SlideShare una empresa de Scribd logo

Harness DNS Activity to Defend Against DDoS Attacks

APNIC
APNIC

This document discusses analyzing DNS data to detect DNS-based distributed denial-of-service (DDoS) attacks. It finds that random subdomain attacks and attacks using open home gateways and bot malware are increasingly common. These attacks strain DNS resolvers and authoritative servers by generating large volumes of recursive queries with randomized subdomains. The document recommends filtering DNS traffic at the ingress of resolvers to minimize workload and stress, while still allowing legitimate queries by using near-real-time blocklists and whitelisting valid subdomains for popular domains.

Internet
1 de 25
Descargar para leer sin conexión
Harness Your Internet Activity
Drilling Down into DDoS APRICOT 2015 Fukuoka, Japan Bruce Van Nice
• 2 Terabytes of data analyzed per day – Anonymized from ISPs worldwide – Estimate about 3% of ISP DNS resolver traffic • Team of data scientists • Algorithms searching for: – DDoS – Bots – Malware – Machine generated traffic – Etc 3 Nominum Research
• DNS-based DDoS attacks increasing – DNS Amplification – Random subdomain attacks – focus of this presentation • Attack vectors – Open home gateways – NEW - Bot malware • Stress on DNS worldwide 4 Introduction
5 DNS Queries – One Day’s Data 02/09/15 88% 12% DNS Queries "Good" Queries Malicious Queries 80% 15% 5% Malicious Queries Random Subdomain Amplification Bot Command & Control
6 Random Subdomain Attack Trends 2014 Data
7 Random Subdomain Attacks RANDOM TARGET NAME Example query: wxctkzubkb..liebiao.800fy.com • Queries with random subdomains - answer NXD • Lots of work for resolvers - recursion • Lots of works for authoritative servers - large spikes
nbpdestuvjklz.pay.shop6996.com. 1lHecqrP.xboot.net. hxdfmo.iyisa.com. a6ca.cubecraft.net. 8 Different Kinds of “Random” Different Random Label Patterns = Different Attacks
Alexa 1000 Names Rank baidu.com. 5 blog.sina.com.cn. 13 xlscq.blog.163.com. 56 amazon.co.uk. 65 www.bet365.com. 265 www.lady8844.com. 389 d3n9cbih5qfgv5.cloudfront.net. 458 www.appledaily.com.tw. 565 asus.com. 702 9 Popular Names are Attacked Attacks on popular names must be handled carefully: Fine Grained Policy, Whitelists About 9% of names attacked are popular
Attack on asus.com (computers and phones) – 190 legitimate subdomains Attack on mineplex.com (minecraft gaming site) – 78 legitimate subdomains ~ 2% of queries are to legitimate subdomains 10 Need to Protect Good Traffic to Popular Domains
Attacks Using Open DNS Proxies 1 Internet Query with randomized subdomains 2 Authoritative ServerCompromised hosting Recursive queries Open DNS Proxy (Home Gateway) 3 NXD responses ISP Target Web Site Attacks Using Open DNS Proxies ISP Resolver
12 Open Resolvers in Asia Pacific
- 5 10 15 20 25 30 Millions Open Resolvers 13 Open Resolvers Are Declining Feb 13 2014 Jan 28 2015 Open Resolver Project Data Actual Trend
Attacks Using Bots Internet 2 Authoritative Server Recursive queries Bot infected devices 3 NXD responses ISP Target Web Site ISP ResolverQueries with randomized subdomains 1
1. Bots scan networks for home gateways or other vulnerable devices 2. Attempt to login with default passwords 3. Load malware on gateway 4. Malware sends huge volumes of specially crafted DNS queries 15 What’s Happening? Other vectors are possible: Bots with loaders Rompager
16 Bots are Everywhere! 02/09/15 Threat Type Query Count Spybot 1,679,616 Vobfus 925,323 Nitol 883,376 Gamarue 878,672 VBInject 864,944 Spambot 613,449 Ramnit 418,984 Bladabindi 90,486 Palevo 60,324 Sdbot 59,314 Threat Type Query Count Dorkbot 52,935 Morto 35,912 Sality 35,711 Virut 32,027 SMSsend 16,000 Jeefo 14,645 Gbot 11,853 GameOver 9,407 Phorpiex 5,875 Buzus 5,123 Bots that can install additional software on a compromised host
17 “Things” Generate Intense Attack Traffic 0 2 4 6 8 10 Millions Query Counts from Attacking IPs One hours data – APAC provider network # IPs involved in attack 1 206 200 IPs sourced ~83M queries 15 IPs sourced ~61M queries 1 IP sourced ~ 9M queries
18 2 Days Attack Data 0 75 150 225 300 Number of IPs used in attack per hour Nov 16 19:00 Nov 18 8:00
19 Example Attack Data 0% 20% 40% 60% 80% Attack Queries as a Percentage of Total Traffic Nov 16 19:00 Nov 18 8:00 70% of queries from attack
20 Why These Attacks Hurt Border Home Gateway Resolver Authority Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion NXD NXD NXD Spoofed IP Proxy query, translates IP Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion Truncate Bad Case Worse Case Response Rate Limiting Retry TCP NXD NXD NXD Proxy query, translates IP Spoofed IP Attacker
21 Response Rate Limiting can Aggravate Proxy query, translate IP Recursion Truncate Response Rate Limiting Border Home Gateway Resolver AuthorityAttacker Retry TCP Authority Fails High traffic with TCP overhead Resolver doesn’t get responses, tries new Authorities, cascading failures Spoofed IP Randomized queries Resolver stress TCP overhead
• Every RSD requires recursion • “Normal” incoming queries are 80% cached • Equivalent load is: 1/(1- 0.8) = 5 • For 8,000 QPS of attack traffic equivalent load is: 8,000 x 5 = 40,000 QPS 22 Some Simple Math Very rough estimate of additional workload
• Attacks on popular domains complicate filtering • Home Gateways mask spoofed source IP • Bots operate wholly within provider networks – Filtering DNS at borders won’t work • Observed tendency for cascading failures • RRL by authorities increases work for resolvers & authorities – This seems to have gone away for now 23 Attacks Cause Many Problems
• Block bad traffic at ingress to resolvers – Minimize work – Eliminate stress on entire DNS hierarchy • Near-real time block lists and fine grained policy – Protect good traffic - whitelist legitimate labels for “core” domains 24 Solution
• New generation of DNS Based DDoS • Open Home Gateways remain a problem • Malware based exploits create broad exposure • Filter DNS traffic at ingress to resolvers – Protect good queries – fine grained filters – Drop bad queries – protect resolvers, authorities and targets 25 Summary

