TRANSCRIPT
© AT&T Inc
Detection of DNS Traffic Anomalies
Anestis Karasaridis, PhD,CISSP
Detection of DNS Traffic Anomalies, 4/25/2006, Page 2
Overview
DNS - Protocol and Applications
Vulnerabilities and common attacks
Monitoring, Detection, Protection
Protocol Overview
DNS is the white pages of the Internet: it maps hostnames/domains to IP addresses (and vice versa)
Facilitates the communication of devices over the Internet
Based on standards (RFCs 1034 and 1035 -> STD 13, updated by a number of later RFCs)
A Distributed and hierarchical database
IP at Layer 3, uses UDP or TCP for Layer 4.
Managed by different organizations coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN)
Applications Overview
Network infrastructure service: used by almost all applications where two devices need to be connected remotely: Web, Email, FTP, P2P, Streaming, and many others
Its use has been expanded to create overlay networks (Content Distribution Networks) that are used to distribute load and improve latency.
Emerging Applications: VoIP (ENUM Protocol), Spam Control (SPF Protocol), RFID
Example use of DNS:
The user types the following URL to his/her browser: http://www.ieee.org
The browser process generates a DNS request to a configured local DNS server (usually learned through DHCP), asking for the IP address of the server able to serve the web page. If the local server does not know the answer, it makes the same request to an upstream server. When the IP address is found it is returned to the local server and then to the browser process. The browser then requests the page directly from the IP address that was returned.
A user prepares and sends an email to [email protected]. The mail application sends the email first to a local repository (email relay).
The repository then has to figure out where to send the email so that it reaches yahoo.com. The relay server makes a DNS query for the Mail Exchange (MX) record of yahoo.com. When it gets the answer from DNS with the IP address of yahoo's mail server, it proceeds to send the email to the recipient's server.
DNS Hierarchy
DNS is organized in domains which are subdivided to subdomains etc. Top domain is the “Root” (.) and the domains below are called Top Level Domains (TLDs). Top level domains are (com, gov, edu, net, biz, info, us, etc.)
Distributed Architecture
Various domains and subdomains contain partial DNS information. If the information is not available the database contains pointers (delegation) to other servers that may contain the requested information.
Different parts of the domain space are managed by different entities. The set of domains/subdomains that are managed by a single entity is called a zone.
Example of domains and zones
The US domain has NJ, DC, MD, MA and VA as its subdomains. Since the information in all of these subdomains is usually too much to manage in one place, the DNS information is usually split across the different subdomains. The US zone contains delegation points for the subdomains that it does not manage.
[Figure: the US domain with subdomains nj, va, dc, ma and md; the US zone (the part managed directly) is shown as a subset of the US domain.]
Example of Name Resolution using the hierarchical and distributed nature of DNS
Security Vulnerabilities
DNS Protocol Security vulnerabilities
• DNS is an open protocol.
• ASCII protocol with no encryption
• DNS is widely implemented and deployed using BIND which is open source and has many known security holes
• Uses a very rudimentary authentication mechanism based only on the source IP (SIP), port and transaction ID, so it readily trusts the source of information
• Caching allows authoritative records to be bypassed and unreliable information to be stored in many locations on the Internet
• Heavy reliance on the network makes it vulnerable to network outages
DNS Vulnerabilities due to Poor Planning
Single point of failure issues:
  Running registered authoritative DNS servers on a single subnet can cause severe application outages if the gateway/router connecting this subnet goes down
  Running the DNS servers in a single geographical area
  Running DNS servers on a single OS
Poor capacity planning or lack of load balancing
Poor disaster recovery planning, e.g. during power outages, earthquakes etc.
Failure to upgrade or patch DNS implementation
Misconfiguration
Common DNS Attacks
(D)DoS
Cache poisoning
Tunneling
Buffer overflows
Zone transfer hijacking
Dynamic update corruption
Unauthorized registry changes
DoS attacks
One or more attackers controlling one or more devices launch an avalanche of messages to one or more DNS servers
If the sources are distributed, such an attack is difficult to control and trace
DNS responses are larger than requests and can be used to magnify attacks using spoofed source IP addresses: the attackers put the target's address in the source IP field and send multiple DNS requests to a DNS server, which sends its larger responses to the target
Wide-scale DoS attack to Root Servers
On Oct 21, 2002 a wide-scale attack was launched against the 13 IP addresses of the Root servers using ICMP echo reply messages
According to Keynote Systems 7 of the 13 Root servers were severely slowed down during the attack.
Examples of anomalies: Large volumes from a single source
[Figure: number of requests/replies to/from the MIS DNS server per IP address (10/21, 14hr); y-axis: number of requests/replies, 0 to 3000; x-axis: IP addresses. One address stands out with an unusually large number of requests.]
Cache poisoning
Alteration of the contents of the DNS cache
A query is sent to a local DNS server, which starts a recursive search. A fake response is sent by the attacker before the valid server responds. The local DNS server returns the fake response to the resolver and caches the forged mapping.
Can lead to a denial of service or to redirection to a malicious site (that collects, for example, private information)
DNS spoofing/cache poisoning
[Figure: client resolver, local DNS server and attacker. 1. DNS request; 2. Spoofed reply (from the attacker); 3. True reply (from the legitimate server); 4. ICMP port unreachable (the late true reply is rejected).]
Cache Poisoning- another variation
The attacker directs the local DNS server to a DNS server under the attacker's control, which returns bogus information. The local DNS server does not properly check the answer and caches the bogus information.
[Figure: bad guy's terminal, bad guy's DNS server, local DNS server and a laptop. 1. The attacker sends a query that needs to be resolved to his DNS server; 2. The query is forwarded to the bad guy's DNS server; 3. It returns the real answer along with spoofed info; 4. The laptop later queries www.dod.gov; 5. The local server returns the spoofed address, which points to the bad guy's server.]
Detection of brute force cache poisoning attacks
For each DNS flow, identify if the packets in the flow are requests or responses (based on port numbers).
If the packets in the flow record are requests, combine the flow with a thread (a group of objects such as flows with similar characteristics) of request flows that have the same destination IP (DIP) and the same bytes-per-packet ratio (BPR), if the flow arrives within a small time interval (e.g., 1sec) after the last flow in the thread. If the thread exceeds a certain number of flows (e.g., 50), summarize the information in the flow records and provide an alert that repeated requests took place.
Detection of brute force cache poisoning attacks (cont’d)
If the flow record contains response packets, combine the incoming flow with similar flows by DIP, BPR, DPORT and SIP in the event that the flow arrives within a small time interval (e.g., 1 sec) since the arrival of the last flow in the same thread. Examine if the number of such flows exceeds a threshold (e.g., 50). If the threshold is exceeded, examine all the request threads for the same DIP and see if they have a BPR such that
BPR_{response} > BPR_{request} + BPR_{THR},
where BPR_{THR} is the minimum number of additional bytes (set at 16) required to construct a response for a given request. Also, examine whether the response thread starts within the time limits of the request thread. If all the above conditions are true, summarize the flows and generate an alarm for a cache-poisoning attack. If the number of responses in the thread is larger than the threshold but the thread is not within the time frame of a request thread, or it cannot be matched to a request thread because the BPR condition above is not met, then the algorithm produces an alarm for repeated responses.
Empty and restart request and response threads when flows arrive much later (e.g., more than 1 sec later) or earlier than the last flow in the thread.
Periodically (e.g., every 500,000 input flows) clean up threads to free memory.
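The thread-based detector described on the two slides above, as an added example that is not code from the presentation. It runs over constructed flow records in the slide's Src IP / Dest IP / Pkts / Bytes / Stime / Sport / Dport format (request or response derived from the ports, Stime in seconds), using the slides' thresholds (1 sec gap, 50 flows, BPR_THR = 16); alerting once per thread when it crosses the threshold is my choice.

```python
# Added example (not from the slides): flow-thread detector for brute-force cache poisoning.
# Constructed flow records; thresholds GAP, THR and BPR_THR are the values quoted on the slides.
from collections import namedtuple

Flow = namedtuple("Flow", "sip dip pkts bytes stime sport dport")
GAP, THR, BPR_THR = 1, 50, 16  # thread gap (s), flows per alarm, extra bytes a reply needs

def is_response(f):
    return f.sport == 53  # requests go to port 53, responses come from it

def bpr(f):
    return f.bytes // f.pkts  # bytes-per-packet ratio of the flow record

def detect(flows):
    """Return alarms of kind repeated_requests, cache_poisoning or repeated_responses."""
    alarms, req, resp = [], {}, {}
    for f in flows:
        if is_response(f):
            table, key = resp, (f.dip, bpr(f), f.dport, f.sip)  # response thread key
        else:
            table, key = req, (f.dip, bpr(f))                   # request thread key
        t = table.get(key)
        if t is None or not 0 <= f.stime - t["last"] <= GAP:  # restart thread on a gap
            t = table[key] = {"n": 0, "start": f.stime, "last": f.stime}
        t["n"] += 1
        t["last"] = f.stime
        if t["n"] != THR:  # summarize once, when the thread crosses the threshold
            continue
        kind = "repeated_requests"
        if table is resp:
            kind = "repeated_responses"
            for (dip, rbpr), rt in req.items():  # look for a matching request thread
                if dip == f.dip and bpr(f) > rbpr + BPR_THR and rt["start"] <= t["start"] <= rt["last"]:
                    kind = "cache_poisoning"
        alarms.append(dict(kind=kind, dip=f.dip, bpr=bpr(f), n=t["n"], start=t["start"], end=t["last"]))
    return alarms

def make_flows():
    """Constructed traffic: 60 requests to 5.10.15.20 from varied sources, 60 same-port
    90-byte replies from 20.20.20.30, then 55 replies too small to answer those requests."""
    flows = []
    for s in (78, 79):
        flows += [Flow(f"20.30.{i}.5", "5.10.15.20", 1, 70, s, 14000 + i, 53) for i in range(30)]
        flows += [Flow("20.20.20.30", "5.10.15.20", 1, 90, s, 53, 51453) for _ in range(30)]
    flows += [Flow("30.30.30.30", "5.10.15.20", 1, 80, 79, 53, 40000) for _ in range(55)]
    return flows

if __name__ == "__main__":
    for a in detect(make_flows()):
        print(a)
```

The 80-byte reply burst is reported only as repeated responses because 80 is not greater than 70 + 16, which is the BPR check separating a plausible forged answer from unrelated response traffic.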
Cache Poisoning Example
Type  Src IP          Dest IP      Pkts  Bytes  Stime  Etime  Sport  Dport  Prot
2     20.20.20.30     5.10.15.20   1     90     77     77     53     51453  17
1     20.30.10.5      5.10.15.20   1     70     78     78     14414  53     17
2     20.20.20.30     5.10.15.20   1     90     78     78     53     51453  17
1     100.50.25.25    5.10.15.20   1     70     79     79     50235  53     17
1     200.100.50.25   5.10.15.20   1     70     79     79     65164  53     17
1     50.100.150.200  5.10.15.20   1     70     79     79     61480  53     17
1     10.20.30.40     5.10.15.20   1     70     79     79     10105  53     17
Alerting for Cache Poisoning Attacks
Repeated Requests:dip=5.10.15.20,
number=307,bpr=70,link=SiteA,
sip=var,sport=var,
start_time=Wed Oct 22 13:57:58 2005,
end_time=Wed Oct 22 14:00:38 2005
Suspicious Responses:dip=5.10.15.20,
number=811,bpr=90,link=SiteA,
sip=20.20.20.30,dport:51453,
start_time=Wed Oct 22 13:57:57 2005,
end_time=Wed Oct 22 14:05:00 2005
Repeated Responses:dip=5.10.15.20,
number=811,bpr=90,link=SiteA,
sip=20.20.20.30,dport:51453,
start_time=Wed Oct 22 13:57:57 2005,
end_time=Wed Oct 22 14:05:00 2005
Tunneling Anomaly Detection
• DNS is used to tunnel traffic in and out of firewalls and IDSs
Viruses, botnet control, streaming audio
• Protocol specification should be taken into account
Tunneling Anomaly detection- Abnormal packet sizes
Requests typically should not exceed 312 bytes (including TCP and IP headers)
UDP responses typically do not exceed 512 bytes
Calculate histograms of request/response packet sizes. Track and detect changes in the frequencies of non-conforming packet sizes
Example of anomalies: Large DNS Requests
[Figure: DNS request (UDP) size histogram; x-axis: request size in bytes, 0 to 600; y-axis: probability (%), 0 to 12. Requests above the protocol limit are marked as not complying with the protocol.]
• Interestingly, the large requests appeared among otherwise normal-size requests
• In one case they were sent periodically between a single pair of hosts
Example anomalies: Large DNS responses
[Figure: DNS response (UDP) size histogram; x-axis: response size in bytes, 0 to 1500; y-axis: probability (%), 0 to 1.8. Response sizes above the limit are marked as non-complying.]
Example anomalies: Increase in large request packet size frequencies
[Figure: ratio of non-compliant DNS request byte sizes over time; x-axis: date, 22-Sep to 8-Oct; y-axis: percent of non-compliant request packet sizes, 0 to 4; two series, attga05511 and n54ny01668ra.]
Track and detect packet size anomalies
Build a baseline histogram of packet sizes
Calculate the current histogram
Calculate the difference between the current and baseline histograms. The KL distance (also known as relative entropy) is one example:
E_r = \sum_i p_i \log(p_i / q_i),
where p_i are the current frequencies and q_i are the baseline frequencies
Track and detect packet size anomalies (cont’d)
Baseline should be adaptive to variations in traffic
It should be updated when there are small changes that are benign
It should not include data that generate alarms
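The packet-size tracking described on the tunneling slides and on the two "Track and detect packet size anomalies" slides, as an added example that is not code from the presentation: a size histogram, the non-compliance ratio against the 312/512-byte limits, the KL distance E_r = sum_i p_i log(p_i / q_i) between current and baseline, and a baseline that adapts only to windows that did not alarm. The 16-byte bin width, the EPS floor for bins absent from the baseline, the 0.5 alarm threshold, the 0.1 update rate and the sample sizes are all assumptions.

```python
# Added example (not from the slides): histogram tracking of DNS packet sizes with KL distance
# against an adaptive baseline. BIN, EPS, threshold, alpha and the sample data are assumptions.
import math
from collections import Counter

BIN, EPS = 16, 1e-6                       # 16-byte bins; mass given to bins absent from baseline
MAX_REQUEST, MAX_UDP_RESPONSE = 312, 512  # size limits quoted on the slides

def histogram(sizes):
    """Relative frequency of packet sizes per BIN-byte bucket."""
    counts = Counter(s // BIN for s in sizes)
    return {b: n / len(sizes) for b, n in counts.items()}

def noncompliant_ratio(sizes, limit):
    """Fraction of packets larger than the protocol limit."""
    return sum(s > limit for s in sizes) / len(sizes)

def kl_distance(p, q):
    """E_r = sum_i p_i log(p_i / q_i) with p = current, q = baseline frequencies."""
    return sum(pi * math.log(pi / q.get(b, EPS)) for b, pi in p.items())

class SizeMonitor:
    def __init__(self, baseline_sizes, limit, threshold=0.5, alpha=0.1):
        self.baseline, self.limit = histogram(baseline_sizes), limit
        self.threshold, self.alpha = threshold, alpha

    def observe(self, sizes):
        """Return (E_r, non-compliant ratio, alarm) for one window of packet sizes."""
        p = histogram(sizes)
        er = kl_distance(p, self.baseline)
        alarm = er > self.threshold
        if not alarm:  # adapt to small benign changes; never absorb data that alarmed
            bins = set(p) | set(self.baseline)
            self.baseline = {b: (1 - self.alpha) * self.baseline.get(b, 0.0)
                             + self.alpha * p.get(b, 0.0) for b in bins}
        return er, noncompliant_ratio(sizes, self.limit), alarm

def demo():
    """Constructed request sizes: 60-99 byte lookups, then a window with 20% 400-byte packets."""
    normal = [60 + (i * 7) % 40 for i in range(500)]
    tunnel = normal[:400] + [400 + (i % 5) * 8 for i in range(100)]
    monitor = SizeMonitor(normal, MAX_REQUEST)
    return monitor.observe(normal), monitor.observe(tunnel)

if __name__ == "__main__":
    for er, ratio, alarm in demo():
        print(f"E_r={er:.3f} noncompliant={ratio:.1%} alarm={alarm}")
```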
Example of detection of tunneling: the Sinit virus propagated using port 53 traffic
Sophisticated p2p-type propagation using a custom protocol
[Figure: cross entropy vs. self-entropy over time (NY 01668ra circuit); y-axis 0 to 6; series: Self Entropy, Cross Entropy, Diff, Threshold.]
Summary
DNS is ubiquitous and expanding to new applications and technologies
Many vulnerabilities exist due to poor design, configuration or software holes
Monitoring revealed wide-scale events before public reports
DNSSEC is an attempt to address some of the security issues