AlbaniaDreamin24 - How to easily use an API with Flows
Mitigating DNS Amplification Attacks At The DNS Server Using BGP AS Paths and Ingress Filtering
1. Mitigating DNS Amplification Attacks
At The DNS Server Using BGP AS Paths and Ingress
Filtering
Team members
Christian Agala Bassey
Francis Timilehin Jeremiah
Rustem Iuzlibaev
2. Presentation Layout
● Background and Statement of Problem
● Goals
● Related Studies Reviewed
● Project infrastructure/Architecture
● Implementation
● Solutions
● Conclusion
● References
3. Background and Statement of the Problem
● DNS Amplification attacks are a form of DDOS attacks utilizing DNS servers.
● The goal is usually to exhaust victim resources and render victim network infrastructure unusable.
Problems
● The bulk of protection from these sort of DDOS attacks lie on the victim.
● A DNS server that participates in an amplification attack can be blacklisted in the victim’s network.
What if the amplifying server does not respond to malicious requests?
4. Goals
Finding innovative ways to mitigate DNS Amplification attacks especially exploring BGP.
Combining two approaches: uRPF and AS Paths
Anti-spoofing prevention via ingress packet filtering
5. Related Studies Reviewed
● Detecting DNS Amplification Attacks - Kambourakis et. al. (2007) - Record outgoing request and
incoming response pairs (Victim End)
● Preventing DNS Amplification Attacks Using the History of DNS Queries with SDN - Kim et. al.
(2017) - Use SDN to store DNS queries histories to use in differentiating legitimate and malicious
DNS responses (Victim End)
● Stopping Amplified DNS DDoS Attacks through Distributed Query Rate Sharing - Verma et. al,
Query rate sharing between the victim and DNS resolvers (DNS server infra)
● On the use of BGP AS numbers to detect spoofing - Vaidyanathan et. al. (2010) - Use BGP AS
numbers and their prefixes to generate an expected incoming AS path to detect spoofed packet.
(DNS server infra)
8. Implementation - DDOS Script
#Python Script
from scapy.all import *
while True:
target = "10.15.0.1" # Target host
nameserver = "10.10.2.1" # DNS server
ip = IP(src=target, dst=nameserver)
udp = UDP(dport=53)
dns = DNS(rd=1, qdcount=1, qd=DNSQR(qname="st4.inno-sne.ru", qtype=255))
request = (ip/udp/dns)
send(request)
9. Implementation (Packet Capture Legitimate Req)
Features:
● Request type is specific (user knows what he is looking for)
● Request is solicited
● Response size is 130 bytes
10.
11. Implementation (Packet Capture Malicious Req)
Features:
● Request type is ANY (to get a large response) 271 bytes
● Unsolicited is set to true
● Comes in Via interface ether3, leaves via ether2
12.
13. Solutions
Assumption: Packets from the same AS transverse the same last hop AS before entering the destination
AS
● Implement snort inline with a rule to detect packets of request type any
alert tcp any any -> $HOME_NET 53 (msg:"Posible spoofed request"; content:"|00 ff|"; sid:1000003;
rev:1;)
● Determine the AS path of the IP prefix in the request packet
ip route print detail where dst-address=10.15.0.0/24
14. Solutions
● Implement ingress filtering
ip firewall filter add chain=forward action=drop src-address=!10.15.0.0/24 in-interface=!ether2
dst-port=53 protocol=udp
● Implement Unicast Reverse Path Forwarding (uRPF)
ip settings set rp-filter=strict
● Shut down the DNS server
18. Results attained
● Implementation of continuous packet flow with dropped mechanism in
front of edge device of the DNS network
● Detection of DNS-spoofed packets via snort
● Implementing Unicast Reverse Path Forwarding (uRPF)
● Implementing firewall filter rules for spoofed DNS packets
19. Conclusion
● Triggering spoofed packets detections was successful using snort
● We successfully matched the AS paths to the victim IP address
● We successfully implemented ingress filtering for spoofed packets.
● This method will be a little manpower intensive as snort has to trigger
an alert then implement on the firewall rule filter
20. References
● G. Kambourakis, T. Moschos, D. Geneiatakis, S. Gritzalis, (2007) Detecting DNS Amplification
Attacks.
https://www.researchgate.net/publication/220816528_Detecting_DNS_Amplification_Attacks
● Kim S., Lee S., Cho G., Ahmed M.E., Jeong J.., Kim H. (2017) Preventing DNS Amplification Attacks
Using the History of DNS Queries with SDN. https://doi.org/10.1007/978-3-319-66399-9_8
(Accessed December 7, 2020)
● R. Vaidyanathan, A. Ghosh and Y. Cheng, A. Yamada and Y. Miyake, On the use of BGP AS numbers
to detect spoofing, http://intrusion-detection.org/papers/Ravi10BGPSpoofDetection.pdf
● A. Ghosh et al “InFilter: Predictive Ingress Filtering to Detect Spoofed IP Traffic”,
https://patents.google.com/patent/US8925079