Recomendados

Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesAPNIC
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksAcquia
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 

Recomendados

Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesAPNIC
 
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...
Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2...APNIC
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)btpsec
 
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096
DNS-OARC-36: Measurement of DNSSEC Validation with RSA-4096APNIC
 
DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020DNS-OARC 34: Measuring DNS Flag Day 2020
DNS-OARC 34: Measuring DNS Flag Day 2020APNIC
 
The Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksThe Anatomy of DDoS Attacks
The Anatomy of DDoS AttacksAcquia
 
How to launch and defend against a DDoS
How to launch and defend against a DDoSHow to launch and defend against a DDoS
How to launch and defend against a DDoSjgrahamc
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Time-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN ControllerTime-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN ControllerLippo Group Digital
 
Cyber-security
Cyber-securityCyber-security
Cyber-securityQasim Zaidi
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
DNS Vulnerabilities
DNS VulnerabilitiesDNS Vulnerabilities
DNS VulnerabilitiesMike Spaulding
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS ProtectionSrikrupa Srivatsan
 

Más contenido relacionado

La actualidad más candente

DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesBabak Farrokhi
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationJerod Brennen
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDNVishal Vasudev
 
Time-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN ControllerTime-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN ControllerLippo Group Digital
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksSecurity Session
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNChao Chen
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSMichiel Cazemier
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPROIDEA
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersChika Yoshimura
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
 

La actualidad más candente (20)

DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
Entropy based DDos Detection in SDN
Entropy based DDos Detection in SDNEntropy based DDos Detection in SDN
Entropy based DDos Detection in SDN
 
Time-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN ControllerTime-based DDoS Detection and Mitigation for SDN Controller
Time-based DDoS Detection and Mitigation for SDN Controller
 
Cyber-security
Cyber-securityCyber-security
Cyber-security
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Ripe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigationRipe71 FastNetMon open source DoS / DDoS mitigation
Ripe71 FastNetMon open source DoS / DDoS mitigation
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNSRicardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
Ricardo de Oliveria Schmidt - DDoS Attacks on the Root DNS
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
DNS Vulnerabilities
DNS VulnerabilitiesDNS Vulnerabilities
DNS Vulnerabilities
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache ServersNANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
NANOG32 - DNS Anomalies and Their Impacts on DNS Cache Servers
 
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...
 

