when the dike breaks dissecting dns defenses during ddos
play

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. - PowerPoint PPT Presentation

Nov 08, 2023 •253 likes •648 views

When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John Heidemann 3 , Moritz Mller 1 , 4 , Ricardo de O. Schmidt 5 , Marco Davids 1 RIPE 77, Amsterdam, The Netherlands 2018-10-15 1 SIDN Labs, 2 TU Delft, 3

  1. When the Dike Breaks: Dissecting DNS Defenses During DDoS Giovane C. M. Moura 1 , 2 , John Heidemann 3 , Moritz Müller 1 , 4 , Ricardo de O. Schmidt 5 , Marco Davids 1 RIPE 77, Amsterdam, The Netherlands 2018-10-15 1 SIDN Labs, 2 TU Delft, 3 USC/ISI, 4 University of Twente, 5 University of Passo Fundo 1

  2. Research paper to appear on ACM IMC 2018 • Joint research work to appear at: https://conferences.sigcomm.org/imc/2018/ • Full text (PDF): https://www.isi.edu/~johnh/PAPERS/Moura18b.pdf 2

  3. DDoS Attacks • DDoS attacks are on the rise • Getting bigger, more frequent, cheaper, and easier • Arbor: 1.7 Tb/s [2] (2018) • Github DDoS: 1.35 Tb/s [1] (2018) • Dyn DDoS: 1.2 Tb/s (Mirai IoT) [6] (2017) • DDoS as a service: few dollars with booters [8]. • Many DNS services have been victim of DDOS attacks 3

  4. DDoS and DNS: two examples Root DNS DDoS Nov 2015 Dyn Oct 2016 no known reports of errors seen some users could not reach by users [3] popular sites [6] Two large DDoSes, very different outcomes. Why? 4

  5. DDoS and DNS: two examples Root DNS DDoS Nov 2015 Dyn Oct 2016 no known reports of errors seen some users could not reach by users [3] popular sites [6] Two large DDoSes, very different outcomes. Why? 4

  6. DNS Basics Query: example.nl ? User Internet Answer:192.168.1.1 • That’s what most users (need to) know about DNS • Let’s see what really happens 5

  7. Background: the many parts of DNS Authoritative ... Servers AT 1 AT n e.g.: ns1.example.nl Recursives ... Rn a Rn n ( n th level) CRn a CRn b e.g: ISP resolv. Recursives R 1 a R 1 b (1st level CR 1 a CR 1 b e.g.: modem) Stub Resolver e.g.: OS/applications Stub Figure 1: Relationship between resolvers,caches, and authoritatives • DNS query: where’s example.nl ( $ dig A example.nl ) • Answer: example.nl. 3600 IN A 94.198.159.35 • DNS TTL : max time to cache a record 6

  8. Background: the many parts of DNS Authoritative DDoS attack ... Servers AT 1 AT n e.g.: ns1.example.nl Recursives ... Rn a Rn n ( n th level) CRn a CRn b e.g: ISP resolv. Recursives R 1 a R 1 b (1st level CR 1 a CR 1 b e.g.: modem) Stub Resolver e.g.: OS/applications Stub • How much will resolver’s built-in defenses help users during DDoS? 7

  9. OPS expectation during DDoS Authoritative DDoS attack ... AT 1 AT n Servers e.g.: ns1.example.nl Recursives ... Rn a Rn n ( n th level) CRn a CRn b e.g: ISP resolv. Recursives R 1 a R 1 b (1st level CR 1 a CR 1 b e.g.: modem) Stub Resolver e.g.: OS/applications Stub Figure 2: TTL= how long your star powers will last – answer from cache 8

  10. Evaluating DNS Resiliency • Part 1 : evaluate user experience under “normal” operations • Part 2 : Verify results of Part 1 in production zones ( .nl ) • Part 3 : Emulate DDoSes in the wild to evaluate caching/retrials under stress, to observe user experience 9

  11. Part 1: measuring caching in the wild Setup 1. register our new domain ( cachetest.nl ) 2. run two unicast IPv4 authoritatives on EC2 Frankfurt 3. User Ripe Atlas and their resolvers as vantage points ( ∼ 15k) 4. Each VP sends a unique AAAA query, so no interference • e.g.,: 500.cachetest.nl for probeID=500 5. Each AAAA DNS answer encodes a counter that allow us to tell if it was cache hit or miss • $PREFIX:$SERIAL:$PROBEID:$TTL 6. Probe every 20min, and run scenarios with different TTLs, for 2 to 3 hours (to match various TTLs in the wild) • 60, 1800,3600, and 86400 seconds TTL 10

  12. Part 1: measuring caching in the wild • We control auth servers and clients (stub resolver) • We do not control recursives • How efficient is caching in the wild? • Remember: TTL sets upper limit for HOW LONG it should be cached by recursives 11

