to protect our services from these attacks.
How this all relates to the AWS Shared Responsibility Model."
DNS spoofing/poisoning Attack Report (Word Document), Fatima Qayyum
This document discusses DNS spoofing/poisoning attacks. It begins by explaining how DNS works, translating domain names to IP addresses. It then discusses different types of DNS attacks, focusing on DNS spoofing/poisoning. The document outlines how DNS spoofing occurs by tampering with DNS resolvers or using malicious DNS servers. It explains the goals of attackers, such as launching denial of service attacks or redirecting users to fake websites. The document also provides ways to exploit DNS spoofing through amplification attacks and discusses recommendations for preventing DNS spoofing, such as checking and flushing DNS settings on Windows systems.
Nowadays DNS is used to load balance, failover, and geographically redirect connections. DNS has become so pervasive that it is hard to identify a modern TCP/IP connection that does not use DNS in some way. Unfortunately, due to the reliability built into the fundamental RFC-based design of DNS, most IT professionals don't spend much time worrying about it. If DNS is maliciously attacked, whether by altering the addresses it gives out or by taking it offline, the damage will be enormous. Whether conducted for political motives, financial gain, or just the notoriety of the attacker, the damage from a DNS attack can be devastating for the target.
In this research we will review different advanced DNS attacks and analyze them. We will survey some of the most common DNS vulnerabilities and ways of protecting against DNS attacks.
This document discusses using fastnetmon and ExaBGP to monitor and mitigate DDoS attacks at the University of Wisconsin-Platteville. Fastnetmon monitors network traffic in real-time and detects DDoS attacks based on packet, bandwidth, and flow thresholds. It then triggers ExaBGP to inject blackhole routes to drop attack traffic while allowing legitimate traffic to pass. This integrated solution allows the university to automatically detect and mitigate DDoS attacks in near real-time.
This document provides an overview of denial of service attacks and service provider solutions from F5 Networks. It discusses how DNS protocols are commonly used in DDoS attacks and how F5 solutions can provide DNS firewalling, DDoS protection, and high performance DNS services. The document also summarizes how the F5 Advanced Firewall Manager (AFM) can mitigate DDoS attacks through detection, filtering, and dynamic blacklisting capabilities. Finally, it addresses challenges of IPv6 and the transition to IPv6 through integrated firewall and CGNAT solutions.
This document summarizes a presentation about DNS in AWS. It discusses using Route53 outbound resolvers and resolver rules to resolve VPC endpoints and avoid DNS traffic leaving the VPC. It also discusses using Guard Duty to monitor DNS activity and configure a DNS firewall to block exfiltration or botnet C&C queries. The presentation recommends configuring DNSSEC for hosted zones and validating responses. It suggests logging and analyzing DNS queries for security.
Network Intelligence for a secured Network (2014-03-12), Andreas Taudte
This document discusses BlueCat Network Intelligence's threat protection solution for securing network infrastructure. It describes typical attacks that leverage DNS, and how BlueCat protects against these attacks by downloading lists of known malicious sites and blocking queries and traffic to these sites. The document also outlines challenges with external DNS and how BlueCat's hosted DNS solution addresses these with features like DNSSEC, response rate limiting, and anycast architecture. It positions BlueCat as providing a single management platform for on-premise and external DNS/DHCP services through components like Address Manager and Automation Manager.
This document discusses solutions for preventing distributed denial-of-service (DDoS) attacks on game servers at different levels including DNS, network, and application levels. It recommends purchasing anti-DDoS services, using content delivery networks, web application firewalls, blacklisting abnormal IP addresses, and implementing packet marking and filtering techniques. The document also provides references to several commercial anti-DDoS service providers and their pricing.
This document discusses distributed denial-of-service (DDoS) attacks and mitigation strategies. It begins with a definition of DDoS attacks as attempts to make machines or networks unavailable to intended users. It then discusses different types of DDoS attack motivations, including distraction from criminal activity, competitive advantage, retaliation, and ideology. The document outlines the sophistication of DDoS attack tools and services available. It emphasizes that DDoS attacks are a major risk to service availability that should be accounted for in risk planning and analyses. The business impacts of DDoS attacks, including revenue loss, operations impacts, help desk impacts, and brand/reputation damage, are reviewed. Finally, mitigation strategies are discussed.
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski, PROIDEA
This document provides an overview of DDoS solutions from a customer perspective. It discusses different types of DDoS attacks and the need for multiple protection tools. It describes two common deployment models for scrubbing centers: DNS redirection and BGP. AlwaysOn protection is generally better than on-demand AlwaysAvailable protection. While scrubbing services can mitigate large attacks, they are not a complete solution and other measures are needed to deal with initial attack waves. Preparation including a response team and plan can help organizations effectively respond to DDoS attacks.
The document provides an overview of DNS history and requirements for maintaining a DNS infrastructure. It discusses how DNS has evolved since 1983 to support features like load balancing, geobalancing, failover, and security protocols. When choosing a DNS software product or service provider, key considerations include scalability, supported features, dynamic configuration, failover capabilities, and protection against DDoS attacks. Maintaining DNS with multiple service providers can improve performance and reliability compared to a single provider.
A contemporary network service heavily depends on the domain name system operating normally. Yet the issues and caveats of a typical DNS setup are often overlooked. DNS (like BGP before it) is expected to "just work" everywhere; however, just like BGP, it is a complex protocol and a complex solution where a lot of things can go wrong in multiple ways under different circumstances. This talk is supposed to provide some assistance both in maintaining your own DNS infrastructure and in relying on service providers to do this.
2016 state of the internet threat advisory dnssec ddos amplification attacks, Andrey Apuhtin
The document discusses DNSSEC amplification DDoS attacks that have been observed over the past quarters. It notes that attackers have been leveraging a specific DNSSEC-configured .gov domain to launch over 400 attacks due to the large response size it provides. The domain has been used in attacks against customers in multiple industries. It then provides technical details on how DNSSEC works and how attackers are exploiting it to amplify DDoS attacks through DNS reflection techniques.
The document provides an overview of DNS (Domain Name System) security. It begins with introductions and defines DNS as the core internet protocol that converts domain names to IP addresses. It then discusses some security issues with DNS like hijacking and cache poisoning since DNS data is not encrypted or authenticated. It provides examples of how DNS works through a system of delegation from the root zone down. It explains how DNSSEC aims to address security but has limitations. The document demonstrates DNSSEC in action by showing signed responses from the root zone down to an example domain.
DNS DDoS Attack and Risk
1. DNS DDoS Analysis and Defense
2013. Sep. Sukbum Hong (antihong@gmail.com)
Please let me know if there is any error, question, or comment.
2. Page 1
Contents
• DNS Risks
• DNS DDoS Attack History
• DNS DDoS Attack Types and Defense
(1) Bandwidth Consuming attack
(2) Massive A type Query attack
(3) Massive other query type attack
(4) Amplification attack
open-resolver project
(5) Non-existent domain (NXDOMAIN) query attack
(6) RRL defense
• Conclusion
3. Page 2
What happens if DNS is attacked? Why is it a risk?
• Every service (web, e-mail, intranet) will be shut down if DNS is down
• All domains hosted on the DNS server will be impacted
-. Generally one DNS server serves several thousand domains together
• Hard to change the IP address once attacked
-. Generally the DNS TTL is 1 day or 2 days
-. Need to change the NAMEHOST (name server entries in whois) as well as the DNS A record
• Hard to defend because the DNS packet is simple
-. Impossible to distinguish legitimate traffic from illegitimate traffic
• Hard to defend because DNS runs over UDP
-. No protocol-based ACL
• Hard to block the source IP with rate-limit-based filtering
-. The attacker can spoof the source IP address
4. Page 3
“Operation Global Blackout” on 31st March :: 2012/03
http://pastebin.com/NKbnh8q8
The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follows; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query.
The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target IP. It is called amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers; instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.
5. Page 4
GoDaddy Outage Takes Down Millions of customer Sites :: 2012/09/10
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
http://www.wired.com/wiredenterprise/2012/09/godaddy-moves-to-verisign/
Amid Outage, GoDaddy Moves DNS to Competitor VeriSign
6. Page 5
Knocked Spamhaus offline with a 120Gbps or 300Gbps attack :: 2013/03/19
http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
Officially 120Gbps, Unofficially 300Gbps attack
7. Page 6
300Gbps almost broke the Internet?
http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet
There's an online attack underway.
The biggest in history??
Enough to slow down the Internet???
http://gizmodo.com/5992652/that-internet-war-apocalypse-is-a-lie
That Internet War Apocalypse Is a Lie
Just to put it in perspective the traffic estimates for the DDOS attack were as high as 300 Gbps at the target. That would easily overwhelm the average hosting center, but not a core component of the Internet. For example, DECIX, the German Internet exchange in Frankfurt, regularly handles 2.5 Tbps at peak on any given day:
http://www.de-cix.net/about/statistics/
While it may have severely affected the websites it was targeted at, the global Internet as a whole was not impacted by this localized incident.
8. Page 7
NetworkSolutions outage because of DNS DDOS attack
http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
Over 5,000 domains of NSI DNS customers, including linkedin.com, were changed to an unknown DNS server, ns1624.ztomy.com (204.11.56.20). NSI was in the process of moving to Prolexic to defend against the DDoS attack.
July 16, 2013
http://blogs.cisco.com/security/network-solutions-customer-site-compromises-and-ddos/
The linkedin.com homepage was redirected to a domain-sale homepage.
$ traceroute -q 1 ns1624.ztomy.com.
.......
15 209.200.136.34 (209.200.136.34) 118.578 ms
16 unknown.prolexic.com (72.52.18.126) 239.717 ms
17 204.11.56.20 (204.11.56.20) 235.350 ms
June 20, 2013
Service outage for 24 hours because of a DDoS attack
9. Page 8
Hosting Service outage :: June
:: Hosting Provider in Sydney
http://www.tppwholesale.com.au/support/service-alerts/more-information-recent-ddos-attacks
We took the drastic step of rate limiting DNS queries using the Arbor Pravail equipment to stem the flow of the attack, but due to the aggressive filtering nature there will be some false positives and some customers who will be denied services despite being legitimate users. This kind of rate limiting is not ideal or a long term solution and will result in some further inconvenience. Our long term strategy is to further cluster, load balance and segregate name services to provide greatly enhanced scale, fault tolerance and capacity. This had not been required prior to this attack.
:: DNS hosting provider based in Toronto
It was difficult to differentiate the real traffic from the DDoS traffic
“This is the ‘nightmare scenario’ for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it’s against easyDNS itself”
http://blog.easydns.org/2013/06/04/post-mortem-of-the-june-3-4th-ddos/
We can recommend DNSMadeEasy, DNSimple or No-Ip, then there's Route53 (our users had good results with easyRoute53 overnight).
:: DNS hosting Provider in Florida
“The attacker essentially flooded us with ‘ANY’ queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network.”
10. Page 9
.CN root DNS outage
8/25 (Sun) :: 00:00 DDoS attack on the .CN root DNS servers
02:00 Attack mitigated
04:00 DDoS attack again
01:00 Service recovered
No information about the attack size, attack method, etc.
cn. 172800 IN NS a.dns.cn.
cn. 172800 IN NS b.dns.cn.
cn. 172800 IN NS c.dns.cn.
cn. 172800 IN NS d.dns.cn.
cn. 172800 IN NS e.dns.cn.
cn. 172800 IN NS ns.cernet.net.
google.cn. 86400 IN NS ns2.google.com.
google.cn. 86400 IN NS ns3.google.com.
google.cn. 86400 IN NS ns1.google.com.
google.cn. 86400 IN NS ns4.google.com.
;; Received 109 bytes from 203.119.27.1#53(c.dns.cn) in 75 ms
Around 30% of .CN traffic was lost, even with long TTL caching.
How many LDNS (caching resolvers) lose their cached entry over time?
Assumption :: the number of LDNS is 0.1M (100,000); the table assumes cache ages are spread evenly over the TTL, so the share that expires after time t is t/TTL.
Elapsed    TTL 1 hour          TTL 1 day (24h)
1m         1,680 (1.7%)        70
2m         3,360               140
30m        50,000 (50%)        2,100
1h         100,000 (100%)      4,200 (4.2%)
11. Page 10
DNS DDoS Attack Types and Defense :: Bandwidth Consuming Attack
Packet-size-based filtering at the network level?
(Figure: 30Gbps and 20Gbps of attack traffic arriving at a 1Gbps-based network)
Solution 1 :: PBR (impossible in practice, as it eats too much router CPU)
Router(config)# access-list 111 remark "DNS PBR"
Router(config)# access-list 111 permit udp any host dns.ip.addr eq 53
Router(config)# route-map dnsddos permit 10
Router(config-route-map)# match ip address 111
Router(config-route-map)# match length 512 1500
Router(config-route-map)# set interface Null0
Router(config-if)# ip route-cache policy
Router(config-if)# ip policy route-map dnsddos
Flowspec rule from the CloudFlare outage post-mortem linked below (matching by destination, port and packet length):
route 173.X.X.X/32-DNS-DROP {
    match {
        destination 173.X.X.X/32;
        port 53;
        packet-length [ 99971 99985 ];
    }
    then discard;
}
http://blog.cloudflare.com/todays-outage-post-mortem-82515
-. Direct attack from zombies
-. Normal DNS traffic should be UDP, not TCP
   TCP :: zone transfers, or when the response is over 512 bytes
-. Defense :: distribute the DNS infrastructure
-. Defense :: packet-size-based filtering, if the attack volume is within the capacity of the infrastructure
-. Defense :: more efficient to filter the fragmented packets at the upstream ISP
12. Page 11
DNS DDoS Attack Types and Defense :: Massive A type Query Attack
1.2.3.4.59873 > 10.10.1.2.53: 53495+ A? www.example.com. (44)
2.3.4.5.46922 > 10.10.1.2.53: 20009+ A? www.example.com. (44)
3.4.5.6.59873 > 10.10.1.2.53: 33495+ A? www.example.com. (44)
4.5.6.7.46922 > 10.10.1.2.53: 40009+ A? www.example.com. (44)
............................
-. A kind of QPS (queries per second) attack
-. Direct attack from zombies
-. If the source IP is not spoofed, we can filter with a rate-limit-based policy
-. How to filter?
   If the source IP is randomly changed?
   And if the packet is exactly the same as normal query traffic?
Victim :: 1.1.1.1
(Figure: zombies and normal clients all ask "www.example.com IP address?"; how to differentiate an attack query from a normal query?)
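How a per-source rate limit behaves against this kind of flood, as an added Python example that is not part of the original slides: it parses tcpdump-style query lines in the format of the slide above (with timestamps as on page 13), flags sources that exceed a per-source threshold, and uses constructed log lines (the 203.0.113.x and 192.0.2.x addresses are RFC 5737 documentation ranges, not from the slides) to show that randomised source IPs evade the per-source check while the aggregate rate still reveals the flood.

```python
"""Per-source query-rate check for the massive A-query flood on page 11.

Added example, not part of the original slides. It parses tcpdump-style query lines,
counts queries per source IP in a sliding window and flags sources over a threshold,
the same idea as a per-source hitcount rule. The constructed samples show the limit the
slide raises: a flood that randomises its source IP never trips a per-source limit.
"""
import re
from collections import defaultdict, deque

# "HH:MM:SS.usec IP src.sport > dst.53: id+ TYPE? name. (len)"  (tcpdump -n with timestamps)
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.\d+ > (?P<dst>\d+(?:\.\d+){3})\.53: "
    r"\d+\+ (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \(\d+\)$"
)


def parse_line(line: str):
    """Return {ts, src, qtype, qname} for a query line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"ts": ts, "src": m["src"], "qtype": m["qtype"], "qname": m["qname"]}


def flooding_sources(lines, window=1.0, threshold=20):
    """Sources that sent more than `threshold` queries inside any `window`-second span."""
    recent = defaultdict(deque)     # source IP -> timestamps still inside the window
    flagged = set()
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        stamps = recent[q["src"]]
        stamps.append(q["ts"])
        while stamps and q["ts"] - stamps[0] > window:
            stamps.popleft()
        if len(stamps) > threshold:
            flagged.add(q["src"])
    return flagged


def peak_qps(lines, window=1.0):
    """Most queries seen in any `window`-second span regardless of source (what the server feels)."""
    stamps = deque()
    peak = 0
    for line in lines:
        q = parse_line(line)
        if q is None:
            continue
        stamps.append(q["ts"])
        while stamps and q["ts"] - stamps[0] > window:
            stamps.popleft()
        peak = max(peak, len(stamps))
    return peak


def make_sample_lines(sources, count, start=70694.0, step=0.01):
    """Constructed log lines (not a capture): `count` A queries for www.example.com cycling over `sources`."""
    lines = []
    for i in range(count):
        t = start + i * step                     # 70694.0 s after midnight = 19:38:14
        hours, rem = divmod(t, 3600)
        minutes, secs = divmod(rem, 60)
        src = sources[i % len(sources)]
        lines.append("%02d:%02d:%09.6f IP %s.%d > 10.10.1.2.53: %d+ A? www.example.com. (44)"
                     % (hours, minutes, secs, src, 40000 + i, (53495 + i) % 65536))
    return lines


# One source repeating, versus 200 distinct sources (RFC 5737 range), versus a normal trickle.
FIXED_SOURCE_FLOOD = make_sample_lines(["1.2.3.4"], 200)
RANDOM_SOURCE_FLOOD = make_sample_lines(["203.0.113.%d" % i for i in range(1, 201)], 200)
NORMAL_LOAD = make_sample_lines(["192.0.2.10", "192.0.2.11"], 6, step=0.3)

if __name__ == "__main__":
    for label, lines in (("fixed source", FIXED_SOURCE_FLOOD), ("random source", RANDOM_SOURCE_FLOOD),
                         ("normal load", NORMAL_LOAD)):
        print("%-14s peak %3d q/s, flagged sources: %s"
              % (label, peak_qps(lines), sorted(flooding_sources(lines))))
```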
13. Page 12
DNS DDoS Attack Types and Defense :: other Query type Attack
$ dig anonsc.com any
anonsc.com. IN A 123.45.67.59
anonsc.com. IN A 123.45.67.60
anonsc.com. IN A 123.45.67.61
anonsc.com. IN A 123.45.67.62
……………….
;; MSG SIZE rcvd: 3271
Ex: Direct attack case
Ex: Amplification attack case
14. Page 13
tcpdump example of an ANY query
$ tcpdump -X port 53 -n (or tshark port 53 -n -x)
19:38:14.172255 IP 114.xx.xx.xx.60249 > 61.110.xxx.xxx.domain: 22765+ ANY? cdnetworks.co.kr. (34)
0x0000: 4500 003e 0000 4000 3311 9310 726f 3e14 E..>..@.3...ro>.
0x0010: 3d6e c6ad eb59 0035 002a fb7f 58ed 0100 =n...Y.5.*..X...
0x0020: 0001 0000 0000 0000 0a63 646e 6574 776f .........cdnetwo
0x0030: 726b 7302 636f 026b 7200 00ff 0001 rks.co.kr.....
In the table below, the first four hex digits are the query type (0001 = A record) and the last four the class (0001 = IN):
TYPE    HEX (QTYPE + QCLASS)
A       00010001
ANY     00ff0001
MX      000f0001
NS      00020001
PTR     000c0001
SOA     00060001
AAAA    001c0001
TXT     00100001
HINFO   000d0001
# iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string '|00FF0001|' -m recent --set --name dnsany
# iptables -A INPUT -p udp --dport 53 -m string --algo bm --hex-string '|00FF0001|' -m recent --name dnsany --rcheck --seconds 60 --hitcount 5 -j DROP
The first rule records every source sending an ANY query in the "dnsany" list; the second drops a source once it has sent 5 ANY queries within 60 seconds.
The default size of the ipt_recent table (ip_list_tot) is 100 entries, so raise it in advance:
# rmmod ipt_recent
# modprobe ipt_recent ip_list_tot=4095
15. Page 14
Distributed reflective, amplified attack
Victim :: 1.1.1.1
re.vr.lt DNS server :: 2.2.2.2
On command, zombies send massive spoofed queries as if the source IP were the victim
  Source :: 1.1.1.1:53 (or 1024~) / Dst :: open resolver:53
The open resolvers send massive responses to the victim
  Source :: open_resolver:53 / Dst :: 1.1.1.1:53 (or 1024~)
Prepare a big response packet in advance
$ dig re.vr.lt txt           (query: 60 bytes)
;; MSG SIZE rcvd: 4000 (bytes), i.e. x ~70 times amplification
16. Page 15
Distributed reflective, amplified attack
(Figure: packets generated by the zombie PC toward the resolver DNS, and the packets seen from the victim side arriving from the resolver DNS at the victim IP)
18. Page 17
Distributed reflective, amplified attack
# tcpdump -w dns.pcap -nn host 96.31.66.143
Only 1st response is DNS and the rests are Fragmented UDP packets
Using EDNS0 (Extension Mechanism for DNS) :: rfc2671
A DNS requester can use EDNS0 (Extension Mechanisms for DNS), defined in RFC 2671, to advertise its UDP packet size and so make use of packet transfers larger than the original DNS limit on UDP packet size of 512 octets (RFC 1035). When a DNS server receives a request over the UDP transport layer, it checks the requester's UDP packet size in the OPT RR (resource record) and sizes its response so that it includes as many resource records as the maximum UDP packet size specified by the requester allows.
$ man dig
+bufsize=B
Set the UDP message buffer size advertised using EDNS0 to B bytes. The maximum and
minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are
rounded up or down appropriately.
19. Page 18
Distributed reflective, amplified attack
http://dns.measurement-factory.com/surveys/openresolvers/ASN-reports/latest.html
http://www.chaz6.com/files/resolv.conf :: list of public ipv4/ipv6 dns cache servers
152,600 x Open Resolver !!!
http://openresolverproject.org/breakdown.cgi
2013-09-01 results
27,166,819 gave the correct answer to the A? for the DNS name queried
152,600 x 4,000 byte x 8(bit) = 4.8Gbps??
http://openresolverproject.org/searchby-asn.cgi?search?asn=XXXX ASN
Assumption ::
if one zombie can query 152,600 open resolvers in a second,
and if each open resolver generates a 4,000 byte answer,
then one DNS query per resolver becomes 4.8Gbps of traffic
20. Page 19
How to filter at each Backbone/Access level?
[Figure: BackBone NET level (20Gbps / 40Gbps links) and Access NET level, with an Access Control List in front of the Auth. DNS servers (ns1/ns2..)]
• Filtering big-size UDP packets sent toward the DNS server
• Access Control based on Source Port and Destination Port (Src:53 / Dst:53 ??)
• Access Control filtering for fragmented packets
• Source IP validation
• SRC based rate-limit
• Signature based filtering
21. Page 20
Signature Based Filtering against Amplification
How to filter when we receive massive response packets, i.e. an amplification attack?
In the packet dump, the QUESTION/ANSWER count fields read 00010000, which means Questions: 1, Answer RRs: 0.
These two counters sit at bytes 32-35 of the IP packet (20 byte IPv4 header + 8 byte UDP header + 4 bytes of DNS ID and flags), and --to marks the end of the search window, so the 4-byte pattern needs the window 32..36:
$ iptables -A INPUT -p udp --dport 53 -m string --algo bm --from 32 --to 36 --hex-string ! '|00010000|' -j DROP
# iptables -m string -h
string match options:
--from Offset to start searching from
--to Offset to stop searching
--algo Algorithm
[!] --string string Match a string in a packet
[!] --hex-string string Match a hex string in a packet
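As an added example (not code from the slides), the Python script below parses the ANY query shown in the tcpdump -X output on slide 13 and reproduces the two signature checks the iptables rules rely on: the 4-byte QTYPE+QCLASS pattern (00ff0001 for ANY, 001c0001 for AAAA, and so on) that the --hex-string rules match, and the QDCOUNT/ANCOUNT bytes at IP-packet offsets 32-35 that distinguish a genuine query header from a reflected response. It also models the -m recent --set / --rcheck --hitcount rule pair. The packet bytes are transcribed from the slide; the RecentHitLimiter class and all function names are this example's own.

```python
import struct
from collections import deque, namedtuple

# The ANY query from the tcpdump -X output (IP header onward, 62 bytes),
# transcribed here as constructed test input for this example.
ANY_QUERY_PKT = bytes.fromhex(
    "4500003e0000400033119310726f3e14"
    "3d6ec6adeb590035002afb7f58ed0100"
    "00010000000000000a63646e6574776f"
    "726b7302636f026b720000ff0001"
)

QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 13: "HINFO",
               15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}

# header_offset: byte offset of the DNS header inside the IP packet
# qtype_offset:  byte offset of the QTYPE+QCLASS signature
DnsSummary = namedtuple("DnsSummary", "src dst sport dport txid flags qdcount "
                        "ancount qname qtype qclass header_offset qtype_offset")


def parse_ip_udp_dns(pkt: bytes) -> DnsSummary:
    """Walk IPv4 -> UDP -> DNS header -> first question; offsets count from the IP header, as iptables does."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not a UDP packet")
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, _ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    dns_off = ihl + 8
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[dns_off:dns_off + 12])
    pos = dns_off + 12
    labels = []
    while True:                      # QNAME is a sequence of length-prefixed labels
        ln = pkt[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return DnsSummary(src, dst, sport, dport, txid, flags, qd, an,
                      ".".join(labels), qtype, qclass, dns_off, pos)


def hex_signature(qtype: int, qclass: int = 1) -> str:
    """The 4-byte QTYPE+QCLASS pattern the --hex-string rules look for."""
    return f"{qtype:04x}{qclass:04x}"


def is_any_query(s: DnsSummary) -> bool:
    return s.qtype == 255 and s.qclass == 1


def counts_window(s: DnsSummary) -> tuple:
    """--from/--to window covering QDCOUNT+ANCOUNT (end offset is exclusive)."""
    start = s.header_offset + 4
    return start, start + 4


def header_looks_like_query(s: DnsSummary) -> bool:
    """QDCOUNT 1, ANCOUNT 0 and QR bit clear: what a genuine query looks like."""
    return s.qdcount == 1 and s.ancount == 0 and not s.flags & 0x8000


class RecentHitLimiter:
    """Models the rule pair on slide 13: every matching packet is recorded
    (-m recent --set) and is dropped once the source has sent at least
    `hitcount` matching packets inside the last `seconds` (--rcheck)."""

    def __init__(self, seconds: int = 60, hitcount: int = 5):
        self.seconds, self.hitcount = seconds, hitcount
        self.hits = {}                       # source IP -> deque of timestamps

    def should_drop(self, src: str, now: float) -> bool:
        q = self.hits.setdefault(src, deque())
        q.append(now)                        # --set records this packet too
        while q and now - q[0] > self.seconds:
            q.popleft()                      # forget hits outside the window
        return len(q) >= self.hitcount


if __name__ == "__main__":
    s = parse_ip_udp_dns(ANY_QUERY_PKT)
    print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} id={s.txid} {s.qname} "
          f"{QTYPE_NAMES.get(s.qtype, s.qtype)} signature={hex_signature(s.qtype, s.qclass)} "
          f"at offset {s.qtype_offset}, counts window {counts_window(s)}")
```

Note that the hex-string rules search the whole packet for the 4-byte pattern, so a query whose name happens to contain those bytes matches as well; the offsets computed here are what a --from/--to window needs to pin the match to the header or the question type field.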
22. Page 21
Massive QUERY for $RANDOM.domain.com :: Non-Existent host
Objective :: The DNS server spends its time searching for something that doesn't exist instead of serving legitimate requests.
The result is that the cache on the DNS server gets filled with bad requests, and clients can't find the servers they are looking for.
• source IP based rate-limit, if the source IP is not spoofed
• query type (ANY, TXT, CNAME, etc.) based rate-limit or filtering
• still a problem if the attack uses the standard A query type with spoofed random source IPs
NXDOMAIN query attack
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 170.160.126.199#1234: query (cache) 'www.ceyxyl.biz/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 172.105.101.71#1234: query (cache) 'www.tcgexy.org/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 177.112.102.240#1234: query (cache) 'www.etueqt.org/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 59.34.42.184#1234: query (cache) 'www.nisyjr.com/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 93.3.157.3#1234: query (cache) 'www.inrxpx.biz/A/IN'
23. Page 22
http://www.redbarn.org/dns/ratelimits :: default function in BIND on CentOS 6.x since 2013.
http://ss.vix.su/~vjs/rl-arm.html
rate-limit {
[ responses-per-second number ; ]
[ referrals-per-second number ; ]
[ nodata-per-second number ; ]
[ nxdomains-per-second number ; ]
[ errors-per-second number ; ] // SERVFAIL, FORMERR excluding nxdomains
[ all-per-second number ; ] // normally at least 4~5 times bigger than other value
[ window number ; ]
[ log-only yes_or_no ; ]
[ qps-scale number ; ] // responses-per-second, errors-per-second, nxdomains-per-second and all-per-second values are reduced by the ratio
[ ipv4-prefix-length number ; ] // default is /24, needs to be changed to /32
[ slip number ; ]
}
e.g. with qps-scale 250; responses-per-second 20; and a total query rate of 1000 queries/second for all queries from all DNS clients (including via TCP), the effective responses/second limit changes to (250/1000)*20 = 5. Responses sent via TCP are not limited but are counted when computing the queries-per-second rate.
RRL(Response Rate Limiting) defense
24. Page 23
--- named.conf ---
rate-limit {
nxdomains-per-second 1;
ipv4-prefix-length 32;
slip 2;
};
RRL(Response Rate Limiting) defense
1 CLIENT -> SERVER DNS Standard query A 0.809928333227621.example.com
2 SERVER -> CLIENT DNS Standard query response, No such name
3 CLIENT -> SERVER DNS Standard query A 0.990417249591218.example.com
4 SERVER -> CLIENT DNS Standard query response
5 CLIENT -> SERVER TCP 41702 > 53 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3124747279 TSER=0 WS=7
6 SERVER -> CLIENT TCP 53 > 41702 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 TSV=3737413786 TSER=3124747279 WS=6
7 CLIENT -> SERVER TCP 41702 > 53 [ACK] Seq=1 Ack=1 Win=5888 Len=0 TSV=3124747282 TSER=3737413786
8 CLIENT -> SERVER DNS Standard query A 0.990417249591218.example.com
9 SERVER -> CLIENT TCP 53 > 41702 [ACK] Seq=1 Ack=50 Win=14528 Len=0 TSV=3737413788 TSER=3124747282
10 SERVER -> CLIENT DNS Standard query response, No such name
11 CLIENT -> SERVER TCP 41702 > 53 [ACK] Seq=50 Ack=110 Win=5888 Len=0 TSV=3124747284 TSER=3737413788
12 CLIENT -> SERVER TCP 41702 > 53 [FIN, ACK] Seq=50 Ack=110 Win=5888 Len=0 TSV=3124747284 TSER=3737413788
13 SERVER -> CLIENT TCP 53 > 41702 [FIN, ACK] Seq=110 Ack=51 Win=14528 Len=0 TSV=3737413791 TSER=3124747284
14 CLIENT -> SERVER TCP 41702 > 53 [ACK] Seq=51 Ack=111 Win=5888 Len=0 TSV=3124747287 TSER=3737413791
Packets 5-7 :: 3 way handshake
Packets 11-14 :: 4 way handshake (connection close)
Packet 4 :: Truncated: Message is truncated (TC bit set, client retries over TCP)
Jul 1 14:11:10 SERVER named-sdb[15282]: limit responses to xx.xx.xx.xx/32 for xxxx.com IN A (00014672)
http://www.circleid.com/posts/20130820_a_question_of_dns_protocols/
17% of visible resolvers do not successfully follow up with a TCP connection after receiving a truncated UDP response.
There is also a performance issue.
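The rate-limit semantics above (per-second credit per client prefix, qps-scale, slip) and the NXDOMAIN trace on slide 23 can be modelled in a few lines. The Python below is an added example, not BIND's rrl.c: a simplified token-bucket model of RRL, fed with named query-log lines in the format of slide 21 (the first five lines are the slide's own, the last two are constructed to show a repeating client) under the assumption that every such query produces an NXDOMAIN response. The RrlConfig/Rrl names and the effective_limit helper are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# named query-log lines in the slide 21 format; the last two are constructed.
QUERY_LOG = """\
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 170.160.126.199#1234: query (cache) 'www.ceyxyl.biz/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 172.105.101.71#1234: query (cache) 'www.tcgexy.org/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 177.112.102.240#1234: query (cache) 'www.etueqt.org/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 59.34.42.184#1234: query (cache) 'www.nisyjr.com/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 93.3.157.3#1234: query (cache) 'www.inrxpx.biz/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 170.160.126.199#1234: query (cache) 'www.qzplmw.biz/A/IN'
Nov 21 09:09:58 s332-kt9-sel named[4942]: client 170.160.126.199#1234: query (cache) 'www.kjhrtd.net/A/IN'
"""

LOG_RE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ named\[\d+\]: client (\S+)#\d+: "
                    r"query \(cache\) '([^/]+)/(\w+)/(\w+)'")


def parse_query_log(text: str) -> list:
    """Return (second_of_day, client_ip, qname) for each query line."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hh, mm, ss, ip, name, _qtype, _qclass = m.groups()
            out.append((int(hh) * 3600 + int(mm) * 60 + int(ss), ip, name))
    return out


@dataclass
class RrlConfig:
    responses_per_second: int = 0   # 0 = not limited (as in the named.conf above)
    nxdomains_per_second: int = 1
    window: int = 15
    ipv4_prefix_length: int = 32
    slip: int = 2


def effective_limit(rate: int, total_qps: int, qps_scale: int) -> int:
    """qps-scale: above qps_scale queries/s every per-second limit is scaled by
    qps_scale/total_qps, e.g. (250/1000)*20 = 5 for the example on slide 22."""
    if qps_scale and total_qps > qps_scale:
        return rate * qps_scale // total_qps
    return rate


class Rrl:
    """Token-bucket model: one bucket per (client prefix, response kind); each
    second adds `rate` credits up to window*rate; a response costs one credit.
    Out of credit, the response is dropped, except that with slip N every N-th
    limited response is sent truncated so genuine clients retry over TCP."""

    def __init__(self, cfg: RrlConfig):
        self.cfg = cfg
        self.buckets = {}   # (prefix, kind) -> [credit, last_second, slip_count]

    def _prefix(self, ip: str) -> str:
        return str(ipaddress.ip_network(f"{ip}/{self.cfg.ipv4_prefix_length}", strict=False))

    def decide(self, client_ip: str, kind: str, second: int) -> str:
        rate = {"nxdomain": self.cfg.nxdomains_per_second,
                "response": self.cfg.responses_per_second}[kind]
        if rate == 0:
            return "send"                        # this kind is not limited
        b = self.buckets.setdefault((self._prefix(client_ip), kind), [rate, second, 0])
        cap = rate * self.cfg.window
        b[0] = min(cap, b[0] + rate * (second - b[1]))   # credit earned since last seen
        b[1] = second
        b[0] -= 1
        if b[0] >= 0:
            return "send"
        b[0] = max(b[0], -cap)                   # bound the debt (design choice of this model)
        if self.cfg.slip == 0:
            return "drop"
        verdict = "truncate" if b[2] == 0 else "drop"
        b[2] = (b[2] + 1) % self.cfg.slip
        return verdict


def simulate_nxdomain_log(text: str, cfg: RrlConfig) -> dict:
    """Treat every logged query as yielding an NXDOMAIN and return {client: [verdicts]}."""
    rrl = Rrl(cfg)
    verdicts = {}
    for second, ip, _name in parse_query_log(text):
        verdicts.setdefault(ip, []).append(rrl.decide(ip, "nxdomain", second))
    return verdicts
```

Running simulate_nxdomain_log over the sample shows the limitation the slides point out: only the client that repeats (170.160.126.199) is limited (send, truncate, drop), while the five single-shot sources all get their answer, which is what a flood spread over randomly spoofed source addresses looks like to a per-prefix limiter. Widening ipv4-prefix-length to /24 makes neighbouring sources share one bucket, at the cost of also throttling genuine clients behind the same prefix.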
25. Page 24
Anycast based Distribution
http://www.root-servers.org/ j.root-servers.net(192.58.128.30)
Google case:8.8.8.8
On the Internet, anycast is usually implemented by using
BGP to simultaneously announce the same destination IP
address range from many different places on the Internet.
This results in packets addressed to destination addresses
in this range being routed to the "nearest" point on the net
announcing the given destination IP address.
excerpted from Wikipedia.org
26. Page 25
Conclusion :: Technical Requirements for DNS DEFENSE
• Tolerant against massive QPS attacks (~Mqps)
• Pass only valid DNS packets
• Rate-limit per query type
• IP rate-limit based on source IP or query type, etc.
• Filter bad flag combinations
• Filter multiple request types in a packet
• Filter based on packet size (length, range)
• Source IP validation
• Using multiple DNS providers
• No solution against the massive standard Query with randomly spoofed IP addresses