Destacado

Avoiding dns amplification attacks
Avoiding dns amplification attacksAvoiding dns amplification attacks
Avoiding dns amplification attacksLucas Kauffman
 
Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Osaka University
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slidesMen and Mice
 
Dns Amplification Zafiyeti
Dns Amplification ZafiyetiDns Amplification Zafiyeti
Dns Amplification ZafiyetiMehmet VAROL
 
The Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoThe Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoMike Chapple
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS SecurityThousandEyes
 
Finding Evil In DNS Traffic
Finding Evil In DNS TrafficFinding Evil In DNS Traffic
Finding Evil In DNS Trafficreal_slacker007
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016DefensiveDepth
 
MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?Memoori
 
How IoT Is Breaking The Internet
How IoT Is Breaking The InternetHow IoT Is Breaking The Internet
How IoT Is Breaking The InternetCarl J. Levine
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsRahul Neel Mani
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
Dns security overview
Dns security overviewDns security overview
Dns security overviewVladimir2003
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeAPNIC
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS AttacksAmazon Web Services
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSASrikrupa Srivatsan
 
From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.Taras Matyashovsky
 

Destacado (20)

Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Advanced DNS Protection
Advanced DNS ProtectionAdvanced DNS Protection
Advanced DNS Protection
 
Avoiding dns amplification attacks
Avoiding dns amplification attacksAvoiding dns amplification attacks
Avoiding dns amplification attacks
 
Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc. Introduction of Mirai Translate, Inc.
Introduction of Mirai Translate, Inc.
 
Dns reflection attacks webinar slides
Dns reflection attacks webinar slidesDns reflection attacks webinar slides
Dns reflection attacks webinar slides
 
Dns Amplification Zafiyeti
Dns Amplification ZafiyetiDns Amplification Zafiyeti
Dns Amplification Zafiyeti
 
The Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and CaretoThe Other Advanced Attacks: DNS/NTP Amplification and Careto
The Other Advanced Attacks: DNS/NTP Amplification and Careto
 
Monitoring for DNS Security
Monitoring for DNS SecurityMonitoring for DNS Security
Monitoring for DNS Security
 
Finding Evil In DNS Traffic
Finding Evil In DNS TrafficFinding Evil In DNS Traffic
Finding Evil In DNS Traffic
 
Security Onion Conference - 2016
Security Onion Conference - 2016Security Onion Conference - 2016
Security Onion Conference - 2016
 
MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?
 
How IoT Is Breaking The Internet
How IoT Is Breaking The InternetHow IoT Is Breaking The Internet
How IoT Is Breaking The Internet
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of Botnets
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
Dns security overview
Dns security overviewDns security overview
Dns security overview
 
Security of DNS
Security of DNSSecurity of DNS
Security of DNS
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks(SEC306) Defending Against DDoS Attacks
(SEC306) Defending Against DDoS Attacks
 
DNS Security Presentation ISSA
DNS Security Presentation ISSADNS Security Presentation ISSA
DNS Security Presentation ISSA
 
From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.From cache to in-memory data grid. Introduction to Hazelcast.
From cache to in-memory data grid. Introduction to Hazelcast.
 

Similar a Harness DNS Activity to Defend Against DDoS Attacks

DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectAPNIC
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionAPNIC
 
DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware Dryden Geary
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16Radware
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerShellmates
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoningvngundi
 
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupWeapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupmichaelxin2015
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...Yankmo
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Usevngundi
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS MeasurementsAFRINIC
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSSuzanne Aldrich
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014Raleigh ISSA
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECWhalebone, s.r.o.
 
