a solution for the dns amplification attack problem july
play

A solution for the DNS amplification attack problem July 4 th , 2013 - PowerPoint PPT Presentation

Nov 30, 2022 •175 likes •409 views

Ralph Dolmans A solution for the DNS amplification attack problem July 4 th , 2013 Context Spamhaus was attacked with 300Gbps Every day attacks are getting bigger Sites can be held hostage, banks cannot talk Global problem, the end

  1. Ralph Dolmans A solution for the DNS amplification attack problem July 4 th , 2013

  2. Context  Spamhaus was attacked with 300Gbps  Every day attacks are getting bigger  Sites can be held hostage, banks cannot talk  Global problem, the end of the Internet? Research Project 2, Ralph Dolmans 2

  3. Annoy people by sending bricks  Send an unsolicited brick by mail  Annoying for the receiver, but only obstructive when done by many people at once Research Project 2, Ralph Dolmans 3

  4. Easy way to send lots of bricks Research Project 2, Ralph Dolmans 4

  5. 1: Sender verification  Factory contacts customers to verify order  Dramatic change in order process  More work for bricks factory employees  More time needed to handle requests = Three way handshake, DNS over TCP Research Project 2, Ralph Dolmans 5

  6. 2: Prevent sender address spoofing  Validation at postal sorting center, only process orders when the delivery address is in the area in which the mail is posted  Only works when all postal sorting centers can be trusted = BCP38 Research Project 2, Ralph Dolmans 6

  7. 3: Rate limiting  Limit the number of orders the factory handles per customer address  Factory can falsely drop orders, thereby losing money  Factory can falsely allow orders, thereby still sending unsolicited bricks = DNS Response Rate Limiting (DNS RRL) Research Project 2, Ralph Dolmans 7

  8. Shipping to intended users only Research Project 2, Ralph Dolmans 8

  9. DNS parallel  Bricks factory = Authoritative name server (ANS)  Local reseller = Recursive resolver (RRNS)  Local customer = User of a specific resolver Research Project 2, Ralph Dolmans 9

  10. DNS amplification attacks  Same solution:  ANS handles orders coming from RRNS  RRNS only handles orders coming from local users  Instead of dropping unwanted orders, the ANS could apply a rate limit to enable debugging Research Project 2, Ralph Dolmans 10

  11. Whitelists  RRNS needs whitelist of customers  RRNS providers know the IPs of their network  ANS needs global whitelist of RRNS servers  There are no list containing all resolvers, so we need a method to create this list Research Project 2, Ralph Dolmans 11

  12. Generating a global list of resolvers  We cannot simply scan IP space as is done by http://openresolverproject.org/  Log source address in requests at ANS  Introducing integrity using a simple CNAME handshaking dialogue Research Project 2, Ralph Dolmans 12

  13. Simple CNAME handshake Research Project 2, Ralph Dolmans 13

  14. Custom ANS software  Implemented using python + twisted  ping val.stopddosattacks.org  1200+ resolvers in the MySQL database so far Research Project 2, Ralph Dolmans 14

  15. ANS whitelist check  Using standard firewall instead of changing DNS software (BIND, NSD, PowerDNS)  Firewall rules for ANS:  Accept packet when source on whitelist  Rate limit packer otherwise  Does this perform? Research Project 2, Ralph Dolmans 15

  16. Iptables + ipset whitelist  Ipset for the whitelisted IPs  Benchmarks:  Average latency, handling 10 million requests, 200K per second  CPU load for 1 million whitelisted IPs Research Project 2, Ralph Dolmans 16

  17. Iptables + ipset latency Research Project 2, Ralph Dolmans 17

  18. Iptables + ipset CPU usage Research Project 2, Ralph Dolmans 18

  19. Promotion and education  Next step:  Educate people about the attacks  Collect as many resolvers as possible  Encourage the use of whitelists on ANSs  Two websites:  http://stopddosattacks.org  http://reliablenameservers.org Research Project 2, Ralph Dolmans 19

  20. Stopddosattacks.org  Check your connection (RRNS)  Check your website (ANS)  Encourage participation by providing badges Research Project 2, Ralph Dolmans 20

  21. Research Project 2, Ralph Dolmans 21

  22. Reliablenameservers.org  Check you website  Corporate and “green” feeling  Encourage participation by providing back-links Research Project 2, Ralph Dolmans 22

  23. Problem solved, any questions? Research Project 2, Ralph Dolmans 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Replay Attack in the TCG Specification and a Solution Danilo Bruschi Lorenzo Cavallaro Andrea

A Replay Attack in the TCG Specification and a Solution Danilo Bruschi Lorenzo Cavallaro Andrea