  13. Results: how good caching is in the wild? 120000 Miss: 28.5% AA AC CC CA 100000 remaining queries Miss: 0.0% 80000 60000 Miss: 30.9% Miss: 32.9% 40000 Miss: 32.6% 20000 0 60s 1800s 3600s 86400s 3600s-10m Experiment 1. Good news: caching works fine for 70% of all 15,000 VPs • With our not popular domain 2. Not so good news: ∼ 30% of cache misses (AC) 12

  14. Why cache misses (Why AC?) Possible: capacity limits, cache flushes, complex caches Mostly: complex caches • cache fragmentation with multiple servers • (previous work on Google DNS [9]) TTL 60 1800 3600 86400 3600-10m AC Answers 37 24645 24091 23202 47,262 Public R 1 0 12000 11359 10869 21955 Google Public R 1 0 9693 9026 8585 17325 other Public R 1 0 2307 2333 2284 4630 Non-Public R 1 37 12645 12732 12333 25307 Google Public R n 0 1196 1091 248 1708 other R n 37 11449 11641 12085 23599 Table 1: AC answers (cache miss) public resolver classification 13

  15. Part 2: caching in production zones • OK, in our controlled environment, we show that caching works 70% as expected • Are these experiments representative? • We look at .nl production data • we compute ∆ t (time since last query) • Compare to TTL of 3600s • 485k queries from 7,779 recursives 14

  16. Part 2: caching in production zones • Most resolvers send queries usually ∼ 3600s ( .nl TTL) • 28% do not respect the 1h TTL • Yes, experiments are like real zone • (we also look into the Roots , see paper [4]) 1 0.9 0.8 0.7 0.6 CDF 0.5 0.4 0.3 0.2 0.1 0 0 2000 4000 6000 8000 10000 Δ t 15

  17. OK, so what do you we have so far? • We know how caching works in the wild (both Ripe and .nl ) • Time to move Part 3: emulate DDoS • Goal: understand client experience under DDoS 16

  18. Part 3: Emulating DDoS • Similar setup as other experiments: • Emulate DDoS: drop incoming queries at certain rates at Authoritative servers, with iptables • Question: (when) do caches protect clients? • Or why some DDoS attacks seem to have more impact? • We show only few experiments, many more in the paper 17

  19. Scenario A: all servers DOWN • Worst nightmare for a DNS operator • Only resolver’s cache can save clients • TTL=3600s (1 hour) • We probe every 10 minutes • At t = 10 min , we drop all packets 18

  20. Complete DDoS: TTL: 60min, 100% failure OK SERVFAIL No answer 20000 cache-only cache-expired 15000 answers 10000 5000 0 0 10 20 30 40 50 60 70 80 90 100 110 minutes after start Figure 3: Scenario A: 100% failure after 10min, TTL: 60min • DDoS starts after 1st query (fresh cache) • During DDoS: 35%-70% of clients are served (cache) • After cache expires: only 0.2% clients (serve state) • draft-ietf-dnsop-serve-stale-00 19

  21. Complete DDoS: changing cache freshness • Scenario B: Cache freshness: about to expire • How clients will experience DDoS? OK SERVFAIL No answer 20000 normal cache-only normal 15000 answers 10000 5000 0 0 10 20 30 40 50 60 70 80 90 100110 120130 140150 160170 minutes after start Figure 4: Scenario B: 100% failure after 60min, TTL: 60min • Cache much less effective (as times out near attack) • Fragmented cached helps some (by filling later) 20

  22. Complete DDoS: changing cache freshness • Scenario B: Cache freshness: about to expire • How clients will experience DDoS? OK SERVFAIL No answer 20000 normal cache-only normal 15000 answers 10000 5000 0 0 10 20 30 40 50 60 70 80 90 100110 120130 140150 160170 minutes after start Figure 4: Scenario B: 100% failure after 60min, TTL: 60min • Cache much less effective (as times out near attack) • Fragmented cached helps some (by filling later) 20

  23. Complete DDoS: TTL record influence • Influence of TTL: reducing from 60min to 30min • How clients will experience DDoS? OK SERVFAIL No answer 20000 normal cache- cache- normal only expired 15000 answers 10000 5000 0 0 10 20 30 40 50 60 70 80 90 100110120130140150160170 minutes after start Figure 5: Scenario C: 100% failure after 60min, TTL: 30min • Users experience worsens with shorter TTL • OPs: choose wisely the TTL of your records when 21 engineering for DDoS