Secure 2013 Poland
Secure 2013 PolandSecure 2013 Poland
Secure 2013 PolandCloudflare
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...Felipe Prado
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 

Similar a Harness DNS Activity to Defend Against DDoS Attacks (20)

DDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring ProjectDDosMon A Global DDoS Monitoring Project
DDosMon A Global DDoS Monitoring Project
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Botconf ppt
Botconf pptBotconf ppt
Botconf ppt
 
DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware DNS Security WebTitan Web Filter - Stop Malware
DNS Security WebTitan Web Filter - Stop Malware
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16DDoS Threat Landscape - Ron Winward CHINOG16
DDoS Threat Landscape - Ron Winward CHINOG16
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
Day 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache PoisoningDay 2 Dns Cert 4a Cache Poisoning
Day 2 Dns Cert 4a Cache Poisoning
 
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetupWeapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
Weapons of Mass Disruption by Roman Lara for OWASP San Antonio Chapter meetup
 
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
abusing dns to spread malware:from router to end user(滥用dns传播恶意软件:从路由器到最终用户)-...
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
DNS Measurements
DNS MeasurementsDNS Measurements
DNS Measurements
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
The latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSECThe latest news in the DNS resolution: DNSSEC
The latest news in the DNS resolution: DNSSEC
 
Secure 2013 Poland
Secure 2013 PolandSecure 2013 Poland
Secure 2013 Poland
 
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
DEF CON 27 - GERALD DOUSSOT AND ROGER MEYER - state of dns rebinding attack ...
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 

Más de APNIC

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonAPNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonAPNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPNIC
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6APNIC
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!APNIC
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023APNIC
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAPNIC
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAPNIC
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAPNIC
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAPNIC
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAPNIC
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsAPNIC
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemAPNIC
 

Más de APNIC (20)

IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 
AFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment StatusAFNOG 1: Afghanistan IP Deployment Status
AFNOG 1: Afghanistan IP Deployment Status
 
AFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressingAFSIG 2023: Internet routing and addressing
AFSIG 2023: Internet routing and addressing
 
AFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & DevelopmentAFSIG 2023: APNIC - Registry & Development
AFSIG 2023: APNIC - Registry & Development
 
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurityAfghanistan IGF 2023: The ABCs and importance of cybersecurity
Afghanistan IGF 2023: The ABCs and importance of cybersecurity
 
IDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerationsIDNIC OPM 2023: IPv6 deployment planning and security considerations
IDNIC OPM 2023: IPv6 deployment planning and security considerations
 
IDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry SystemIDNIC OPM 2023 - Internet Number Registry System
IDNIC OPM 2023 - Internet Number Registry System
 

Último

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 

Último (8)

