Upload
deleteyrself
View
216
Download
0
Embed Size (px)
DESCRIPTION
Ripe52 Plenary Dnsamp
Citation preview
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 1
DNS amplification attacks
Matsuzaki Yoshinobu<[email protected]>
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 2
DNS amplification attacks
• Attacks using IP spoofed dns query– generating a traffic overload– bandwidth attack– similar to ‘smurf attacks’
• Components are:– IP spoofing– DNS amp
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 3
IP spoofing + DNS amp
• IP spoofing– IP spoofed dns query– to use reflections
• DNS amp– UDP (no 3way handshake)– good amplification ratio =~ 60– distributed by full/stub-resolver (dns cache)
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 4
reflection
IP spoofed packet
reflector
Sender src: victimdst: reflector
victim
reply
pac
ket
dst:src:
refle
victi
mctor
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 5
amplification
1. multiple replies
Sender
2. bigger reply
Sender
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 6
DNS amplification
ANY�?xxx.example.com
DNSSender
xxx.example.com IN TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 7
DNS amplification attack
IP spoofedDNS queries
DNS replies
victim
DNSDNS
DNSDNSAttacker
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 8
attack relations
DNSDNS DNS
victim
Command&Control
DNS
DNS
stub-resolvers full-resolversroot-servers
tld-servers
example-servers
IP spoofedDNS queries
botnet
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 9
view of bot #1
bot #1
Internet
size: =~60bytessrc IP: victim(IP spoofed)dst IP: various(DNS amp)protocol: udpsrc port: variousdst port: 53QR: standard queryQNAME: (specific one)
DNS queries
DNSDNS
DNS
• performance degradation• traffic overload
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 10
view of bot #2
• a bot behind NAT box
bot #2
Internet
src IP: victim(IP spoofed)dst IP: various(DNS amp)
NAT
src IP: various(DNS amp)dst IP: NAT Router
src IP: NAT Routerdst IP: various(DNS amp)• NAT table saturation
• ICMP unreach generation
DNS query – after NAT
DNS query – before NAT
DNS replyDNS
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 11
view of stub-resolver
DNS
stub-resolver
DNS
full-resolvers
DNS queries
size: =~4000bytes(ip fragmented)
src IP: stub-resolverdst IP: victim
bot#2(NAT)QNAME: (specific one)
DNS replies
Internet• victim• bot#2(NAT)
size: =~60bytessrc IP: victim
bot#2(NAT)dst IP: stub-resolverQNAME: (specific one)
• performance degradation• traffic overload• if the stub-resolver worksas a no-cache mode, all ofthe queries are relayedto the full-resolvers.
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 12
view of full-resolver
DNS
full-resolver
DNS
• root-servers• tld-servers• example-servers
size: ~4000bytes(ip fragmented)
src IP: full-resolverdst IP: victim
bot#2(NAT)stub-resolver
QNAME: (specific one)
DNS replies
Internet
DNS queries
• victim• bot#2(NAT)• stub-resolvers
size: =~60bytessrc IP: victim
bot#2stub-resolver
dst IP: full-resolverQNAME: (specific one)
• performance degradation• traffic overload• if the TTL of the RR isshort, # of queries to the*-servers are increased.
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 13
view of victim
victim
Internet
size: =~4000bytes(ip fragmented)
src IP: full-resolversstub-resolvers
dst IP: victim
DNS replies
DNSDNS
DNS
• traffic overload
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 14
solutions
IP spoofeddns queries
Attacker
dns r
eplie
s
victim
discard recursive DNS queries from external
=Disable Open Recursive DNS
resolvers
DNS
drop IP spoofed packets=
Source Address Validation
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 15
Disable Open Recursive DNS
• There are many ‘open relay’ resolvers.– ISP cache servers– customers’ dns servers– DSL routers (dns proxy as stub-resolver)
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 16
Source Address Validation
• BCP38/RFC2827– All providers of Internet connectivity are urged
to implement filtering described in this document to prohibit attackers from using forged source addresses...
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 17
IIJ/AS2497’s case
• IIJ to Introduce Source Address Validation to all its Connectivity Services– http://www.iij.ad.jp/en/pressrelease/2006/0308.html
• IIJ is adopting uRPF and ACLs.
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 18
IIJ’s policy
peer ISP upstream ISP
customer ISP
multi homedstatic customer
single homedstatic customer
IIJ/AS2497
uRPF strict mode
uRPF loose mode
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 19
CISCO uRPF configuration
uRPF strict mode
interface GigabitEthernet0/0ip verify unicast source reachable-via rx
uRPF loose mode
interface GigabitEthernet0/0ip verify unicast source reachable-via any
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 20
Juniper uRPF configuration
uRPF strict mode
interface { ge-0/0/0 { unit 0 { family inet {rpf-check;} } } }
uRPF loose mode
interface { ge-0/0/0 { unit 0 { family inet { rpf-check { mode loose; } } } } }
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 21
reference
• AL-1999.004 – DoS attacks using the DNS– http://www.auscert.org.au/render.html?it=80
• The Continuing DoS Threat Posed by DNS Recursion– http://www.us-cert.gov/reading_room/DNS-recursion033006.pdf
• SAC008 – DNS Distributed DDoS Attacks– http://www.icann.org/committees/security/dns-ddos-advisory-
31mar06.pdf
2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. 22