Thoughts about DNS for DDoS
Some thoughts about DNS for DDoS
A Speculation on DNS DDOS
Geoff Huston
APNIC

What we know about the October DYN attack…
Well – guess from the snippets that have been released…
It was a Mirai attack
It used a compromised device collection
It used a range of attack vectors: TCP SYN, TCP ACK, GRE, …
One of these was DNS

DDOS Attacks
Are nothing new – unfortunately
And our response is often responding like for like
• Build thicker and thicker bunkers of bandwidth and processing capacity that can absorb the attacks
• And leave the undefended open space as toxic wasteland!
But using the DNS for attacks opens some new possibilities…

What we understand about direct DNS DDOS attacks
These are not reflection/amplification attacks
They are directed at the authoritative name servers / root servers
It loads the authoritative servers with query traffic
It can saturate the carriage/switching infrastructure of the server
It can exhaust the server itself of resources so it drops “legitimate” queries
The attack queries look exactly like other queries that are seen at these servers
So front end pattern matching and filtering may not work
The qname is likely to be <random>.target so as to defeat caches and simple filters
These queries look just like Chrome’s behaviour!

The intended outcome of the attack
• Because the <random>.target qname form will defeat the recursive resolver caching function, the query is passed to the auth name server to resolve
• With an adequately high query volume, the authoritative server will start to discard queries due to resource starvation
• The result is that the target name will fade away on the Internet as recursive resolvers’ cache entries expire, and they cannot refresh their cache from the authoritative servers

Possible Mitigations – 1
”A Bigger Bunker”: Add more Foo
• More authoritative name servers
• More bandwidth to authoritative name servers
• More CPU and memory to authoritative name servers
• i.e. deploy more ”foo” and try and absorb the attack at the authoritative name server infrastructure while still answering “legitimate” queries

Possible Mitigations - 2
Longer TTLs:
• Low TTLs make the auth servers more vulnerable because recursives need to refer to authoritatives more frequently
• With a longer TTL, the attack will still happen, but the legit recursives may not get a cache expiry so quickly
• The recursive resolvers will still serve cached names from their cache even when the authoritative name server is offline
• Attackers will need to attack for longer intervals to cause widespread visible damage
But..
• Nobody likes to cement their DNS with long TTLs
• And current recursive resolvers don’t seem to honour longer TTLs anyway!

Possible Mitigations – 3
Filter queries:
• Try to get a fix on the <random> name component in the queries
• Set up a front end query filter and block these queries
• But
• This is just tail chasing!

Possible Mitigations - 4
What if the attacking devices are passing the queries directly to the authoritative name servers?
Filter IP addresses!

All resolvers might be equal, but some resolvers are more equal than others!
8,000 distinct IP addresses (2.3% of all seen IP addrs) for resolvers serve 90% of all experiments

Possible Mitigations - 4
“Filter Filter Filter” (IP sources)
Only 8,000 discrete IP addresses account for more than 90% of the users’ DNS queries
These are the main recursive resolvers used by most of the internet – so it’s probably good to answer them!
Put all other source IP address queries on a lower priority resolution path within the authoritative name server
Divide queriers into separate queues of “Friends” and “Strangers”: Just like SMTP!

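A toy model of the “Friends” and “Strangers” queues above, added here as an illustration and not part of the slides. The authoritative server has a fixed answer budget per scheduling interval; queries from a small set of known recursive resolvers (the constructed FRIENDS list stands in for the 8,000 heavily used resolvers) are served first, while all other sources share a smaller reserved budget, so a flood from unknown sources cannot starve the resolvers that serve most users.

```python
from collections import deque

# Constructed list of "Friend" resolver addresses; a real list would be
# built from observed query share (the ~8,000 resolvers on slide 10).
FRIENDS = {"192.0.2.53", "198.51.100.10", "203.0.113.7"}

class PriorityAuth:
    def __init__(self, capacity, stranger_share=0.2, prioritise=True):
        self.capacity = capacity                        # answers per interval
        self.stranger_budget = int(capacity * stranger_share)
        self.prioritise = prioritise                    # False = plain FIFO
        self.friends, self.strangers = deque(), deque()
        self.answered, self.dropped = [], []

    def enqueue(self, src_ip, qname):
        known = self.prioritise and src_ip in FRIENDS
        (self.friends if known else self.strangers).append((src_ip, qname))

    def _serve(self, queue, limit):
        n = 0
        while queue and n < limit:
            self.answered.append(queue.popleft())
            n += 1
        return n

    def tick(self):
        """One interval: Strangers get at most their reserved share, Friends
        get all that is left, Strangers take any remainder; the rest is dropped."""
        budget = self.capacity
        budget -= self._serve(self.strangers, self.stranger_budget)
        budget -= self._serve(self.friends, budget)
        budget -= self._serve(self.strangers, budget)
        for q in (self.friends, self.strangers):
            self.dropped.extend(q)
            q.clear()

def simulate(flood=1000, legit=50, capacity=100, prioritise=True):
    """Flood of <random>.target queries from constructed unknown sources,
    followed by cache refreshes from the Friend resolvers. Returns
    (friend queries answered, total answered, total dropped)."""
    auth = PriorityAuth(capacity, prioritise=prioritise)
    for i in range(flood):
        auth.enqueue(f"10.{i % 250}.{i // 250}.{i % 7 + 1}", f"r{i:05x}.target")
    for i in range(legit):
        auth.enqueue(sorted(FRIENDS)[i % len(FRIENDS)], "www.target")
    auth.tick()
    friend_ok = sum(1 for ip, _ in auth.answered if ip in FRIENDS)
    return friend_ok, len(auth.answered), len(auth.dropped)
```

With `prioritise=False` the same load is served first-come-first-served and every Friend refresh queued behind the flood is discarded.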
Possible Mitigations - 5
What if the devices are passing the queries via recursive resolvers?

Possible Mitigations - 5
Get assistance! Use DNSSEC and apply NSEC Aggressive caching*
• The attack will generate NXDOMAIN answers
• So why not get the recursive resolvers closer to the individual devices to answer the NXDOMAIN query directly
• This can be done with the combination of DNSSEC and NSEC signing, using the NSEC span response to then respond to further queries within the span without reference to the authoritative servers
• This means that the recursive system absorbs the DNS query attack and does not refer the queries back to the auth servers
* draft-ietf-dnsop-nsec-aggressiveuse-05

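A minimal model of the NSEC aggressive-use idea on this slide (the mechanism later published as RFC 8198), added as an example and not taken from the slides. It assumes a flat zone with no delegations, whose NSEC chain has already been fetched and DNSSEC-validated; the zone name and NSEC records are constructed. A query whose name falls inside a cached NSEC span, and whose closest encloser also has a cached proof that no wildcard exists, is answered NXDOMAIN by the recursive resolver without contacting the authoritative servers.

```python
ZONE = "example.com"

# Constructed, already-validated NSEC chain for the zone: (owner, next).
# The last record points back to the apex, closing the chain.
NSEC_CACHE = [
    ("example.com", "alpha.example.com"),
    ("alpha.example.com", "mail.example.com"),
    ("mail.example.com", "www.example.com"),
    ("www.example.com", "example.com"),
]

def canon_key(name):
    """Canonical ordering key (RFC 4034 s6.1): labels from the root down,
    case-insensitive; a parent sorts immediately before its children."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def covering_nsec(qname):
    """Return the cached NSEC whose span proves qname does not exist, or None."""
    q = canon_key(qname)
    for owner, nxt in NSEC_CACHE:
        lo, hi = canon_key(owner), canon_key(nxt)
        if q == lo:
            return None                     # the name exists
        if (lo < q < hi) or (hi <= lo and q > lo):   # hi <= lo: wrap to apex
            return (owner, nxt)
    return None

def closest_encloser(qname):
    """Longest existing ancestor of qname; here 'existing' means it owns
    a cached NSEC record (true for a flat zone whose chain is fully cached)."""
    owners = {canon_key(o) for o, _ in NSEC_CACHE}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if canon_key(".".join(labels[i:])) in owners:
            return ".".join(labels[i:])
    return None

def resolve(qname):
    """'NXDOMAIN' when the resolver can answer from cached NSEC records
    (absorbing the query); 'FORWARD' when it must ask the authoritative."""
    apex = canon_key(ZONE)
    if canon_key(qname)[:len(apex)] != apex:
        return "FORWARD"                    # outside the zone we hold proofs for
    if covering_nsec(qname) is None:
        return "FORWARD"
    ce = closest_encloser(qname)            # RFC 8198 also needs a wildcard proof
    if ce is None or covering_nsec("*." + ce) is None:
        return "FORWARD"
    return "NXDOMAIN"
```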
If only…
• Piecemeal solutions deployed in a piecemeal fashion will see attackers pick off the vulnerable again and again
• And the long term answer is not bigger and thicker walls, as the IoT volumes will always be higher
• We need to think again how to leverage the existing DNS resolution infrastructure to be more resilient
• And for that we probably need to talk about this openly and constructively and see if we can be smarter and make a more resilient DNS infrastructure
• And for that we probably need to talk about the DNS and DNSSEC and how it works, and how it can work for us to defend these attacks