This document discusses analyzing DNS data to detect DNS-based distributed denial-of-service (DDoS) attacks. It finds that random subdomain attacks and attacks using open home gateways and bot malware are increasingly common. These attacks strain DNS resolvers and authoritative servers by generating large volumes of recursive queries with randomized subdomains. The document recommends filtering DNS traffic at the ingress of resolvers to minimize workload and stress, while still allowing legitimate queries by using near-real-time blocklists and whitelisting valid subdomains for popular domains.

1. Harness Your Internet Activity

2. Drilling Down into DDoS
APRICOT 2015
Fukuoka, Japan
Bruce Van Nice

3. • 2 Terabytes of data analyzed per day
– Anonymized from ISPs worldwide
– Estimate about 3% of ISP DNS resolver traffic
• Team of data scientists
• Algorithms searching for:
– DDoS
– Bots
– Malware
– Machine generated traffic
– Etc
3
Nominum Research

4. • DNS-based DDoS attacks increasing
– DNS Amplification
– Random subdomain attacks – focus of this presentation
• Attack vectors
– Open home gateways
– NEW - Bot malware
• Stress on DNS worldwide
4
Introduction

5. 5
DNS Queries – One Day’s Data 02/09/15
88%
12%
DNS Queries
"Good" Queries
Malicious Queries
80%
15%
5%
Malicious Queries
Random Subdomain
Amplification
Bot Command & Control

6. 6
Random Subdomain Attack Trends
2014 Data

7. 7
Random Subdomain Attacks
RANDOM TARGET NAME
Example query:
wxctkzubkb..liebiao.800fy.com
• Queries with random subdomains - answer NXD
• Lots of work for resolvers - recursion
• Lots of works for authoritative servers - large spikes

8. nbpdestuvjklz.pay.shop6996.com.
1lHecqrP.xboot.net.
hxdfmo.iyisa.com.
a6ca.cubecraft.net.
8
Different Kinds of “Random”
Different Random Label Patterns = Different Attacks

9. Alexa 1000 Names Rank
baidu.com. 5
blog.sina.com.cn. 13
xlscq.blog.163.com. 56
amazon.co.uk. 65
www.bet365.com. 265
www.lady8844.com. 389
d3n9cbih5qfgv5.cloudfront.net. 458
www.appledaily.com.tw. 565
asus.com. 702
9
Popular Names are Attacked
Attacks on popular names
must be handled carefully:
Fine Grained Policy, Whitelists
About 9% of names attacked are popular

10. Attack on asus.com (computers and phones)
– 190 legitimate subdomains
Attack on mineplex.com (minecraft gaming site)
– 78 legitimate subdomains
~ 2% of queries are to legitimate subdomains
10
Need to Protect Good Traffic to Popular Domains

11. Attacks Using Open DNS Proxies
1
Internet
Query with
randomized
subdomains
2
Authoritative
ServerCompromised
hosting
Recursive
queries
Open DNS Proxy
(Home Gateway)
3
NXD
responses
ISP
Target
Web Site
Attacks Using Open DNS Proxies
ISP
Resolver

12. 12
Open Resolvers in Asia Pacific

13. -
5
10
15
20
25
30
Millions
Open Resolvers
13
Open Resolvers Are Declining
Feb 13 2014 Jan 28 2015
Open Resolver Project Data
Actual
Trend

14. Attacks Using Bots
Internet
2
Authoritative
Server
Recursive
queries
Bot infected
devices
3
NXD
responses
ISP
Target
Web Site
ISP
ResolverQueries
with randomized
subdomains
1

15. 1. Bots scan networks for home gateways or
other vulnerable devices
2. Attempt to login with default passwords
3. Load malware on gateway
4. Malware sends huge volumes of specially
crafted DNS queries
15
What’s Happening?
Other vectors are possible:
Bots with loaders
Rompager

16. 16
Bots are Everywhere! 02/09/15
Threat Type Query Count
Spybot 1,679,616
Vobfus 925,323
Nitol 883,376
Gamarue 878,672
VBInject 864,944
Spambot 613,449
Ramnit 418,984
Bladabindi 90,486
Palevo 60,324
Sdbot 59,314
Threat Type Query Count
Dorkbot 52,935
Morto 35,912
Sality 35,711
Virut 32,027
SMSsend 16,000
Jeefo 14,645
Gbot 11,853
GameOver 9,407
Phorpiex 5,875
Buzus 5,123
Bots that can install additional software
on a compromised host

17. 17
“Things” Generate Intense Attack Traffic
0
2
4
6
8
10
Millions
Query Counts from Attacking IPs
One hours data – APAC provider network
# IPs involved in attack
1 206
200 IPs sourced ~83M queries
15 IPs sourced ~61M queries
1 IP sourced ~ 9M queries

18. 18
2 Days Attack Data
0
75
150
225
300
Number of IPs used in attack per hour
Nov 16
19:00
Nov 18
8:00

19. 19
Example Attack Data
0%
20%
40%
60%
80%
Attack Queries as a Percentage of Total Traffic
Nov 16
19:00
Nov 18
8:00
70% of queries
from attack

20. 20
Why These Attacks Hurt
Border
Home
Gateway
Resolver Authority
Spoofed IP
Query (UDP):
Ivatsnkb.web.pay1.cn
Proxy query,
translate IP
Recursion
NXD
NXD
NXD
Spoofed IP
Proxy query,
translates IP
Spoofed IP
Query (UDP):
Ivatsnkb.web.pay1.cn
Proxy query,
translate IP
Recursion
Truncate
Bad Case
Worse Case
Response
Rate
Limiting
Retry TCP
NXD
NXD
NXD
Proxy query,
translates IP
Spoofed IP
Attacker

21. 21
Response Rate Limiting can Aggravate
Proxy query,
translate IP
Recursion
Truncate
Response
Rate
Limiting
Border
Home
Gateway
Resolver AuthorityAttacker
Retry TCP
Authority
Fails
High traffic
with
TCP overhead
Resolver doesn’t
get responses,
tries new Authorities,
cascading failures
Spoofed IP
Randomized queries
Resolver stress
TCP overhead

22. • Every RSD requires recursion
• “Normal” incoming queries are 80% cached
• Equivalent load is:
1/(1- 0.8) = 5
• For 8,000 QPS of attack traffic equivalent load is:
8,000 x 5 = 40,000 QPS
22
Some Simple Math
Very rough estimate of additional workload

23. • Attacks on popular domains complicate filtering
• Home Gateways mask spoofed source IP
• Bots operate wholly within provider networks
– Filtering DNS at borders won’t work
• Observed tendency for cascading failures
• RRL by authorities increases work for resolvers &
authorities
– This seems to have gone away for now
23
Attacks Cause Many Problems

24. • Block bad traffic at ingress to resolvers
– Minimize work
– Eliminate stress on entire DNS hierarchy
• Near-real time block lists and fine grained policy
– Protect good traffic - whitelist legitimate labels for “core”
domains
24
Solution

25. • New generation of DNS Based DDoS
• Open Home Gateways remain a problem
• Malware based exploits create broad exposure
• Filter DNS traffic at ingress to resolvers
– Protect good queries – fine grained filters
– Drop bad queries – protect resolvers, authorities and
targets
25
Summary