Everything You Need To Know About DDoS Attacks

Andrew Sullivan, Director of DNS Engineering, Dyn (@DynInc)

Uploaded by dyn on 15 January 2015 (53 slides).

DESCRIPTION

Want to understand more about DDoS attacks? Check out these slides from Dyn Director of DNS Technology Andrew Sullivan & watch the accompanying webinar: http://dyn.com/dyn-webinar-everything-you-need-to-know-about-ddos-managed-dns/

TRANSCRIPT

Page 1: Everything You Need To Know About DDoS Attacks

Everything You Need to Know About DDoS @DynInc

Everything You Need To Know About DDoS Attacks

Andrew Sullivan, Director of DNS Engineering, @DynInc

Page 2

What We’ll Cover Today

• What is a DDoS?
• Why are there DDoSes?
• What can happen?
  – Suppose you’re the target
  – Suppose you’re an amplifier
• Can outsourcing things help?
• Can anycast help?
• Appliances?

Focus primarily on DNS, since that’s where the pain is these days

Page 3

Denial Of Service

• Just what the name implies
• Lots of ways
  – Break code
  – Smash the stack
  – Lock out passwords
  – Request so much that nothing else can get served
  – Stuff the network pipe so full that nobody else can get in or out

Page 4

Denial Of Service Target

Page 5

Just scale

Page 6

Moore’s Law

Page 7

Denial Of Service (Traffic)

Page 8

Distribute The Source

Page 9

No, Really Distribute It

Page 10

Not New

• Morris worm (“the Great Worm”) was in 1988

• Effective attacks were almost always “distributed” in some sense

• Issue now is the type of attack, and the resources available

Page 11

DDoS Attack Sources?

• In the old days, always-on cable modems and a certain popular but vulnerable operating system

• Now, cheap or compromised (often virtual) hosts with lots of bandwidth

You’ll now run out of money for bandwidth before the bad guys run out of compromised servers.

Page 12

Why Do They Do This?

Money

Politics

Religion

Page 14

Traditional DDoS

Page 15

Traditional DDoS

Page 16

Kill The C&C, You Kill The Attack

Page 17

Wait. Spoofed Addresses?

• Most modern effective attacks come over User Datagram Protocol (UDP)
• Transmission Control Protocol (TCP) requires a handshake
  – You can tell who’s at the other end
• UDP has no handshake
  – Could be anybody – even someone pretending to be someone else

Page 18

Why Don’t We Fix That?

• We tried
• Best Current Practice (BCP) 38 says that, if you run a network, you should never send things that shouldn’t come from you – “egress filtering”
  – BCP 38 (RFC 2827) itself calls this ingress filtering, because the provider applies it where customer traffic enters its network; seen from the sending network it is egress filtering, and the effect is the same: packets whose source address isn’t yours don’t leave
• Some people don’t do it
• There are no Internet Police – and that cure would be worse than the disease anyway
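To make the BCP 38 point concrete, here is the check a provider’s customer-edge router performs, written out in Python as an added illustration. It is not code from the slides, and real routers do this in hardware with ACLs or unicast reverse-path forwarding; the interface names, customer prefixes and packets below are constructed, and the forged source 192.0.2.1 is the victim address used in the deck’s diagrams. The example also covers the two places filtering is not applied: addresses that are never legitimate unicast sources, and transit or peering interfaces where the provider cannot know what may arrive, which is why the slide on reflectors says the attack is only impossible if filtering is done "everywhere".

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed topology (assumption, not from the slides): customer-facing interfaces and the
# prefixes the provider has assigned on each. A real deployment derives this from IPAM/RADIUS.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["198.51.100.0/24"],                    # customer A
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:1::/48"],  # customer B, dual-stack
}

Packet = Tuple[str, str, str]   # (ingress interface, source address, destination address)


def build_filter(table: Dict[str, Iterable[str]]):
    """Pre-parse the prefix table so the per-packet check is cheap."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}


def bcp38_permit(filter_table, ingress_if: str, src: str) -> bool:
    """BCP 38 / RFC 2827 decision for one packet: True means forward, False means drop.

    A packet entering on a customer interface is forwarded only if its source address
    lies in a prefix assigned to that customer. Interfaces absent from the table (transit,
    peering) are not filtered here: the provider cannot enumerate the whole Internet.
    """
    if ingress_if not in filter_table:
        return True
    addr = ipaddress.ip_address(src)
    if addr.is_unspecified or addr.is_loopback or addr.is_multicast:
        return False  # never a legitimate unicast source on any interface
    return any(addr in net for net in filter_table[ingress_if]
               if net.version == addr.version)


def filter_packets(filter_table, packets: Iterable[Packet]):
    """Split packets into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if bcp38_permit(filter_table, pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: a normal DNS query from customer A, the same query with the victim's
# address forged as source, a genuine IPv6 query from customer B, customer B forging
# customer A's address, and the forged packet arriving over transit instead.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "198.51.100.7", "203.0.113.53"),     # genuine, customer A
    ("ge-0/0/1", "192.0.2.1", "203.0.113.53"),        # spoofed: source is the victim
    ("ge-0/0/2", "2001:db8:1::10", "2001:db8:53::1"),  # genuine IPv6, customer B
    ("ge-0/0/2", "198.51.100.7", "203.0.113.53"),     # customer B spoofing customer A
    ("xe-1/0/0", "192.0.2.1", "203.0.113.53"),        # transit: cannot be judged here
]

if __name__ == "__main__":
    fwd, drop = filter_packets(build_filter(CUSTOMER_PREFIXES), SAMPLE_PACKETS)
    for pkt in drop:
        print("drop", pkt)
```

Only the two customer-side spoofs are dropped; the copy that arrives on the transit interface passes, which is exactly the gap left by networks that "don’t do it".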

Page 19

Traditional DDoS

Page 20

DNS DDoS: reflector

Page 21

Key Attributes

• Uses DNS as an amplifier
  – Just a few octets for the query, big answers (usually TXT records or something from DNSSEC)
• Relies on poor network security and UDP
  – Send query pretending to be the target
• Tricky to defend against
  – Might cause collateral damage

Page 22

Amplification

• Small cost at traffic source (each member of the botnet)
• Innocuous traffic (DNS queries)
  – except for the spoofed address
• Query for a large Resource Record set
  – Big TXT record
  – RR type with lots of records
  – Some DNSSEC records

Page 23

How Amplified?

• A query for the TXT records at dyn.com takes 25 octets (bytes)
• The answer for that is 442 octets (bytes) – about 18 times bigger!
• Lots of domains look like this
• Easy to get bigger responses
• Not hard to create bigger responses
• 18 times amplification on millions of queries is a lot
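The numbers on this slide follow directly from the DNS wire format, and the Python below reproduces them. It is an added example, not code from the slides or from Dyn: it builds the 25-octet dyn.com/TXT query byte by byte (12-byte header plus a 13-byte question), optionally appends the EDNS0 OPT record an attacker includes to lift the classic 512-byte UDP answer limit, and assembles an authoritative TXT response so the ratio can be measured. The TXT strings in SAMPLE_TXT are constructed for illustration and are not dyn.com’s real records; only the name and the 25/442-byte figures come from the slide.

```python
import struct
from typing import List

QTYPE_TXT = 16
QTYPE_OPT = 41   # EDNS0 pseudo-RR (RFC 6891)
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int, txid: int = 0x1234, edns_udp_size: int = 0) -> bytes:
    """12-byte header + one question. With edns_udp_size > 0 an OPT RR is added to the
    additional section: that is how a client (or an attacker) tells the server it may
    return a UDP answer larger than 512 bytes, which the big amplifying answers need."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    msg = header + question
    if edns_udp_size:
        # OPT: root name (1 byte), TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE/version/flags (zero here), RDLENGTH 0 -> 11 bytes total
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def question_end(msg: bytes) -> int:
    """Offset just past the single question section."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]    # skip one label
    return i + 1 + 4       # terminating zero + QTYPE + QCLASS


def build_txt_response(query: bytes, txt_strings: List[str], ttl: int = 3600) -> bytes:
    """Authoritative reply: echo the question, then one TXT RR per string. Each RR names
    its owner with a compression pointer (0xC00C) to offset 12, so it costs 12 bytes of
    fixed fields plus its RDATA."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:question_end(query)]
    answers = bytearray()
    for s in txt_strings:
        raw = s.encode("ascii")
        # TXT RDATA is one or more <character-string>s: a length byte + up to 255 octets
        rdata = b"".join(bytes([len(chunk)]) + chunk
                         for chunk in (raw[i:i + 255] for i in range(0, len(raw), 255)))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, ttl, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(txt_strings), 0, 0)  # flags: QR, AA
    return header + question + bytes(answers)


def amplification_ratio(query: bytes, response: bytes) -> float:
    """Bytes the reflector emits per byte the spoofing sender put on the wire."""
    return round(len(response) / len(query), 1)


# Constructed TXT RRset for illustration only (not dyn.com's actual records).
SAMPLE_TXT = [
    "v=spf1 include:_spf.example.net ~all",
    "google-site-verification=" + "x" * 43,
]

if __name__ == "__main__":
    q = build_query("dyn.com", QTYPE_TXT)
    r = build_txt_response(q, SAMPLE_TXT)
    print(len(q), len(r), amplification_ratio(q, r))
```

The bare 25-octet query against the slide’s 442-octet answer gives 17.7, the "about 18 times" on the slide. A query carrying an OPT record is 36 octets, so the same answer amplifies a little less per byte, but without EDNS the server would truncate anything over 512 bytes, which is why reflection tooling always advertises a large buffer.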

Page 24

What’s The Target?

• Could be the DNS service itself– Fill the transit

• Could be some other DNS service– Fill that service’s inbound transit

• Could be any other service– Fill that service’s inbound transit

Page 25

Aside: Open Resolvers

• Open resolvers are indeed bad
  – For other kinds of attack, they’re critical
• Not the only vector for reflection attacks
• Source of problem packets need not be a resolver
• Target need not be a resolver

Page 26

Attack the DNS Service Itself

[Diagram labels: Abuse Queries; Legitimate Queries; Responses to Abuse Queries; Responses to Legitimate Queries]

Page 27

Attack Some Different Service

[Diagram labels: Legitimate Queries; Responses to Legitimate Queries; Abuse Queries (forged source 192.0.2.1); Responses to Abuse Queries; target 192.0.2.1]

Page 28

Attack Some Different Service

[Diagram labels: Abuse Queries (forged source 192.0.2.1); Responses to Abuse Queries; http request; http responses; target 192.0.2.1]

Page 29

What Happens: You Are Authoritative DNS Target

• You can’t answer legitimate queries you should be able to answer
• You may become a reflector
  – Depends on abuse source
  – Probably, since otherwise the abuse source would fall over too

Page 30

What Happens: You Are DNS Amplifier

• You get identified as an amplifier
• People start restricting you
  – completely
  – with Response Rate Limiting (RRL)*

Page 31

What Happens: You Are Some Target Application

• All your bandwidth goes to receiving answers you didn’t ask for

• Your application is useless (or down) for your users

• This might cost you real cash (bandwidth overage) without any legitimate increase in traffic

Page 32

What To Do: Outsource?

Can help in some ways
• Large providers
• Robust networks
• Expert mitigation

Presents a new risk
• Large providers are themselves a target
• Large providers can have other customers who are targets

Page 33

How To Do: Outsource?

• Most people already outsourced
  – Let the registrar run it
• Research your options if you’re at risk
  – What are the vendor’s mitigation strategies?
  – Who will you be sharing your service with?
  – Does the vendor offer realistic promises?
  – What’s the vendor’s network profile?

Page 34

What To Do: Anycast?

• Anycast is a trick: one IP address actually identifies several physically different machines located at different places in the network
• Relies on routing
• It can help isolate attacks
  – attacks often all come from one or some small group of networks
  – so, they land in the same network data centre

Page 35

What To Do: Anycast?

Pro
• Isolates attack traffic to particular anycast regions
• Can use it to reroute attack traffic to a more robust network location
• Harder to fill many 10G or 40G transit paths than one

Page 36

What To Do: Anycast?

Con
• If you don’t know what anycast is, you don’t want to do it yourself
• Requires network experts, operations staff, and hardware
• Not a solution to all victim scenarios

Page 37

How To Do: Anycast?

• Get relevant network experts
• Bring (some) money
• Pick the right protocol
  – long-lived HTTP streams are very bad candidates (a routing change mid-connection can deliver later packets to a different instance, which has no state for that TCP connection)
  – short messages (like DNS) are good candidates
• If you want to do this, outsourcing is increasingly a good option
• Research the provider’s history and participation in operator fora

Page 38

What To Do: Appliances?

• Basically two strategies
  – Identify bad guys in advance, and spot and quarantine
  – Use analysis to identify bad traffic
• Generally perform rate limiting on identified bad traffic
• Often quite good at identifying anomalies
• If your pipe is full, it doesn’t matter

Page 39

What Else To Do?

• There is no magic, general-purpose “DDoS protection”
  – Like saying “We will protect you from crime”
    • Murder?
    • Fraud?
    • Traffic light violations?
• Techniques need to be tailored

Page 40

RRL

• Response Rate Limiting is a technique in DNS servers
• Identifies repeated queries for the same name, type, and class from the same source
  – Inside the Time To Live for the record
  – “Same source” is in practice a netblock (a /24 for IPv4), since forged sources vary in the low bits
• Infers that’s not a real resolver
  – A real resolver would have cached the answer and would not ask again inside the TTL
• Limits responses

Page 41

RRL

Pro
• If you’re running your own server, Turn It On Now.
• Evidence says it helps in the majority of cases

Page 42

RRL

Con
• Some corner cases (very short TTLs and high-value, high-traffic sites) have some issues
• Adds yet another tricky operational convention to DNS
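The behaviour described on the three RRL slides can be modelled in a few dozen lines. The Python below is an added illustration, not Dyn’s code and not BIND’s implementation; it follows the published RRL design (per-netblock accounting, a credit balance that refills every second, and the "slip" mechanism that sends a truncated reply instead of silence) and the parameter names mirror the knobs in BIND’s rate-limit block (responses-per-second, slip, window, ipv4-prefix-length, ipv6-prefix-length). The traffic is constructed: forty identical TXT queries in one second whose forged sources all fall in the victim’s 192.0.2.0/24 (the address block from the diagrams earlier in the deck), alongside three ordinary resolvers; the qname, client addresses and timings are made up.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Toy model of DNS Response Rate Limiting.

    Identical responses (same client netblock, qname, qtype, rcode) are charged against a
    credit balance that starts at `responses_per_second` and refills by that amount each
    second, up to `window` seconds' worth. Once the balance is negative the server stops
    answering, except that every `slip`-th limited response goes out truncated (TC=1):
    a genuine resolver that was caught will retry over TCP, which a spoofing attacker
    cannot complete because the handshake goes to the forged address.
    """

    def __init__(self, responses_per_second=5, slip=2, window=15,
                 ipv4_prefix_len=24, ipv6_prefix_len=56):
        self.rps = responses_per_second
        self.slip = slip
        self.window = window
        self.v4len, self.v6len = ipv4_prefix_len, ipv6_prefix_len
        self.balance = {}                   # key -> (credits, time of last refill)
        self.slip_counter = defaultdict(int)

    def _key(self, client, qname, qtype, rcode):
        addr = ipaddress.ip_address(client)
        plen = self.v4len if addr.version == 4 else self.v6len
        # Attack traffic varies the low bits of the forged source, so account per netblock
        block = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        return (str(block), qname.lower().rstrip("."), qtype, rcode)

    def decide(self, now, client, qname, qtype, rcode="NOERROR"):
        """Return 'answer', 'slip' (send a truncated reply) or 'drop' for one response."""
        key = self._key(client, qname, qtype, rcode)
        credits, last = self.balance.get(key, (self.rps, now))
        elapsed = int(now - last)
        if elapsed > 0:
            credits = min(credits + elapsed * self.rps, self.window * self.rps)
            last += elapsed
        credits -= 1
        credits = max(credits, -self.window * self.rps)   # cap the debt, as BIND does
        self.balance[key] = (credits, last)
        if credits >= 0:
            return "answer"
        if self.slip:
            self.slip_counter[key] += 1
            if self.slip_counter[key] % self.slip == 0:
                return "slip"
        return "drop"


def simulate(limiter, events):
    """Feed constructed (time, client, qname, qtype) events through the limiter; tally decisions."""
    tally = defaultdict(int)
    for t, client, qname, qtype in events:
        tally[limiter.decide(t, client, qname, qtype)] += 1
    return dict(tally)


# Constructed traffic: 40 reflected queries in one second, forged sources 192.0.2.0-39,
# plus three legitimate resolvers asking once each.
ATTACK = [(i / 40, f"192.0.2.{i}", "dyn.com", "TXT") for i in range(40)]
LEGIT = [(0.5, "198.51.100.53", "dyn.com", "TXT"),
         (0.6, "203.0.113.9", "dyn.com", "A"),
         (0.7, "198.51.100.53", "www.dyn.com", "A")]
EVENTS = sorted(ATTACK + LEGIT)

if __name__ == "__main__":
    print(simulate(ResponseRateLimiter(responses_per_second=5, slip=2), EVENTS))
```

With responses-per-second 5 and slip 2 the flood gets five real answers, then alternates between silence and truncated replies, while the three resolvers in other netblocks are untouched. The corner case on the Con slide shows up in the same model: a busy forwarder sitting in one /24 behind a very short TTL legitimately re-asks within the window and is throttled like the attacker, and only the slipped truncated replies let it recover over TCP.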

Page 43

What Else To Do?

• Press network operators to do BCP 38
  – Specify it in RFPs
  – Test for implementation
• Resist dilutions of secure protocols
  – Special-access ports for law enforcement, government, and so on are also back doors for criminals
  – We have enough compromised systems on the Internet
  – Insecure protocols weaken security for all

Page 44

Review

Page 45

DDoS

• Just a special Denial of Service
• Made easier / “worse” by the network environment we have
• Not a new problem

Page 46

DNS DDoS

• Mostly reflector attacks
• Relies on issues with UDP
• Even ordinary services (e.g. TXT records) offer big amplification

Page 47

Reflectors

• 2 victims
• Target service can fail
• Intermediate DNS servers get hit

Page 48

Open Resolvers Not At Fault

• You can do a reflector attack with only authoritative servers involved

• You can’t do a reflector attack if you have good egress filtering everywhere

Page 49

Solutions Depend On Your Use

• Outsourcing can help, but not everyone

• Anycast can help, but not in all cases

• Appliances can do nothing if they’re inside your data centre behind the same plugged “pipe”

Page 50

August 7-8 | Manchester, NH
- Limited registrants!
- Great keynotes!
www.geeksummercamp.com

Page 51

New whitepaper!

Everything You Need To Know About A DDoS Attack

Download at http://dyn.com/content-hub/

Page 52

Email Webinar! Wednesday, July 24, 2 PM EST | 19:00 GMT

Mike Veilleux, Director of Email Product
Steve Wheeler, Director of Deliverability

Page 53

Thank You!

Andrew Sullivan, Director of DNS Engineering
[email protected]