Arming the Defenseless: An Incentive-based Approach to DNS - - PowerPoint PPT Presentation


SLIDE 1

Arming the Defenseless: An Incentive-based Approach to DNS Reflection Prevention

Casey Deccio, Brigham Young University AIMS 2017 CAIDA, UCSD, La Jolla, CA March 1, 2017

SLIDE 2

Reflection/Amplification-based DDoS Attack

Diagram: attackers (globally distributed) send queries to servers (address B) with the source address spoofed to the victim's address A ((spoofed)A → B); the servers' responses go to the victim (B → A).

SLIDE 3

DNS Response Rate Limiting (RRL)

  • Responses rate limited based on:
    • Frequency of incoming domain name/type/source IP
  • Responses are small – simply request retry over TCP
  • Legitimate clients still have a reasonable chance
  • Weaknesses:
    • Relies on a threshold
    • Deals with amplification, but not reflection

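An added illustration of the RRL behaviour described on this slide (example code written for this page, not code from the talk or from any RRL implementation): a per-second response budget keyed on (name, type, source prefix), with over-budget queries answered by a tiny truncated (TC=1) reply rather than the full answer. The response sizes, the /24 aggregation and the threshold of 5 responses per second are constructed assumptions; the spoofed source 192.0.2.1 plays the victim's address A from slide 2.

```python
import ipaddress
from collections import defaultdict

# Constructed sizes (assumed, not from the slides): a large amplified answer
# versus the minimal truncated reply RRL sends instead.
FULL_RESPONSE_BYTES = 3000      # e.g. a large ANY/DNSKEY answer over UDP
TRUNCATED_RESPONSE_BYTES = 60   # header + question only, TC=1: "retry over TCP"


class ResponseRateLimiter:
    """Per-second response budget keyed on (qname, qtype, source prefix).

    Over budget, the server still answers, but with a truncated (TC=1)
    response so a legitimate client can retry over TCP, where the source
    address cannot be spoofed.
    """

    def __init__(self, responses_per_second, prefix_len=24):
        self.limit = responses_per_second      # the threshold RRL relies on
        self.prefix_len = prefix_len
        self.window = None                     # current one-second window
        self.counts = defaultdict(int)

    def _key(self, qname, qtype, src_ip):
        # Aggregate the client at prefix granularity (assumed /24 for IPv4).
        net = ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        return (qname.lower(), qtype.upper(), str(net))

    def respond(self, now, qname, qtype, src_ip):
        """Return the size in bytes of the response actually sent."""
        window = int(now)
        if window != self.window:              # new second: reset all budgets
            self.window = window
            self.counts.clear()
        key = self._key(qname, qtype, src_ip)
        self.counts[key] += 1
        if self.counts[key] <= self.limit:
            return FULL_RESPONSE_BYTES
        return TRUNCATED_RESPONSE_BYTES


def simulate_flood(n_queries, responses_per_second):
    """Bytes reflected to the victim (address A) without and with RRL.

    All n_queries carry the spoofed source 192.0.2.1 (the victim, A) and
    arrive within one second; a legitimate client elsewhere queries once.
    Returns (bytes_without_rrl, bytes_with_rrl, legitimate_client_bytes).
    """
    rrl = ResponseRateLimiter(responses_per_second)
    without_rrl = n_queries * FULL_RESPONSE_BYTES
    with_rrl = sum(rrl.respond(100.0, "example.com", "ANY", "192.0.2.1")
                   for _ in range(n_queries))
    # The legitimate client is keyed separately and is not affected.
    legit = rrl.respond(100.0, "example.com", "ANY", "198.51.100.7")
    return without_rrl, with_rrl, legit


if __name__ == "__main__":
    no_rrl, yes_rrl, legit = simulate_flood(100, 5)
    print(f"without RRL: {no_rrl} bytes to victim; with RRL: {yes_rrl} bytes; "
          f"legitimate client got a {legit}-byte answer")
```

The simulation also shows the slide's second weakness: RRL cuts the amplification (most replies shrink to 60 bytes) but every one of the 100 replies is still sent to the victim's address, so reflection itself is untouched.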

SLIDE 4

DNS Cookies

  • Server sends cookie to client
  • Cookie must be included in subsequent requests
  • Server drops requests from clients that don’t have cookies
  • Effective for source IP address validation
  • Weaknesses:
    • Cannot be effectively enforced

Diagram: exchange between a DNS client and a DNS server:
  • Client → server: www.example.com (NOCOOKIE)
  • Server → client: COOKIE: 1234
  • Client → server: www.example.com (COOKIE:1234)
  • Server → client: 192.0.2.1
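The exchange in the diagram, as an added example written for this page (not code from the talk). The server cookie is modelled on the RFC 7873 construction, an HMAC over the client cookie and the client's source address, truncated to 8 bytes; that construction, the server secret and the zone data are assumptions, since the slide only shows an opaque value such as COOKIE: 1234. The `enforce` flag models the slide's weakness: a server that drops cookie-less requests also drops every client that never learned to send cookies.

```python
import hashlib
import hmac
import secrets

# Constructed server secret (assumed; a real server would rotate it).
SERVER_SECRET = b"constructed-demo-secret"

ANSWERS = {"www.example.com": "192.0.2.1"}   # constructed zone data


def server_cookie(client_cookie: bytes, client_ip: str) -> bytes:
    """Server cookie bound to the client's cookie and its source address
    (assumed HMAC-SHA256 truncated to 8 bytes, modelled on RFC 7873)."""
    mac = hmac.new(SERVER_SECRET, client_cookie + client_ip.encode(), hashlib.sha256)
    return mac.digest()[:8]


class CookieServer:
    def __init__(self, enforce: bool):
        self.enforce = enforce     # drop cookie-less clients, or not

    def handle(self, src_ip, qname, client_cookie=None, srv_cookie=None):
        """Return (status, server_cookie_or_None, answer_or_None)."""
        if client_cookie is None:
            # A client that does not speak cookies at all. The slide's weakness:
            # enforcing here also drops every legacy client.
            if self.enforce:
                return ("DROP", None, None)
            return ("NOERROR", None, ANSWERS.get(qname))
        expected = server_cookie(client_cookie, src_ip)
        if srv_cookie is None or not hmac.compare_digest(srv_cookie, expected):
            # First contact, stale cookie, or a spoofed source: hand out the
            # cookie in a small reply with no answer section (BADCOOKIE-style).
            return ("BADCOOKIE", expected, None)
        return ("NOERROR", expected, ANSWERS.get(qname))


class CookieClient:
    def __init__(self, ip):
        self.ip = ip
        self.client_cookie = secrets.token_bytes(8)
        self.srv_cookie = None     # learned from the server on first contact

    def resolve(self, server, qname):
        """The two-step exchange from the diagram, from the client's side."""
        status, srv_cookie, answer = server.handle(
            self.ip, qname, self.client_cookie, self.srv_cookie)
        if status == "BADCOOKIE":
            self.srv_cookie = srv_cookie                     # remember it
            status, srv_cookie, answer = server.handle(
                self.ip, qname, self.client_cookie, self.srv_cookie)
        return status, answer


def spoofed_query(server, victim_ip):
    """A sender spoofing the victim's address never receives the server
    cookie (it goes to the victim), so it cannot complete the exchange:
    the only reply is small and carries no answer."""
    return server.handle(victim_ip, "www.example.com", secrets.token_bytes(8), None)


if __name__ == "__main__":
    server = CookieServer(enforce=True)
    print(CookieClient("198.51.100.7").resolve(server, "www.example.com"))
    print(spoofed_query(server, "192.0.2.1")[0])
```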

SLIDE 5

Source Address Filtering: Best Current Practice 38 (BCP38)

  • Filter IP packets whose source IP addresses don’t originate in-network
  • That’s it!

Diagram: attackers (globally distributed) send queries with spoofed source A ((spoofed)A → B) toward servers (address B); unlike the diagram on slide 2, no responses (B → A) reach the victim (address A).

SLIDE 6

Incentives

Diagram: incentives for the three responses, BCP38, DNS RRL, and increasing resources.

SLIDE 7

We either need to incentivize the parties capable of effective solutions, or develop effective mechanisms that can be deployed by those with incentive.

SLIDE 8

Network Capability Assertion In a Nutshell

  • Server enforces source address validation mechanism
    • on demand; or
    • all the time
  • To enforce source address validation
    • a server performs a lookup of network capabilities; and
    • ignores requests that don’t validate

SLIDE 9

Reflection with Enforcement of Source IP Address Validation

Diagram: attackers (globally distributed) send queries with spoofed source A ((spoofed)A → B) toward servers (address B); with source address validation enforced, no responses (B → A) reach the victim (address A).

SLIDE 10

Advertising and Detecting Network Capabilities – in the DNS

  • Publish and lookup in .arpa tree in the DNS
    • Example: for 192.0.2.1, query the DNS for 2.0.192.in-addr.arpa
  • Network capabilities specified at 8-bit granularity
  • Child inherits default policy from parent
  • Server assumes defaults until lookup completes

Diagram: the in-addr.arpa tree: arpa → in-addr → 192 (with siblings 191, 193, …) → 2 → …
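An added example, written for this page rather than taken from the talk, covering both the lookup on slide 10 and the enforcement on slide 8: the reverse names for an address are walked from the /8 level down so that a child inherits its parent's policy unless it publishes its own, the server assumes the default until the lookup completes, and requests from a source whose network asserted a capability are ignored unless they validate. The slides do not name a record type or value syntax, so `CAPABILITY_TREE` (a dictionary standing in for published DNS data), the capability value "cookies" (meaning "clients in this prefix support DNS cookies, so require them"), and the /24 cache key are all assumptions.

```python
import ipaddress

DEFAULT_CAPABILITY = "none"   # what the server assumes until a lookup completes

# Constructed stand-in for the published .arpa data: owner name -> asserted
# capability. Record type and value syntax are assumed (one string per node).
CAPABILITY_TREE = {
    "192.in-addr.arpa": "cookies",        # asserted for 192.0.0.0/8 ...
    "2.0.192.in-addr.arpa": "none",       # ... but withdrawn for 192.0.2.0/24
    "100.51.198.in-addr.arpa": "cookies",
}


def arpa_names(ip):
    """Owner names from the /8 to the /32 level; for 192.0.2.1 these are
    192.in-addr.arpa, 0.192.in-addr.arpa, 2.0.192.in-addr.arpa, 1.2.0.192.in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return [".".join(reversed(octets[:n])) + ".in-addr.arpa" for n in range(1, 5)]


def lookup_capability(ip, tree=CAPABILITY_TREE):
    """Walk from the least to the most specific node (8-bit granularity);
    each child inherits the parent's policy unless it publishes its own."""
    policy = DEFAULT_CAPABILITY
    for name in arpa_names(ip):
        if name in tree:
            policy = tree[name]
    return policy


class EnforcingServer:
    """Looks up capabilities per source, assumes defaults while the lookup is
    outstanding, and ignores requests that don't validate."""

    def __init__(self, tree=CAPABILITY_TREE):
        self.tree = tree
        self.cache = {}              # /24 prefix -> capability (assumed cache key)
        self.pending = set()         # lookups started but not yet answered

    def _prefix(self, ip):
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def complete_lookups(self):
        """Deliver every outstanding lookup result (stands in for the DNS round trip)."""
        for prefix in self.pending:
            self.cache[prefix] = lookup_capability(prefix.split("/")[0], self.tree)
        self.pending.clear()

    def handle(self, src_ip, has_valid_cookie):
        prefix = self._prefix(src_ip)
        capability = self.cache.get(prefix)
        if capability is None:
            self.pending.add(prefix)         # start the lookup ...
            capability = DEFAULT_CAPABILITY  # ... and assume defaults meanwhile
        if capability == "cookies" and not has_valid_cookie:
            return "IGNORE"                  # the source could not validate
        return "ANSWER"


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.3.7", "198.51.100.9", "203.0.113.5"):
        print(ip, "->", arpa_names(ip)[2], "=>", lookup_capability(ip))
    server = EnforcingServer()
    print(server.handle("198.51.100.9", False))   # ANSWER: default until lookup completes
    server.complete_lookups()
    print(server.handle("198.51.100.9", False))   # IGNORE: network asserted cookies
```

The walk goes parent-first on purpose: 192.0.3.7 has no node of its own and inherits "cookies" from 192.in-addr.arpa, while 192.0.2.1 picks up the more specific "none" published at 2.0.192.in-addr.arpa.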