Drilling Down Into DNS DDoS

  1. Harness Your Internet Activity
  2. Drilling Down into DDoS. APRICOT 2015, Fukuoka, Japan. Bruce Van Nice
  3. Nominum Research
     - 2 Terabytes of data analyzed per day
       - Anonymized from ISPs worldwide
       - Estimate about 3% of ISP DNS resolver traffic
     - Team of data scientists
     - Algorithms searching for:
       - DDoS
       - Bots
       - Malware
       - Machine generated traffic
       - Etc.
  4. Introduction
     - DNS-based DDoS attacks increasing
       - DNS Amplification
       - Random subdomain attacks (focus of this presentation)
     - Attack vectors
       - Open home gateways
       - NEW: Bot malware
     - Stress on DNS worldwide
  5. DNS Queries – One Day’s Data (02/09/15)
     - All DNS queries: 88% "Good" queries, 12% malicious queries
     - Malicious queries: 80% random subdomain, 15% amplification, 5% bot command & control
  6. Random Subdomain Attack Trends (chart, 2014 data)
  7. Random Subdomain Attacks
     - Example query: wxctkzubkb..liebiao.800fy.com (RANDOM label followed by the TARGET NAME)
     - Queries with random subdomains: answer NXD
     - Lots of work for resolvers: recursion
     - Lots of work for authoritative servers: large spikes
  8. Different Kinds of “Random”
     - nbpdestuvjklz.pay.shop6996.com.
     - 1lHecqrP.xboot.net.
     - hxdfmo.iyisa.com.
     - a6ca.cubecraft.net.
     - Different random label patterns = different attacks
  9. Popular Names are Attacked
     - About 9% of names attacked are popular (Alexa 1000)
     - Attacks on popular names must be handled carefully: fine grained policy, whitelists

     | Name | Alexa Rank |
     | --- | --- |
     | baidu.com. | 5 |
     | blog.sina.com.cn. | 13 |
     | xlscq.blog.163.com. | 56 |
     | amazon.co.uk. | 65 |
     | www.bet365.com. | 265 |
     | www.lady8844.com. | 389 |
     | d3n9cbih5qfgv5.cloudfront.net. | 458 |
     | www.appledaily.com.tw. | 565 |
     | asus.com. | 702 |

  10. Need to Protect Good Traffic to Popular Domains
      - Attack on asus.com (computers and phones): 190 legitimate subdomains
      - Attack on mineplex.com (Minecraft gaming site): 78 legitimate subdomains
      - ~2% of queries are to legitimate subdomains
  11. Attacks Using Open DNS Proxies (diagram)
      - Step 1: queries with randomized subdomains arrive from the Internet at an open DNS proxy (home gateway) in the ISP network, which forwards them to the ISP resolver
      - Step 2: recursive queries to the authoritative server (compromised hosting / target web site)
      - Step 3: NXD responses
  12. Open Resolvers in Asia Pacific (figure)
  13. Open Resolvers Are Declining
      - Chart: millions of open resolvers (actual and trend), Feb 13 2014 to Jan 28 2015; Open Resolver Project data
  14. Attacks Using Bots (diagram)
      - Step 1: bot-infected devices inside the ISP network send queries with randomized subdomains to the ISP resolver
      - Step 2: recursive queries to the authoritative server (target web site)
      - Step 3: NXD responses
  15. What’s Happening?
      1. Bots scan networks for home gateways or other vulnerable devices
      2. Attempt to login with default passwords
      3. Load malware on gateway
      4. Malware sends huge volumes of specially crafted DNS queries
      - Other vectors are possible: bots with loaders, Rompager
  16. Bots are Everywhere! (02/09/15)
      - Bots that can install additional software on a compromised host

      | Threat Type | Query Count |
      | --- | --- |
      | Spybot | 1,679,616 |
      | Vobfus | 925,323 |
      | Nitol | 883,376 |
      | Gamarue | 878,672 |
      | VBInject | 864,944 |
      | Spambot | 613,449 |
      | Ramnit | 418,984 |
      | Bladabindi | 90,486 |
      | Palevo | 60,324 |
      | Sdbot | 59,314 |
      | Dorkbot | 52,935 |
      | Morto | 35,912 |
      | Sality | 35,711 |
      | Virut | 32,027 |
      | SMSsend | 16,000 |
      | Jeefo | 14,645 |
      | Gbot | 11,853 |
      | GameOver | 9,407 |
      | Phorpiex | 5,875 |
      | Buzus | 5,123 |

  17. “Things” Generate Intense Attack Traffic
      - Chart: query counts (millions) from attacking IPs, one hour’s data, APAC provider network
      - 200 IPs sourced ~83M queries
      - 15 IPs sourced ~61M queries
      - 1 IP sourced ~9M queries
  18. 2 Days Attack Data
      - Chart: number of IPs used in attack per hour (0 to 300), Nov 16 19:00 to Nov 18 8:00
  19. Example Attack Data
      - Chart: attack queries as a percentage of total traffic, Nov 16 19:00 to Nov 18 8:00
      - 70% of queries from attack
  20. Why These Attacks Hurt (sequence diagram: Attacker, Border, Home Gateway, Resolver, Authority)
      - Bad case: attacker sends a spoofed-IP UDP query (e.g. Ivatsnkb.web.pay1.cn) through the border to the home gateway; the gateway proxies the query and translates the IP; the resolver recurses to the authority; NXD travels back along the chain to the spoofed IP
      - Worse case: same path, but the authority applies Response Rate Limiting and truncates; the resolver retries over TCP; NXD travels back along the chain
  21. Response Rate Limiting can Aggravate (sequence diagram: Attacker, Border, Home Gateway, Resolver, Authority)
      - Attacker sends randomized queries with spoofed IP; the home gateway proxies the query and translates the IP; the resolver recurses
      - Authority applies Response Rate Limiting and truncates; the resolver retries over TCP
      - Authority fails: high traffic with TCP overhead
      - Resolver doesn’t get responses, tries new authorities: cascading failures
      - Resolver stress, TCP overhead
  22. Some Simple Math (very rough estimate of additional workload)
      - Every RSD requires recursion
      - “Normal” incoming queries are 80% cached
      - Equivalent load is 1/(1 - 0.8) = 5
      - For 8,000 QPS of attack traffic, equivalent load is 8,000 x 5 = 40,000 QPS
  23. Attacks Cause Many Problems
      - Attacks on popular domains complicate filtering
      - Home gateways mask spoofed source IP
      - Bots operate wholly within provider networks
        - Filtering DNS at borders won’t work
      - Observed tendency for cascading failures
      - RRL by authorities increases work for resolvers & authorities
        - This seems to have gone away for now
  24. Solution
      - Block bad traffic at ingress to resolvers
        - Minimize work
        - Eliminate stress on entire DNS hierarchy
      - Near-real time block lists and fine grained policy
        - Protect good traffic: whitelist legitimate labels for “core” domains
  25. Summary
      - New generation of DNS based DDoS
      - Open home gateways remain a problem
      - Malware based exploits create broad exposure
      - Filter DNS traffic at ingress to resolvers
        - Protect good queries: fine grained filters
        - Drop bad queries: protect resolvers, authorities and targets
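As an added example (not code from the presentation, Nominum or APNIC), the following Python sketch puts slides 7 to 10 and 24 together: it flags a domain as under random-subdomain attack when many distinct labels under it return NXDOMAIN, applies an ingress policy that still allows whitelisted labels of a popular domain, and computes the slide 22 load estimate. The allowlist, thresholds and sample log are constructed assumptions.

```python
import random
from collections import defaultdict

# Constructed allowlist of legitimate labels for a popular ("core") domain,
# so the real subdomains keep resolving while random labels are dropped.
CORE_ALLOWLIST = {"asus.com": {"www", "rog", "account"}}

def registrable(qname):
    """Last two labels of a name (toy stand-in for a Public Suffix List lookup)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def leftmost_label(qname):
    return qname.lower().split(".")[0]

def detect_rsd(records, min_distinct_nxd=20):
    """records: (qname, rcode) pairs seen in one window at resolver ingress.
    A domain is flagged when many *distinct* leftmost labels under it all got
    NXDOMAIN: the signature of a random-subdomain (RSD) flood."""
    nxd_labels = defaultdict(set)
    for qname, rcode in records:
        if rcode == "NXDOMAIN":
            nxd_labels[registrable(qname)].add(leftmost_label(qname))
    return {d for d, labels in nxd_labels.items() if len(labels) >= min_distinct_nxd}

def ingress_policy(qname, flagged):
    """Fine-grained filter: drop queries under a flagged domain unless the
    label is on the core allowlist, so good traffic to asus.com survives."""
    dom = registrable(qname)
    if dom not in flagged or leftmost_label(qname) in CORE_ALLOWLIST.get(dom, ()):
        return "allow"
    return "drop"

def equivalent_load(attack_qps, cache_hit_rate=0.8):
    """Slide 22's estimate: every RSD query recurses, so it costs as much as
    1/(1 - hit_rate) ordinary queries (8,000 QPS at 80% hits -> 40,000 QPS)."""
    return attack_qps / (1.0 - cache_hit_rate)

def sample_records(n_random=100, seed=7):
    """Constructed one-window log: n_random NXDOMAIN lookups with random 10-char
    labels under asus.com, mixed with ordinary NOERROR traffic."""
    rng = random.Random(seed)
    recs = [("".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(10))
             + ".asus.com.", "NXDOMAIN") for _ in range(n_random)]
    recs += [("www.asus.com.", "NOERROR"), ("store.asus.com.", "NOERROR"),
             ("www.example.net.", "NOERROR")]
    return recs
```

Note that `store.asus.com.` is dropped because it is not on the constructed allowlist: this is the slide 10 point that the roughly 2% of queries to legitimate subdomains must be enumerated before a per-domain block takes effect.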
