
Open Resolvers and the Threat of Reflection Attacks, John Kristoff (PowerPoint presentation)



  1. Open Resolvers and the Threat of Reflection Attacks
     John Kristoff, jtk@depaul.edu
     DPU CTI Networks Seminar
     jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26

  2. A Review of the DNS Lookup Process

  3. What Does Verisign Like About This Picture?

  4. Resource Record (RR) format

                                         1  1  1  1  1  1
           0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                                               |
         /                                               /
         /                      NAME                     /
         |                                               |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                      TYPE                     |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                     CLASS                     |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                      TTL                      |
         |                                               |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                   RDLENGTH                    |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--|
         /                     RDATA                     /
         /                                               /
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

  5. DNS Message Format

         +---------------------+
         |        Header       |
         +---------------------+
         |       Question      | the question for the name server
         +---------------------+
         |        Answer       | RRs answering the question
         +---------------------+
         |      Authority      | RRs pointing toward an authority
         +---------------------+
         |      Additional     | RRs holding additional information
         +---------------------+

  6. DNS Message Header Format

                                         1  1  1  1  1  1
           0  1  2  3  4  5  6  7  8  9  0  1  2  3  4  5
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                      ID                       |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |QR|   Opcode  |AA|TC|RD|RA|   Z    |   RCODE   |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                    QDCOUNT                    |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                    ANCOUNT                    |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                    NSCOUNT                    |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
         |                    ARCOUNT                    |
         +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

  7. Open Resolver
     • A DNS server that provides an answer or referral for anyone
     • Full open recursive name servers can be particularly problematic
     • It can be difficult to limit open recursion in practice
     • There are lots of open resolvers
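The BIND named.conf shapes behind this slide, added here as an illustration and not taken from the talk. The first options block is what produces an open resolver; the second is the closed form, which limits both recursion and reads of the cache to known client prefixes. The ACL name and its prefixes are constructed placeholders, and the two options blocks are alternatives, not one file.

```conf
// --- before: open resolver. Anyone on the Internet may ask this server
// to recurse on their behalf, so it can be used as a reflector.
options {
    recursion yes;
    allow-recursion { any; };
};

// --- after: closed resolver. Only the listed prefixes may recurse or
// read cached data. (Prefixes are constructed examples; use your own.)
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;
    2001:db8::/32;
};

options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};

// An authoritative-only server should not recurse at all:
//     options { recursion no; };
```

The "difficult in practice" bullet is usually about the ACL itself: a resolver that also hosts zones must keep answering authoritative queries from everyone while refusing recursion to everyone else, which is exactly what separate allow-recursion and allow-query-cache lists achieve.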

  8. Amplification and Reflection Attacks Using Open Resolvers
     • Imagine... lots of bots
     • Imagine... lots of open recursive name servers
     • Imagine... a 4 KB TXT resource record
     • Imagine... source address spoofing
     • Imagine... queries that are less than 100 bytes
     • Imagine...

  9. Resolver probing, not scanning
     We could just send properly formatted DNS queries to TCP/UDP port 53 if all we cared about was finding name servers. However, we want to try to precisely identify resolver behavior, configuration and implementation.

  10. Some Remote Open Resolver Probing Questions
     • How do you really know if the server is recursing for you?
     • Are there questions a server answers in unexpected ways?
     • Is the server you’re asking the only server at that address?
     • Are you getting a cached answer?
     • Are wildcards being used?

  11. Some Multifaceted Probing Techniques
     • Query for whoareyou.ultradns.net
     • Query for whoami.ultradns.net
     • Query for a unique, but bogus top-level domain (TLD)
     • Fingerprint with fpdns
     • Query for a unique name in a zone we control
     • Distribute query sources
     • Disable the recursion desired (rd) bit
     • Query for popular names and NS RRsets
     • Query for unique, but bogus names in popular zones and TLDs

  12. Challenges to Remote Probing
     • Recursion available (ra) is an unreliable indicator
     • A non-existent name/TLD query doesn’t always result in NXDOMAIN
     • Adherence to TTL is inconsistent
     • High-speed querying difficulty and timeout handling
     • Various other unexpected answers due to config or implementation

  13. Caching Weirdness

     $ dig @61.46.219.237 whoareyou.ultradns.net +noall +answer

     ; <<>> DiG 9.2.2 <<>> @61.46.219.237 whoareyou.ultradns.net +noall +answer
     ;; global options:  printcmd
     whoareyou.ultradns.net. 0       IN      A       204.74.96.5

     $ dig @61.46.219.237 whoareyou.ultradns.net +noall +answer

     ; <<>> DiG 9.2.2 <<>> @61.46.219.237 whoareyou.ultradns.net +noall +answer
     ;; global options:  printcmd
     whoareyou.ultradns.net. 4294967292 IN   A       204.74.96.5

  14. Alternate Root

     $ dig @211.220.209.3 bogus-tld +noall +answer +authority

     ; <<>> DiG 9.2.2 <<>> @211.220.209.3 bogus-tld +noall +answer +authority
     ;; global options:  printcmd
     realname.               86400   IN      A       211.106.67.200
     realname.               86400   IN      NS      update-psi.netpia.com.

  15. Wildcard

     $ dig @213.30.189.132 nanug.org +noall +answer

     ; <<>> DiG 9.2.2 <<>> @213.30.189.132 nanug.org +noall +answer
     ;; global options:  printcmd
     nanug.org.              10000   IN      A       62.210.183.75
     nanug.org.              10000   IN      TXT     "toto"

  16. Flags and Inconsistency

     $ dig @213.215.76.84 +noall +comments +answer www.nanog.org
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52909
     ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

     $ dig @213.215.76.84 +noall +comments +answer www.nanog.org
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43523
     ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

     ;; ANSWER SECTION:
     www.nanog.org.          86392   IN      A       198.108.1.5
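The header, question and RR layouts on slides 4 through 6 are what every check on slides 10 through 16 is built on, so here is a worked parser that walks a message through them. This is an added example written for this page, not code from the talk: it rebuilds the whoareyou.ultradns.net answer from slide 13 by hand (a constructed packet, not a capture), parses the header flags and counts, follows RFC 1035 name compression, flags the wrapped TTL from slide 13 under the RFC 2181 31-bit rule, and labels the response the way the questions on slides 10 to 12 and the flag comparison on slide 16 require. The builder function and the label strings are assumptions of this example.

```python
"""Added example (not from the slides): parse a raw DNS message using the
RFC 1035 layouts on slides 4-6, then apply checks the probing slides rely on."""
import struct

# Header flag bits within the 16-bit flags word (slide 6 layout).
QR, AA, TC, RD, RA = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7
FLAG_BITS = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA))
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 16: "TXT"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus the root label."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_response(qname, ip, ttl, flags=QR | RD | RA):
    """Constructed sample response (not a captured packet): one question, one A record
    whose owner name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + rr


def read_name(msg, off):
    """Return (dotted name, offset just past it), following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer into the message
            pointer = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_message(msg):
    """Parse header, question and answer sections (slides 4-6) into a dict."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    out = {"id": ident,
           "flags": {n for n, bit in FLAG_BITS if flags & bit},
           "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
           "counts": {"qd": qd, "an": an, "ns": ns, "ar": ar},
           "questions": [], "answers": []}
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["questions"].append((qname, TYPES.get(qtype, qtype)))
    for _ in range(an):  # RR layout from slide 4: NAME TYPE CLASS TTL RDLENGTH RDATA
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        out["answers"].append({"name": name, "type": TYPES.get(rtype, rtype), "ttl": ttl, "rdata": rdata})
    return out


def ttl_wrapped(ttl):
    """RFC 2181 s7.1: TTL is a 31-bit value. A set high bit means a cache counted a
    TTL below zero, which is what slide 13's 4294967292 (2**32 - 4) shows."""
    return ttl >= 1 << 31


def classify(resp):
    """Label how a server handled a query for a name it does not serve itself
    (the question behind slides 10-12 and 16)."""
    f = resp["flags"]
    if resp["rcode"] == "REFUSED":
        return "refused"
    if "aa" in f:
        return "authoritative"
    if resp["counts"]["an"]:
        return "recursed" if "ra" in f else "recursed (ra unset)"
    if resp["counts"]["ns"]:
        return "referral"
    return "empty"


# Slide 13's second answer, rebuilt by hand: TTL 0 decremented past zero.
SAMPLE = build_response("whoareyou.ultradns.net.", "204.74.96.5", 4294967292)

if __name__ == "__main__":
    parsed = parse_message(SAMPLE)
    print(parsed["flags"], classify(parsed), ttl_wrapped(parsed["answers"][0]["ttl"]))
```

Two points from the slides fall out directly. The classifier does not trust the ra bit on its own (slide 12): a server that returns a non-authoritative answer has recursed whether or not it advertises recursion. And a TTL with the high bit set is not a huge lifetime but a sign that the cache in front of you is counting down past zero, which is the kind of implementation tell slide 9 says probing is meant to surface.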

  17. Query Amplification and Aggression?

     Auth Server #1
     client 209.63.146.65#37695: query: researchprobe-3632192887.example.org IN A -E
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -

     Auth Server #2
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
     client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
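What this slide shows from the authoritative side is one probe fanning out into many identical upstream queries. As an added example written for this page, not from the talk, the detector below parses BIND-style query log lines in the format shown on the slide (using the Auth Server #1 lines as sample input), groups them by client and question, and reports clients that repeat the same question past a threshold, along with the set of source ports they used. The threshold and the output structure are choices of this example.

```python
"""Added example (not from the slides): spot repeated identical questions in
BIND-style query log lines such as those on slide 17."""
import re
from collections import Counter, defaultdict

# Matches the abbreviated log format shown on the slide:
#   client <ip>#<port>: query: <qname> IN <qtype> <flags>
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Sample input: the Auth Server #1 lines from slide 17.
SAMPLE_LOG = """\
client 209.63.146.65#37695: query: researchprobe-3632192887.example.org IN A -E
client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E
client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -
"""


def parse_line(line):
    """Return a dict for one query log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # BIND's query-log flag field: '+' means RD set, '-' means RD clear,
    # 'E' means the query carried an EDNS OPT record.
    rec["rd"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    return rec


def repeated_queries(lines, threshold=3):
    """Group lines by (client ip, qname, qtype); return those seen >= threshold
    times as {key: {"count": n, "ports": [sorted source ports]}}."""
    counts = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["qname"], rec["qtype"])
        counts[key] += 1
        ports[key].add(rec["port"])
    return {key: {"count": n, "ports": sorted(ports[key])}
            for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, qname, qtype), info in repeated_queries(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} asked {qname} {qtype} {info['count']} times from ports {info['ports']}")
```

On the slide's data the legitimate probe source appears once and the recursive resolver appears five times for the same name within the excerpt, all with RD clear (it is asking on someone else's behalf) and all from one source port. Real BIND query logs carry a timestamp and category prefix before the client field; because the regex uses search rather than match, the same parser works on those lines too, and a production version would add a time window to the grouping.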

  18. Bad Defaults

     $ dig @202.146.225.194 bogus-tld +noall +comments +answer

     ; <<>> DiG 9.2.2 <<>> @202.146.225.194 bogus-tld +noall +comments +answer
     ;; global options:  printcmd
     ;; Got answer:
     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30140
     ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

     ;; ANSWER SECTION:
     bogus-tld.              3600    IN      A       10.61.32.1

  19. ORNS Candidate Data Sets
     • 51,196 reflector attack, Feb. 2006
     • 191,966 ORNS from Duane Wessels, March 2006
     • 2,660,229 somethings querying us, March 2006

  20. Netblocks - Attack Set

  21. Netblocks - Duane’s Set

  22. Netblocks - Our Flows

  23. ORNS Netblocks - Our Flows (~14%)

  24. Referrer Netblocks - Our Flows (~2%)

  25. Building and Maintaining A Resolver Probing System
     • Where do you get candidate probing addresses from?
     • Where do you probe from? How fast? Will you get filtered?
     • What queries do you send?
     • Logs, packet captures or responses. What do you do with them?
     • How do you re-test and maintain accuracy?
     • How do you share the data and/or alert administrators?
     • What else can you do with this data?

  26. End - Work in Progress
     • [dns-research01 | dns-research02].cti.depaul.edu
     • DNS prototype probing systems with web interface
     • TLD zone monitoring and analysis