Trusted Computing Platforms Replay Attack Model Checking Proposed Solution Conclusion and Future Works A Replay Attack in the TCG Specification and a Solution Danilo Bruschi Lorenzo Cavallaro Andrea Lanzi Mattia Monga Universit` a degli

579 views • 38 slides
Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur

Evaluating Attack Amplification in Online Social Networks in Online Social Networks Blase E. Ur and Vinod Ganapathy blaseur@rci.rutgers.edu , vinodg@cs.rutgers.edu Rutgers University W2SP09 Online Social Networks 200 million

513 views • 37 slides
TOWARDS A SOLUTION TO THE TOWARDS A SOLUTION TO THE "SAMEAS PROBLEM" "SAMEAS

TOWARDS A SOLUTION TO THE TOWARDS A SOLUTION TO THE "SAMEAS PROBLEM" "SAMEAS

TOWARDS A SOLUTION TO THE TOWARDS A SOLUTION TO THE "SAMEAS PROBLEM" "SAMEAS PROBLEM" Joe Raad joe.raad@agroparistech.fr July 12th, 2018 - DIG Seminar ABOUT ME ABOUT ME PHD STUDENT PHD STUDENT * 3rd year * MIA-Paris

780 views • 43 slides
A solution of A solution of the cusp problem the cusp problem in relaxed halos in relaxed

A solution of A solution of the cusp problem the cusp problem in relaxed halos in relaxed

A solution of A solution of the cusp problem the cusp problem in relaxed halos in relaxed halos E.V. Mikheeva in collaboration with A.G.Doroshkevich and V.N.Lukash Astro Space Centre of P.N.Lebedev Physics Institute Cusp problem: density

398 views • 14 slides
Company Name 1 Team 2 Problem What problem are you solving? 3 Solution What is your

Company Name 1 Team 2 Problem What problem are you solving? 3 Solution What is your

Company Name 1 Team 2 Problem What problem are you solving? 3 Solution What is your solution to the problem? 4 Customer Segment Who needs our solution? How many people need our solution right now? How many will

202 views • 18 slides
Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
Addressing the Forking Amplification Vulnerability draft-ietf-sip-fork-loop-fix-02 Robert Sparks

Addressing the Forking Amplification Vulnerability draft-ietf-sip-fork-loop-fix-02 Robert Sparks

Addressing the Forking Amplification Vulnerability draft-ietf-sip-fork-loop-fix-02 Robert Sparks Since -01 Demonstrated the attack with one resource and one attacker Reintroduced some of the motivational text in the security

267 views • 3 slides
Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013

Identifying Patterns in DNS Traffic Pieter Lexis System and Network Engineering Thu, Jul 4 2013 Reflection and Amplification Attacks DNS abused as DDoS Tool Spamhaus hit with 300 Gigabit/second DDoS Reflected Amplification Attack

429 views • 23 slides
Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent,

Introduction First attack Clamping attacks Low-Data Attack Conclusion Low-Memory Attacks against 2-Round Even-Mansour using the 3-XOR Problem Gatan Leurent, Ferdinand Sibleyras Inria, France Crypto 2019 1 / 23 Introduction First attack

733 views • 58 slides
Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B

Reduction Informal Definition A problem A is reducible to problem B iff the solution to problem B can be used to solve the problem A . Computability and Complexity This means that solving A cannot be more difficult than solving B . Lecture 5 In

187 views • 3 slides
Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA

Return of the Hidden Number Problem A Widespread and Novel Key Extraction Attack on ECDSA and DSA Keegan Ryan NCC Group What is ROHNP? Key extraction attack on DSA and ECDSA Uses an old technique to target a new part of the algorithm

243 views • 23 slides
Privacy Amplification by Mixing and Diffusion Mechanisms Borja Balle, Gilles Barthe, Marco

Privacy Amplification by Mixing and Diffusion Mechanisms Borja Balle, Gilles Barthe, Marco

Privacy Amplification by Mixing and Diffusion Mechanisms Borja Balle, Gilles Barthe, Marco Gaboardi, Joseph Geumlek Amplification by Postprocessing x 1 , , x n y 1 y 2 M K Post-processing Mechanism (Markov operator) Amplification by

338 views • 15 slides
Clean Coffee Team 17 Introduction Context Client Problem Progress Initial Method of Attack

Clean Coffee Team 17 Introduction Context Client Problem Progress Initial Method of Attack

Kirk Brink Chris Greaves Erik Karlson Paul Bootsma Clean Coffee Team 17 Introduction Context Client Problem Progress Initial Method of Attack Obstacles Overcome Final Plan of attack Sensitivity Studies Optimization Sustainability