  24. Discussion complete DDoS • Caching is partially successful during complete DDoS • OPs: don’t expect protection for clients as long as your TTL; depends on their cache state • Serving stale content provides the last resort for Doomsday scenario • some ops (Google, OpenDNS) seem to do it, but it is not widespread yet • TTL of records: the shorter you set them, the less you protect users during a complete DDoS 22

  25. Partial DDoS • Not all DDoS are strong enough to bring all servers down • Some lead to partial failure (Root DNS Nov 2015 [3]) • Partial failure: some of the available authoritative fail to answer all queries, or take longer to answer; then users experience longer latencies • In this case, how would users experience the attack? 23

  26. Experiment E: 50% success DDoS, TTL: 30min OK SERVFAIL No answer normal 50% packet loss normal 20000 (both NSes) 15000 answers 10000 5000 0 0 10 20 30 40 50 60 70 80 90 100110120130140150160170 minutes after start 4000 Median RTT 3500 Mean RTT 75%ile RTT 3000 90%ile RTT latency (ms) 2500 2000 1500 1000 500 0 0 20 40 60 80 100 120 140 160 minutes after start Good ! Most clients are happy, as they retry (but takes longer) 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis

DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis

Text DDoS: Barbarians At The Gate(way) Examination of actors, tools and defenses #whoami Dave Lewis @gattaca dave@akamai.com It left me wanting Game Plan Actors Attacks Tools Trends Data Now what? Actors: For Hire Current(ish)

1.03k views • 77 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and

Presenting a live 90 minute webinar with interactive Q&A Preference Defenses: New Value Ordinary Preference Defenses: New Value, Ordinary Course and Contemporaneous Exchange Managing the Audit Process, Mitigating Regulatory Sanctions, and

893 views • 52 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
East Shore Resiliency Open House September 26, 2017 A more resilient New York City A more

East Shore Resiliency Open House September 26, 2017 A more resilient New York City A more

East Shore Resiliency Open House September 26, 2017 A more resilient New York City A more resilient NYC is one where neighborhoods, buildings and infrastructure can withstand and recover quickly from flooding and climate events.

155 views • 11 slides
Employer Defenses Common Safety Violations Keeping Tennesseans Safe 2 TN-OSHA Neither the TN

Employer Defenses Common Safety Violations Keeping Tennesseans Safe 2 TN-OSHA Neither the TN

Drug Testing Employer Defenses Common Safety Violations Keeping Tennesseans Safe 2 TN-OSHA Neither the TN OSH Act nor the TN-OSHA Rules address drug testing. Workers Compensation Drug Free Workplace Program Chapter 0800-02-12 Rules of

281 views • 9 slides
Introducing Green Infrastructure for Coastal Resilience National Oceanic and Atmospheric

Introducing Green Infrastructure for Coastal Resilience National Oceanic and Atmospheric

Introducing Green Infrastructure for Coastal Resilience National Oceanic and Atmospheric Administration (NOAA) Office for Coastal Management What well talk about today 1. Green infrastructure concepts 2. Practices 3. Getting to

1.53k views • 73 slides
Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced

Clickjacking: Attacks and Defenses University of Cyprus Department of ComputerScience Advanced Security Topics Name: Soteris Constantinou Instructor: Dr. Elias Athanasopoulos Authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart

1.65k views • 81 slides
PreAccident Podcast Human Performance Highly Reliable Organizations Todd Conklin PhD Human

PreAccident Podcast Human Performance Highly Reliable Organizations Todd Conklin PhD Human

Todd Conklin PreAccident Podcast Human Performance Highly Reliable Organizations Todd Conklin PhD Human Performance Improvement/ HRO Toddconklin@ gmail.com Never take a sleeping pill And a laxative at the same time. In any order

647 views • 29 slides
Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare:

Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare:

Presentation for the Baltic Defence College Annual Conference on Russia Non-linear warfare: The Russian Challenge Panel IV: Euro-Atlantic responses to Russian nonlinear warfare Taking Away the Open Battlefield: Breaking the cycle

228 views • 6 slides
Congressional Budget Office January 7, 2014 Presentation on the Projected Costs of U.S. Nuclear

Congressional Budget Office January 7, 2014 Presentation on the Projected Costs of U.S. Nuclear

Congressional Budget Office January 7, 2014 Presentation on the Projected Costs of U.S. Nuclear Forces, 2014 to 2023 at the Center for Nonproliferation Studies Michael Bennett, National Security Division This presentation provides information

235 views • 6 slides
Overview of TTAB Oppositions The following is a brief overview of U.S. trademark stored

Overview of TTAB Oppositions The following is a brief overview of U.S. trademark stored

Overview of TTAB Oppositions The following is a brief overview of U.S. trademark stored information, and tangible things that are in opposition proceedings. Oppositions before the possession, custody, or control of the party and that the

200 views • 3 slides

More recommend