『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 

Harness DNS Activity to Defend Against DDoS Attacks

  • 2. Drilling Down into DDoS APRICOT 2015 Fukuoka, Japan Bruce Van Nice
  • 3. • 2 Terabytes of data analyzed per day – Anonymized from ISPs worldwide – Estimate about 3% of ISP DNS resolver traffic • Team of data scientists • Algorithms searching for: – DDoS – Bots – Malware – Machine generated traffic – Etc 3 Nominum Research
  • 4. • DNS-based DDoS attacks increasing – DNS Amplification – Random subdomain attacks – focus of this presentation • Attack vectors – Open home gateways – NEW - Bot malware • Stress on DNS worldwide 4 Introduction
  • 5. 5 DNS Queries – One Day’s Data 02/09/15 88% 12% DNS Queries "Good" Queries Malicious Queries 80% 15% 5% Malicious Queries Random Subdomain Amplification Bot Command & Control
  • 6. 6 Random Subdomain Attack Trends 2014 Data
  • 7. 7 Random Subdomain Attacks RANDOM TARGET NAME Example query: wxctkzubkb..liebiao.800fy.com • Queries with random subdomains - answer NXD • Lots of work for resolvers - recursion • Lots of works for authoritative servers - large spikes
  • 9. Alexa 1000 Names Rank baidu.com. 5 blog.sina.com.cn. 13 xlscq.blog.163.com. 56 amazon.co.uk. 65 www.bet365.com. 265 www.lady8844.com. 389 d3n9cbih5qfgv5.cloudfront.net. 458 www.appledaily.com.tw. 565 asus.com. 702 9 Popular Names are Attacked Attacks on popular names must be handled carefully: Fine Grained Policy, Whitelists About 9% of names attacked are popular
  • 10. Attack on asus.com (computers and phones) – 190 legitimate subdomains Attack on mineplex.com (minecraft gaming site) – 78 legitimate subdomains ~ 2% of queries are to legitimate subdomains 10 Need to Protect Good Traffic to Popular Domains
  • 11. Attacks Using Open DNS Proxies 1 Internet Query with randomized subdomains 2 Authoritative ServerCompromised hosting Recursive queries Open DNS Proxy (Home Gateway) 3 NXD responses ISP Target Web Site Attacks Using Open DNS Proxies ISP Resolver
  • 12. 12 Open Resolvers in Asia Pacific
  • 13. - 5 10 15 20 25 30 Millions Open Resolvers 13 Open Resolvers Are Declining Feb 13 2014 Jan 28 2015 Open Resolver Project Data Actual Trend
  • 14. Attacks Using Bots Internet 2 Authoritative Server Recursive queries Bot infected devices 3 NXD responses ISP Target Web Site ISP ResolverQueries with randomized subdomains 1
  • 15. 1. Bots scan networks for home gateways or other vulnerable devices 2. Attempt to login with default passwords 3. Load malware on gateway 4. Malware sends huge volumes of specially crafted DNS queries 15 What’s Happening? Other vectors are possible: Bots with loaders Rompager
  • 16. 16 Bots are Everywhere! 02/09/15 Threat Type Query Count Spybot 1,679,616 Vobfus 925,323 Nitol 883,376 Gamarue 878,672 VBInject 864,944 Spambot 613,449 Ramnit 418,984 Bladabindi 90,486 Palevo 60,324 Sdbot 59,314 Threat Type Query Count Dorkbot 52,935 Morto 35,912 Sality 35,711 Virut 32,027 SMSsend 16,000 Jeefo 14,645 Gbot 11,853 GameOver 9,407 Phorpiex 5,875 Buzus 5,123 Bots that can install additional software on a compromised host
  • 17. 17 “Things” Generate Intense Attack Traffic 0 2 4 6 8 10 Millions Query Counts from Attacking IPs One hours data – APAC provider network # IPs involved in attack 1 206 200 IPs sourced ~83M queries 15 IPs sourced ~61M queries 1 IP sourced ~ 9M queries
  • 18. 18 2 Days Attack Data 0 75 150 225 300 Number of IPs used in attack per hour Nov 16 19:00 Nov 18 8:00
  • 19. 19 Example Attack Data 0% 20% 40% 60% 80% Attack Queries as a Percentage of Total Traffic Nov 16 19:00 Nov 18 8:00 70% of queries from attack
  • 20. 20 Why These Attacks Hurt Border Home Gateway Resolver Authority Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion NXD NXD NXD Spoofed IP Proxy query, translates IP Spoofed IP Query (UDP): Ivatsnkb.web.pay1.cn Proxy query, translate IP Recursion Truncate Bad Case Worse Case Response Rate Limiting Retry TCP NXD NXD NXD Proxy query, translates IP Spoofed IP Attacker
  • 21. 21 Response Rate Limiting can Aggravate Proxy query, translate IP Recursion Truncate Response Rate Limiting Border Home Gateway Resolver AuthorityAttacker Retry TCP Authority Fails High traffic with TCP overhead Resolver doesn’t get responses, tries new Authorities, cascading failures Spoofed IP Randomized queries Resolver stress TCP overhead
  • 22. • Every RSD requires recursion • “Normal” incoming queries are 80% cached • Equivalent load is: 1/(1- 0.8) = 5 • For 8,000 QPS of attack traffic equivalent load is: 8,000 x 5 = 40,000 QPS 22 Some Simple Math Very rough estimate of additional workload
  • 23. • Attacks on popular domains complicate filtering • Home Gateways mask spoofed source IP • Bots operate wholly within provider networks – Filtering DNS at borders won’t work • Observed tendency for cascading failures • RRL by authorities increases work for resolvers & authorities – This seems to have gone away for now 23 Attacks Cause Many Problems
  • 24. • Block bad traffic at ingress to resolvers – Minimize work – Eliminate stress on entire DNS hierarchy • Near-real time block lists and fine grained policy – Protect good traffic - whitelist legitimate labels for “core” domains 24 Solution
  • 25. • New generation of DNS Based DDoS • Open Home Gateways remain a problem • Malware based exploits create broad exposure • Filter DNS traffic at ingress to resolvers – Protect good queries – fine grained filters – Drop bad queries – protect resolvers, authorities and targets 25 Summary