Want to understand more about DDoS attacks? Check out these slides from Dyn Director of DNS Technology Andrew Sullivan & watch the accompanying webinar: http://dyn.com/dyn-webinar-everything-you-need-to-know-about-ddos-managed-dns/
Everything You Need to Know About DDoS @DynInc
Everything You Need To Know About DDoS Attacks
Andrew Sullivan, Director of DNS Engineering, @DynInc
What We’ll Cover Today
• What is a DDoS?
• Why are there DDoSes?
• What can happen?
– Suppose you’re the target
– Suppose you’re an amplifier
• Can outsourcing things help?
• Can anycast help?
• Appliances?
Focus primarily on DNS, since that’s where the pain is these days.
Denial Of Service
• Just what the name implies
• Lots of ways
– Break code
– Smash the stack
– Lock out passwords
– Request so much that nothing else can get served
– Stuff the network pipe so full that nobody else can get in or out
Denial Of Service Target
Just scale
Moore’s Law
Denial Of Service (Traffic)
Distribute The Source
No, Really Distribute It
Not New
• Morris worm (“the Great Worm”) was in 1988
• Effective attacks were almost always “distributed” in some sense
• Issue now is the type of attack, and the resources available
DDoS Attack Sources?
• In the old days, always-on cable modems and a certain popular but vulnerable operating system
• Now, cheap or compromised (often virtual) hosts with lots of bandwidth
You’ll now run out of money for bandwidth before the bad guys run out of compromised servers.
Why Do They Do This?
Money
Politics
Religion
Traditional DDoS
Kill The C&C, You Kill The Attack
Wait. Spoofed Addresses?
• Most modern effective attacks come over User Datagram Protocol (UDP)
• Transmission Control Protocol (TCP) requires a handshake
– You can tell who’s at the other end
• UDP has no handshake
– Could be anybody – even someone pretending to be someone else
Why Don’t We Fix That?
• We tried
• Best Current Practice (BCP) 38 says that, if you run a network, you should never send things that shouldn’t come from you – “egress filtering”
• Some people don’t do it
• There are no Internet Police
– That cure would be worse than the disease anyway
Traditional DDoS
DNS DDoS: reflector
Key Attributes
• Uses DNS as an amplifier
– Just a few octets for the query, big answers (usually TXT records or something from DNSSEC)
• Relies on poor network security and UDP
– Send query pretending to be the target
• Tricky to defend against
– Might cause collateral damage
Amplification
• Small cost at traffic source (each member of the botnet)
• Innocuous traffic (DNS queries)
– Except for the spoofed address
• Query for a large Resource Record set
– Big TXT record
– RR type with lots of records
– Some DNSSEC records
How Amplified?
• A query for the TXT records at dyn.com takes 25 octets (bytes)
• The answer for that is 442 octets (bytes)
About 18 times bigger!
• Lots of domains look like this
• Easy to get bigger responses
• Not hard to create bigger responses
• 18 times amplification on millions of queries is a lot
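Added example, not from the deck: a Python script that builds the TXT query for dyn.com on the wire, which is where the 25-octet figure comes from (12-byte header plus the encoded question), and turns the 442-octet response size stated on the slide into an amplification factor and a reflected bitrate. The 442 value is copied from the slide, not measured here; the query builder is plain RFC 1035 with no EDNS(0) record, and the transaction ID is an arbitrary constant.

```python
import struct

# Added example (not from the deck): build a minimal DNS query on the wire and
# measure it, to reproduce the 25-octet / 442-octet figures on the slide.

QTYPE = {"A": 1, "AAAA": 28, "TXT": 16, "DNSKEY": 48, "ANY": 255}
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """RFC 1035 name encoding: each label as <length><bytes>, then a zero root label."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """A plain query: 12-byte header + one question, no EDNS(0) OPT record."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)
    return header + question


def amplification_factor(query_len: int, response_len: int) -> float:
    """Response bytes that land on the forged source per query byte sent."""
    return response_len / query_len


def reflected_bitrate_gbps(queries_per_second: int, response_len: int) -> float:
    """Traffic arriving at the forged source address, in gigabits per second."""
    return queries_per_second * response_len * 8 / 1e9


# Response size stated on the slide for TXT dyn.com; taken from the slide, not measured.
SLIDE_RESPONSE_LEN = 442

if __name__ == "__main__":
    q = build_query("dyn.com", "TXT")
    print(len(q), "octets:", q.hex())
    print("amplification: %.1fx" % amplification_factor(len(q), SLIDE_RESPONSE_LEN))
    print("1M q/s reflected: %.2f Gbit/s" % reflected_bitrate_gbps(1_000_000, SLIDE_RESPONSE_LEN))
```

The 25 octets break down as 12 bytes of header, 9 bytes for `\x03dyn\x03com\x00`, and 4 bytes of type and class; the same builder gives the query size for any name, so the ratio can be recomputed for a zone’s own records.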
What’s The Target?
• Could be the DNS service itself
– Fill the transit
• Could be some other DNS service
– Fill that service’s inbound transit
• Could be any other service
– Fill that service’s inbound transit
Aside: Open Resolvers
• Open resolvers are indeed bad
– For other kinds of attack, they’re critical
• Not the only vector for reflection attacks
• Source of problem packets need not be a resolver
• Target need not be a resolver
Attack the DNS Service Itself
(Diagram labels: Abuse Queries, Legitimate Queries, Responses to Abuse Queries, Responses to Legitimate Queries)
Attack Some Different Service
(Diagram labels: Legitimate Queries, Responses to Legitimate Queries, Abuse Queries (forged source 192.0.2.1), Responses to Abuse Queries; target 192.0.2.1)
Attack Some Different Service
(Diagram labels: Abuse Queries (forged source 192.0.2.1), Responses to Abuse Queries, http request, http responses; target 192.0.2.1)
What Happens: You Are Authoritative DNS Target
• You can’t answer legitimate queries you should be able to answer
• You may become a reflector
– Depends on abuse source
– Probably, since otherwise abuse source would fall over too
What Happens: You Are DNS Amplifier
• You get identified as amplifier
• People start restricting you – completely
– With Response Rate Limiting (RRL)
What Happens: You Are Some Target Application
• All your bandwidth goes to receiving answers you didn’t ask for
• Your application is useless (or down) for your users
• This might cost you real cash (bandwidth overage) without any legitimate increase in traffic
What To Do: Outsource?
Can help in some ways
• Large providers
• Robust networks
• Expert mitigation
Presents a new risk
• Large providers are themselves a target
• Large providers can have other customers who are targets
How To Do: Outsource?
• Most people already outsourced
– Let the registrar run it
• Research your options if you’re at risk
– What are the vendor’s mitigation strategies?
– Who will you be sharing your service with?
– Does the vendor offer realistic promises?
– What’s the vendor’s network profile?
What To Do: Anycast?
• Anycast is a trick: one IP address actually identifies several physically different machines located at different places in the network
• Relies on routing
• It can help isolate attacks
– Attacks often all come from one or some small group of networks
– So, they land in the same network data centre
What To Do: Anycast?
Pro
• Isolates attack traffic to particular anycast regions
• Can use it to reroute attack traffic to more robust network location
• Harder to fill many 10G or 40G transit paths than one
What To Do: Anycast?
Con
• If you don’t know what an anycast is, you don’t want to do it yourself
• Requires network experts, operations staff, and hardware
• Not a solution to all victim scenarios
How To Do: Anycast?
• Get relevant network experts
• Bring (some) money
• Pick the right protocol
– Long-lived http streams are very bad candidates
– Short messages (like DNS) are good candidates
• If you want to do this, outsourcing is increasingly a good option
• Research provider’s history, participation in operator fora
What To Do: Appliances?
• Basically two strategies
– Identify bad guys in advance, and spot and quarantine
– Use analysis to identify bad traffic
• Generally perform rate limiting on identified bad traffic
• Often quite good at identifying anomalies
• If your pipe is full, it doesn’t matter
What Else To Do?
• There is no magic, general-purpose “DDoS protection”
– Like saying “We will protect you from crime”
• Murder?
• Fraud?
• Traffic light violations?
• Techniques need to be tailored
RRL
• Response Rate Limiting is a technique in DNS servers
• Identifies repeated queries for the same name, type, and class from the same source
– Inside the Time To Live for the record
• Infers that’s not a real resolver
• Limits responses
RRL
Pro
• If you’re running your own server, Turn It On Now.
• Evidence says it helps in the majority of cases
RRL
Con
• Some corner cases (very short TTLs and high-value, high-traffic sites) with some issues
• Adds yet another tricky operational convention to DNS
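Added example for the three RRL slides, not from the deck and not the RRL code in BIND or NSD: a simplified response rate limiter that keys on the client /24 plus query name, type and class, uses a fixed one-second window instead of the record’s TTL (an assumption made for brevity), and has a “slip” option that sends a truncated reply so a genuine resolver behind a rate-limited block can retry over TCP. It runs over constructed query-log lines (RFC 5737 documentation addresses, no real clients) that mimic the repeated identical queries the slide describes.

```python
import ipaddress
from collections import Counter

# Added example (not from the deck, not BIND/NSD code): a simplified RRL decision
# function and a run over constructed query-log lines.


class ResponseRateLimiter:
    """Limit identical responses per client netblock, in the spirit of DNS RRL.

    Key = (client netblock, qname, qtype, qclass): the same answer going back to the
    same block over and over is what a reflector attack produces.
    responses_per_second: identical responses allowed per key per one-second window
        (assumption: a fixed 1 s window rather than the record TTL the slide mentions).
    slip: every slip-th excess response is sent truncated (TC=1) instead of dropped,
        so a real resolver sharing the block can retry over TCP; 0 disables slip.
    prefix_len: aggregate clients by IPv4 prefix, since a source is rarely one address.
    """

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self._window = {}  # key -> [window_second, count]

    def _key(self, src, qname, qtype, qclass):
        block = ipaddress.ip_network(f"{src}/{self.prefix_len}", strict=False)
        return (str(block), qname.lower().rstrip("."), qtype.upper(), qclass.upper())

    def decide(self, now: float, src: str, qname: str, qtype: str, qclass: str = "IN") -> str:
        """Return 'answer', 'slip' (send a TC=1 reply) or 'drop' for one query."""
        key = self._key(src, qname, qtype, qclass)
        second = int(now)
        state = self._window.get(key)
        if state is None or state[0] != second:
            state = [second, 0]          # new window for this key
            self._window[key] = state
        state[1] += 1
        if state[1] <= self.rps:
            return "answer"
        excess = state[1] - self.rps
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"


# Constructed query log (not real traffic): "<seconds> <client ip> <qname> <qtype>".
# Ten identical TXT queries inside one second from two hosts in the same /24, one
# unrelated query from another network, and one more from the block a second later.
SAMPLE_LOG = [
    "0.01 198.51.100.7 dyn.com TXT",
    "0.02 198.51.100.9 dyn.com TXT",
    "0.03 198.51.100.7 dyn.com TXT",
    "0.04 198.51.100.9 dyn.com TXT",
    "0.05 198.51.100.7 dyn.com TXT",
    "0.06 198.51.100.9 dyn.com TXT",
    "0.07 198.51.100.7 dyn.com TXT",
    "0.08 198.51.100.9 dyn.com TXT",
    "0.09 198.51.100.7 dyn.com TXT",
    "0.10 198.51.100.9 dyn.com TXT",
    "0.30 203.0.113.5 example.com A",
    "1.50 198.51.100.7 dyn.com TXT",
]


def process_log(lines, limiter=None):
    """Apply the limiter to each log line in order; returns a list of (line, decision)."""
    limiter = limiter or ResponseRateLimiter()
    results = []
    for line in lines:
        ts, src, qname, qtype = line.split()
        results.append((line, limiter.decide(float(ts), src, qname, qtype)))
    return results


def summarize(results):
    """Count decisions, e.g. {'answer': 7, 'drop': 3, 'slip': 2} for SAMPLE_LOG."""
    return dict(Counter(decision for _, decision in results))


if __name__ == "__main__":
    for line, decision in process_log(SAMPLE_LOG):
        print(f"{decision:6s} {line}")
    print(summarize(process_log(SAMPLE_LOG)))
```

With the defaults, the first five identical responses to the /24 go out, the rest of that second alternates drop and slip, the unrelated query from 203.0.113.5 is untouched, and the window resets at the next second. The corner case the Con slide names shows up directly: a popular name with a very short TTL is queried repeatedly by honest resolvers too, so the same key fills up and the limit has to be tuned per zone.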
What Else To Do?
• Press network operators to do BCP 38
– Specify it in RFPs
– Test for implementation
• Resist dilutions of secure protocols
– Special-access ports for law enforcement, government, and so on are also back doors for criminals
– We have enough compromised systems on the Internet
– Insecure protocols weaken security for all
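Added example for the two BCP 38 passages (the “Why Don’t We Fix That?” slide and the “Press network operators to do BCP 38” item above), not from the deck: the source-address check an operator’s edge applies under BCP 38, written in Python with the standard ipaddress module and run over constructed outbound packets. The prefixes and addresses are RFC 5737 documentation ranges; 192.0.2.1 is reused from the deck’s reflector diagrams as the forged source, and the point of the run is that such a packet is discarded at the originating network before any DNS server ever sees it.

```python
import ipaddress

# Added example (not from the deck): a BCP 38 source-address check as an operator's
# edge would apply it, plus a self-check against constructed outbound packets.


class EgressFilter:
    """Let a packet leave only if its source address is inside a prefix we are responsible for.

    assigned: the prefixes this network announces (assumption: the constructed
    documentation prefix below, not anyone's real allocation).
    """

    def __init__(self, assigned):
        self.assigned = [ipaddress.ip_network(p) for p in assigned]

    def permits(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.assigned)

    def classify(self, packets):
        """packets: iterable of (src, dst, proto, dport). Returns [(packet, verdict), ...]."""
        return [(pkt, "forward" if self.permits(pkt[0]) else "drop-spoofed") for pkt in packets]


# Constructed packets leaving a customer network that owns 198.51.100.0/24.
# 192.0.2.1 is the forged source from the deck's reflector diagrams.
OUTBOUND = [
    ("198.51.100.7", "203.0.113.53", "udp", 53),    # genuine DNS query from our own space
    ("192.0.2.1", "203.0.113.53", "udp", 53),       # forged source: answer would land on 192.0.2.1
    ("198.51.100.250", "203.0.113.80", "tcp", 443),  # ordinary outbound HTTPS
    ("10.0.0.5", "203.0.113.53", "udp", 53),        # private address leaking out, also not ours
]


def check_filter(assigned=("198.51.100.0/24",), packets=OUTBOUND):
    """Run the filter over a packet sample; what an RFP's 'test for implementation' looks at."""
    return EgressFilter(assigned).classify(packets)


def spoofed_fraction(results):
    """Share of the sample that would have left with a source address we do not own."""
    dropped = sum(1 for _, verdict in results if verdict == "drop-spoofed")
    return dropped / len(results) if results else 0.0


if __name__ == "__main__":
    results = check_filter()
    for pkt, verdict in results:
        print(f"{verdict:12s} {pkt[0]} -> {pkt[1]} {pkt[2]}/{pkt[3]}")
    print("spoofed fraction:", spoofed_fraction(results))
```

The check is deliberately positive-list: anything not inside the network’s own prefixes is dropped, which is what the slide means by never sending things that shouldn’t come from you. Anycast and RRL deal with the reflected traffic once it exists; this rule is the one that stops the forged query at its origin.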
Review
DDoS
• Just a special Denial of Service
• Made easier / “worse” by the network environment we have
• Not a new problem
DNS DDoS
• Mostly reflector attacks
• Relies on issues with UDP
• Even ordinary services (e.g. TXT records) offer big amplification
Reflectors
• 2 victims
• Target service can fail
• Intermediate DNS servers get hit
Open Resolvers Not At Fault
• You can do a reflector attack with only authoritative servers involved
• You can’t do a reflector attack if you have good egress filtering everywhere
Solutions Depend On Your Use
• Outsourcing can help, but not everyone
• Anycast can help, but not in all cases
• Appliances can do nothing if they’re inside your data centre behind the same plugged “pipe”
August 7-8 | Manchester, NH
- Limited registrants!
- Great keynotes!
www.geeksummercamp.com
New whitepaper!
Everything You Need To Know About A DDoS Attack
Download at http://dyn.com/content-hub/
Mike Veilleux, Director of Email Product
Steve Wheeler, Director of Deliverability
Email Webinar! Wednesday, July 24, 2 PM EST | 19:00 GMT
Thank You!
Andrew Sullivan, Director of DNS Engineering, [email protected]