DNS Amplification Attack - ANY+RD - NANOG Archive
October 2012
Tuesday, October 23, 2012
DNS Amplification Attacks - ANY+RD @dynchip @DynInc

History
• First seen by Dyn in November 2011
• Seen on both our consumer and enterprise authoritative products (Standard DNS and DynECT Managed DNS)
• http://dyn.com/active-incident-notification-recent-chinanetany-query-floods/ - 2-Dec-2011

Attack Vector
• Recursion bit set (RD=1)
• QTYPE=ANY
• DNSSEC signed domains
• No EDNS

Attack Queries by Day
[Figure: attack queries per day, x-axis 1-Sep-2012 to 29-Sep-2012]

Anycast Region
[Figure: chart by anycast region. Legend: Europe, Asia/Pacific, North America. Values shown: 7%, 24%, 68%]

Top Targets
IP               ASN    Org         Country
23.29.116.196    13354  EBLGLOBAL   US
113.21.221.18    45474  NEXUSGUARD  HK
122.248.238.198  38895  AMAZON      SG
64.31.29.26      46475  LIMESTONE   US
114.141.72.36    32787  PROLEXIC    SG
103.22.245.55    6939   HURRICANE   HK
122.248.245.102  38895  AMAZON      SG
113.21.221.21    45474  NEXUSGUARD  HK
121.12.116.52    4134   CHINANET    CN
114.141.72.40    32787  PROLEXIC    SG

Blocking Sources
• Custom script, reads query logs, blocks sources with a high rate of ANY+RD queries.
• Pros
  – Very effective at blocking sources
• Cons
  – Blocks legitimate queries too
  – Slow to respond to new attacks (~1 min)
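
The log-driven blocking described on this slide can be sketched as follows. This is an added example, not Dyn's script: the log line layout (modelled on BIND query logging), the threshold, the window and all sample addresses and names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout, modelled on BIND query logging:
#   <date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>
# A leading "+" in <flags> means the RD bit was set.
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def find_abusive_sources(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {source_ip: time it first exceeded `threshold` ANY+RD queries
    inside a sliding `window`}. Counting is per source, so rotating the
    query name does not reset the counter."""
    recent = defaultdict(deque)  # ip -> timestamps of recent ANY+RD queries
    blocked = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["qtype"] != "ANY" or not m["flags"].startswith("+"):
            continue  # unparsable, not ANY, or RD=0
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > threshold:
            blocked.setdefault(m["ip"], ts)
    return blocked

def _line(clock, ip, qname, qtype, flags):
    return f"23-Oct-2012 10:00:{clock} client {ip}#40000: query: {qname} IN {qtype} {flags}"

# Constructed sample log (documentation address ranges, made-up zone names).
SAMPLE = sorted(
    # flood: 8 ANY+RD queries in under a second, alternating qnames
    [_line(f"00.{i}00", "198.51.100.7", f"zone{i % 2}.example", "ANY", "+") for i in range(8)]
    # ordinary resolver traffic: RD=0, EDNS, type A
    + [_line(f"0{i}.000", "192.0.2.53", "www.example", "A", "-E") for i in range(8)]
    # occasional ANY+RD, 20 s apart: stays under the threshold
    + [_line(f"{i * 20:02d}.000", "203.0.113.9", "zone0.example", "ANY", "+") for i in range(3)]
)

if __name__ == "__main__":
    for ip, when in find_abusive_sources(SAMPLE).items():
        print(f"block {ip} (threshold crossed at {when:%H:%M:%S.%f})")
```

Because the decision is made per source address, every query from a flagged address is dropped once it is blocked, which is the "blocks legitimate queries too" cost listed above.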

BIND RRL Patch
• Response rate limiting
  – http://www.redbarn.org/dns/ratelimits
• Pros
  – Very fast on detecting floods
  – TCP fallback for legit resolvers (“slip”)
  – No full block of client IP
• Cons
  – Ineffective against fast qname changes

BIND RRL Patch - Standard DNS

Chip Marshall
Network and Security [email protected]