TRANSCRIPT
Page 1: Dark Side of the DNS Force
Erik Wu, Acalvio, Inc.
Page 2: Agenda: Intro, Subdomain, Mechanism, Impact, Outro (DNS: the Good, the Bad, the Ugly)
Page 3: DNS: blackhat.com. resolves to 104.20.66.243
Page 4: Registered Internet Domains, 1993 to 2016 (chart: Internet Domain Names in millions, axis 0 to 1200). Source: Statista
Page 5: Cloudflare/Spamhaus DDoSed via open DNS resolvers
(chart from openresolverproject.org: Responses, Unique Correct Responses, Wrong Port, RA)
Flashing in March 2013: 300 Gbps DNS amplification attacks. 27.2M open DNS resolvers in 2013; 17.6M today, more than three years later.
Page 6: DNS amplification DDoS attacks
• Enablers
  • Open DNS resolvers
  • DNS amplifiers: legit or purpose-built
  • Spoofed sending addresses (of victims)
(diagram: attacker -> open resolvers, fed by a DNS amplifier -> victim)
Pages 7 to 10: DNS amplification DDoS attacks (animated build-up of the same diagram). DNS amplifier: legit | purpose-built
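The three enablers on page 6, as an added worked example that is not code from the talk: it builds the wire-format query an amplification tool sends (RD set, QTYPE=ANY, an EDNS0 OPT record advertising a 4096-byte UDP buffer), reads the RA bit that the openresolverproject.org chart counts, and computes the bandwidth amplification factor. The "response" is a constructed byte string (15 TXT records of sample data), so the script runs offline; the name blackhat.com., the TXT count and the 4096-byte buffer are assumptions for illustration, and nothing here spoofs a source address.

```python
"""Measure what a DNS reflector would give an attacker, entirely offline.

Added example (not from the talk). Builds a wire-format DNS query the way an
amplification tool does: RD=1, QTYPE=ANY, plus an EDNS0 OPT record (RFC 6891)
advertising a 4096-byte UDP buffer so the reflector may send a large answer.
The reply is a constructed byte string, so nothing touches the network;
substitute a real datagram to measure a resolver you operate.
"""
import struct

TYPE_ANY, TYPE_TXT, TYPE_OPT = 255, 16, 41
FLAG_QR, FLAG_RD, FLAG_RA = 0x8000, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """'blackhat.com.' -> b'\\x08blackhat\\x03com\\x00' (RFC 1035 label format)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def opt_record(udp_payload: int = 4096) -> bytes:
    """EDNS0 OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0 flags, no RDATA."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)


def build_query(qname: str, qtype: int = TYPE_ANY, udp_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Query with RD=1; counts: qd=1, an=0, ns=0, ar=1 (the OPT record)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # QCLASS=IN
    return header + question + opt_record(udp_payload)


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte DNS header into flag bits and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def is_open_resolver(query: bytes, response: bytes) -> bool:
    """A stranger's recursive query answered with RA=1 and NOERROR: the RA the chart on page 5 counts."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["ra"] and r["rcode"] == 0


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends (bandwidth amplification factor)."""
    return len(response) / len(query)


def constructed_response(query: bytes, n_txt: int = 15, txt_len: int = 255, ra: bool = True) -> bytes:
    """Constructed reply (sample data, not a real zone): echoes the question, then n_txt TXT
    records, sized to fit inside the 4096-byte buffer the query advertised."""
    q = parse_header(query)
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0)        # rcode 0 = NOERROR
    header = struct.pack("!HHHHHH", q["id"], flags, 1, n_txt, 0, 1)
    question = query[12:-len(opt_record())]                   # copy the question section verbatim
    txt = bytes([txt_len]) + b"A" * txt_len                   # one <character-string> of txt_len bytes
    # owner name is a compression pointer to offset 12 (the question name), class IN, TTL 3600
    rr = struct.pack("!HHHIH", 0xC00C, TYPE_TXT, 1, 3600, len(txt)) + txt
    return header + question + rr * n_txt + opt_record()


if __name__ == "__main__":
    q = build_query("blackhat.com.")
    r = constructed_response(q)
    print(f"query {len(q)} bytes, response {len(r)} bytes, factor {amplification_factor(q, r):.1f}x, "
          f"open resolver: {is_open_resolver(q, r)}")
```

The 41-byte query and 4061-byte constructed answer give a factor of about 99x, which is what "disarm amplifiers" on page 11 is about: a reflector that truncates or rate-limits large ANY and TXT answers returns far fewer bytes per query. Replace constructed_response with a datagram received from a resolver you operate and the same two functions report whether it is open (RA set) and how much it amplifies.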
Page 11: DNS amplification DDoS attacks
• Mitigation options
  • Filter spoofed sending addresses (ingress filtering at the network edge, BCP 38)
  • Disarm amplifiers
  • Close open resolvers
Page 12: High spikes of unique domains seen on the Internet (chart: Unique Domain Names in millions, axis 0 to 6000). Source: Nominum
Page 13: What's wrong with subdomains?
blackhat.com. -> 104.20.66.243
www.blackhat.com., m.blackhat.com., media.blackhat.com. (names that exist)
wwww.blackhat.com., mwww.blackhat.com., mmww.blackhat.com., mmmw.blackhat.com., mmmm.blackhat.com. -> NXDOMAIN
Page 14: Subdomain attack as a competitive edge
• Online gaming sites' availability is a key metric
• The subdomain attack was a novel abuse of DNS back in 2011/2012
• Initially, simple sequence-number strings were used as prefixes to a competitor gaming site's domain name, to disrupt that site's service:
100000000.sf520.com.
100000001.sf520.com.
100000010.sf520.com.
100000011.sf520.com.
100000100.sf520.com.
100000101.sf520.com.
100000110.sf520.com.
100000111.sf520.com.
100001000.sf520.com.
Page 15: Aimed at high-value targets
~200M unique subdomains of arkhamnetwork.org.
Page 16: Aimed at high-value targets (continued)
Page 17: Subdomain strings
Subdomain strings, of fixed or varying length:
• Random strings: z5kr836ws, qjkn, zdecc7nnx, styzcphur; WO423WWWOX5C, FN88RBHXWX9J
• Time stamps: 1465560729, 1465561210
• Random numbers: 2967230841, 4343234574
• Sequence numbers: 1165885261118, 1165885261119
• Dictionary words: glassmaking, dishwater
Page 18: Subdomain position
Subdomain position: left most, 2nd left most, 3rd left most, or any position on the left side of the target domain:
zdecc7nnx.www.blackhat.com.       (left most)
m.zdecc7nnx.www.blackhat.com.     (2nd left most)
n.m.zdecc7nnx.www.blackhat.com.   (3rd left most)
Page 19: Subdomain composition
Subdomain composition: a single subdomain string, multiple subdomain strings, or a combination of constant and random strings:
FN88RBHXWX9J.blackhat.com.                                   (single string)
WO423WW1WX5.FN88RBHXWX9J.blackhat.com.                       (multiple strings)
a.FN88RBHXWX9J.blackhat.com., b.WO423WW1WX5.blackhat.com.    (constant plus random)
Page 20: Impact
• Attacking the target domain's authoritative name servers
• Collateral damage to DNS resolvers along the path
• Enablers
  • Subdomain generator
  • (optional) Open resolvers
  • (optional) Spoofed sending addresses
(diagram: resolvers asking the victim's name server "what is the IP address of victim.com?")
Page 21: Operation disruption
An authoritative name server often serves more than one domain, and so does a DNS resolver (caching/recursive), so every domain they host shares the outage.
A major ISP's operation may be taken down by a small-scale subdomain attack: 2 Gbps, versus the 300 Gbps of the 2013 amplification attack.
Page 22: Mitigation options
• Subdomain attacks may be mitigated, with varying results:
  • Drop queries with random strings
  • Limit queries with random strings
  • Limit queries per IP address
  • Limit queries per domain
  • Drop queries per domain
• What about high-value targets?
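The generator patterns on pages 17 to 19 and the mitigation list on page 22, as one added example that is not code from the talk: a resolver-side filter that applies the options in order, dropping queries that carry a random-looking label at any position left of the target zone, then limiting per client IP, then per domain, over a constructed query log with three attack phases. The thresholds (8-character minimum label, 10 queries per client per second, 50 per zone per second), the vowel-ratio heuristic, the 198.51.100.0/24, 203.0.113.0/24 and 198.18.0.0/15 sample addresses and the word list are all assumptions for illustration.

```python
"""Resolver-side filter for random-subdomain (NXDOMAIN) floods.

Added example (not from the talk). Applies three of page 22's options in
order (drop random strings, limit per client IP, limit per domain) to a
constructed query log and reports what each option catches and misses.
"""
import random
import string
from collections import Counter, defaultdict, deque

ZONE = "blackhat.com."          # target domain, taken from the slides
RANDOM_LABEL_MIN_LEN = 8        # assumption: shorter labels are too common in real host names to judge


def labels_left_of_zone(qname: str, zone: str) -> list:
    """'n.m.zdecc7nnx.www.blackhat.com.' -> ['n', 'm', 'zdecc7nnx', 'www'] (any position counts)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    if q == z:
        return []
    if not q.endswith("." + z):
        raise ValueError(f"{qname} is not under {zone}")
    return q[: -len(z) - 1].split(".")


def looks_random(label: str) -> bool:
    """Heuristic for the generator patterns on pages 17 to 19. Dictionary words pass on purpose:
    without a word list they are indistinguishable from real host names."""
    if len(label) < RANDOM_LABEL_MIN_LEN:
        return False
    if any(c.isdigit() for c in label):            # timestamps, sequence/random numbers, alnum soup
        return True
    vowels = sum(c in "aeiou" for c in label.lower())
    return vowels / len(label) < 0.2               # consonant-heavy strings such as 'styzcphur'


class SubdomainFloodFilter:
    """Sliding one-second windows per (client, zone) and per zone."""

    def __init__(self, client_qps: int = 10, zone_qps: int = 50, drop_random: bool = True):
        self.client_qps, self.zone_qps, self.drop_random = client_qps, zone_qps, drop_random
        self.client_window = defaultdict(deque)
        self.zone_window = defaultdict(deque)

    @staticmethod
    def _over_limit(window: deque, ts: float, limit: int) -> bool:
        while window and ts - window[0] >= 1.0:    # expire entries older than one second
            window.popleft()
        window.append(ts)
        return len(window) > limit

    def decide(self, ts: float, client: str, qname: str, zone: str = ZONE) -> str:
        """Return 'pass', 'drop-random', 'limit-client' or 'limit-zone' for one query."""
        if self.drop_random and any(looks_random(l) for l in labels_left_of_zone(qname, zone)):
            return "drop-random"
        if self._over_limit(self.client_window[(client, zone)], ts, self.client_qps):
            return "limit-client"
        if self._over_limit(self.zone_window[zone], ts, self.zone_qps):
            return "limit-zone"
        return "pass"


def constructed_log() -> list:
    """Constructed traffic (not captured data): (timestamp, client IP, qname) tuples."""
    rng = random.Random(7)
    alnum = string.ascii_lowercase + string.digits
    log = [(i * 0.1, f"198.51.100.{10 + i}", f"{l}.{ZONE}" if l else ZONE)
           for i, l in enumerate(["www", "m", "media", "", "www"])]   # 5 legitimate lookups
    for i in range(30):   # phase 1: random label in 2nd position, a fresh spoofed source per query
        label = rng.choice(string.ascii_lowercase) + "".join(rng.choice(alnum) for _ in range(7)) + str(i)
        log.append((0.5 + i * 0.01, f"203.0.113.{i}", f"{label}.www.{ZONE}"))
    words = ["glassmaking", "dishwater", "lantern", "harbor", "meadow", "copper", "velvet", "thunder",
             "pebble", "orchard", "saddle", "timber", "walnut", "canvas", "marble"]
    for i, w in enumerate(words):   # phase 2: dictionary words, one unspoofed source, 15 in 0.15 s
        log.append((1.0 + i * 0.01, "203.0.113.200", f"{w}.{ZONE}"))
    for i in range(60):   # phase 3: page 13 style 4-letter labels from 60 spoofed sources
        label = "".join(rng.choice("wm") for _ in range(4))
        log.append((3.0 + i * 0.005, f"198.18.0.{i}", f"{label}.{ZONE}"))
    return log


def run(log: list, flt: SubdomainFloodFilter = None) -> dict:
    """Tally the verdict for every query in the log."""
    flt = flt or SubdomainFloodFilter()
    return dict(Counter(flt.decide(ts, client, qname) for ts, client, qname in log))


if __name__ == "__main__":
    for verdict, n in sorted(run(constructed_log()).items()):
        print(f"{verdict:13s} {n}")
    print("without the random-string check:", run(constructed_log(), SubdomainFloodFilter(drop_random=False)))
```

Running it shows why page 22 says "varying results": the random-string check catches the 30 spoofed random-prefix queries but neither the 4-letter labels of page 13 nor the dictionary words, and a real deployment would also false-positive on legitimate machine-named hosts; the per-client limit stops the unspoofed dictionary burst but is useless against 60 spoofed sources, which only the per-zone limit catches, and that limit then throttles genuine lookups of the domain too, which is the high-value-target problem the slide ends on. With drop_random=False the same log passes 95 queries instead of 65.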
Page 23: Dark side innovation
Simple protocol abuse can become a major security headache and a costly mitigation:
• DNS cache poisoning
• DNS changer
• DNS amplification
• DNS subdomain
• DNS tunneling
Page 24: Dark side innovation
Arms race between the dark-side innovations and ours in cyber security defense:
• The dark side has repeatedly won the fight
• Any glitch in our defense is a winning, amplifiable opportunity for the dark side, while the reverse is not true
• Rethinking our defense strategy: deception, to help rebalance the asymmetric warfare between the dark side and us
Page 25: Thanks and Questions