426 views • 26 slides
Magnetic Field Amplification in SNR by Richtmyer-Meshkov Instability K. Nishihara, T. Sano

Magnetic Field Amplification in SNR by Richtmyer-Meshkov Instability K. Nishihara, T. Sano

Magnetic Field Amplification in SNR by Richtmyer-Meshkov Instability K. Nishihara, T. Sano Institute of Laser Engineering, Osaka University C. Matsuoka Department of Physics, Ehime University amplification B-field line amplification B-field

800 views • 24 slides
A Solution for the Compositionality Problem of Dinatural Transformations Guy McCusker, Alessio

A Solution for the Compositionality Problem of Dinatural Transformations Guy McCusker, Alessio

A Solution for the Compositionality Problem of Dinatural Transformations Guy McCusker, Alessio Santamaria 12 th July 2019 Category Theory 2019 Edinburgh, 7- 13 th July 2019 Dinatural transformations F; G : C op C D . A dinatural

431 views • 41 slides
A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and

A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and

Guideline Introduction String Functions Solution of the Identifiability Problem A Simple and Efficient Solution of the Identifiability Problem for Hidden Markov Models and Quantum Random Walks Alexander Schnhuth Pacific Institute for the

648 views • 37 slides
Welcome Community Partnership Orchard Campus Reading Text is everywhere! Where do we start?

Welcome Community Partnership Orchard Campus Reading Text is everywhere! Where do we start?

Welcome Community Partnership Orchard Campus Reading Text is everywhere! Where do we start? Talking about books Sharing stories as a class Joining in with familiar stories Story play Phonics sessions Home readers Banded books Word lists

564 views • 11 slides
Goals of the Workshop You will learn about: Communication theory. Building communication

Goals of the Workshop You will learn about: Communication theory. Building communication

B ETTER C OMMUNICATION FOR E FFECTIVE D ECISION MAKING W ORKSHOP December 2, 2009 By Karen Firehock and Melinda Holland, E 2 Inc. Special thanks to E. Franklin Dukes, Ph.D Goals of the Workshop You will learn about: Communication theory.

286 views • 28 slides
Building Sustainable Organizations: Putting the Profit in Nonprofit May 9, 2012 Putting the

Building Sustainable Organizations: Putting the Profit in Nonprofit May 9, 2012 Putting the

Building Sustainable Organizations: Putting the Profit in Nonprofit May 9, 2012 Putting the Profit in Nonprofit A nonprofit organization ( NPO ) is an organization that uses surplus revenues to achieve its goals rather than to distribute

448 views • 19 slides
EFFECTIVE SCHOOL TURNAROUND & LEADERSHIP DEVELOPMENT Mark Comanducci: Executive Vice

EFFECTIVE SCHOOL TURNAROUND & LEADERSHIP DEVELOPMENT Mark Comanducci: Executive Vice

PILLARS TO EFFECTIVE SCHOOL TURNAROUND & LEADERSHIP DEVELOPMENT Mark Comanducci: Executive Vice President & Superintendent of Schools Emily Vanderplough: Regional Vice President 2 ACCELs Turnaround Schools To transform the lives

535 views • 29 slides
Parking without Barriers Welcoming access, flexible payment schemes, strict enforcement

Parking without Barriers Welcoming access, flexible payment schemes, strict enforcement

Parking without Barriers Welcoming access, flexible payment schemes, strict enforcement Characteristics Privately owned No Barriers License plate Payment for Regular visitors, car park recognition at visitors (Pay & staff and

457 views • 11 slides
Decentralized Tech - The Next 5 Years Conrad Barski, M.D. CEO, Forward Blockchain Privacy

Decentralized Tech - The Next 5 Years Conrad Barski, M.D. CEO, Forward Blockchain Privacy

Decentralized Tech - The Next 5 Years Conrad Barski, M.D. CEO, Forward Blockchain Privacy "The digital signing mechanism in Bitcoin & Ethereum is the most secure one ever created" "The digital signing mechanism in Bitcoin

828 views • 35 slides
2016 Annual Assessment and Accountability Meeting 1 Image by Photographers Name (Credit in

2016 Annual Assessment and Accountability Meeting 1 Image by Photographers Name (Credit in

2016 Annual Assessment and Accountability Meeting 1 Image by Photographers Name (Credit in black type) or Image by Photographers Name (Credit in white type) Agenda TestNav PearsonAccess next Pearson Portal Image placeholder

426 views • 28 slides
A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk

A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk

A Continuation of Devops Policy as Code March 2019 Gareth Rushgrove @garethr Docker This talk What to expect - A little history Infrastructure, APIs and devops - Parallels with security Security as policy management - Security tool

837 views • 60 slides

More recommend