DNS Amp and its mitigation

UDP-based Amplification Attacks
and their Mitigations
Yoshiaki Kasahara
kasahara@nc.kyushu-u.ac.jp
1/21/2014
APAN 37th in Bandung, Indonesia
1
Summary
• If you have servers with global IP addresses…
1. Make sure you don’t have NTP servers
answering “monlist” query
2. Make sure you don’t have open DNS
resolvers
• (If you are a network admin) consider
implementing ingress/egress filter at the
border router
UDP: User Datagram Protocol
• Defined in RFC 768
– This protocol provides a procedure for application
programs to send messages to other programs with
a minimum of protocol mechanism. The protocol is
transaction oriented, and delivery and duplicate
protection are not guaranteed. Applications requiring
ordered reliable delivery of streams of data should use
the Transmission Control Protocol (TCP) [2].
• Very simple, lightweight protocol on top of IP
– Basically it just adds port numbers
UDP-based protocols (examples)
• DNS: Domain Name System
• NFS: Network File System
• NTP: Network Time Protocol
• SNMP: Simple Network Management Protocol
• DHCP: Dynamic Host Configuration Protocol
• TFTP: Trivial File Transfer Protocol
• Syslog
• Streaming / VoIP
• UDP is used for...
– Simplicity
– Less overhead (latency)
– Broadcast / Multicast
What’s wrong?
• Source Address Spoofing
– UDP itself doesn’t validate the peer address
– Send packets with spoofed source address, and
reply packets will go to the spoofed address
– Not a “new” problem (known before 2000)
• Traffic Amplification
– Servers may return packets larger than a client’s
query packet
Normal Communication
[Diagram: Host A sends a packet (Source A, Dest. B) to Host B; Host B replies with a packet (Source B, Dest. A) back to Host A]
Source Address Spoofing
[Diagram: Host A sends a packet with a spoofed source (Source C, Dest. B) to Host B; Host B replies with a packet (Source B, Dest. C), which goes to Host C instead of Host A]
Amplification
[Diagram: Host A sends many small query packets (Source C, Dest. B) to Host B; Host B sends the reply packets, with large payloads (Source B, Dest. C), to Host C]
Distributed DoS
[Diagram: Botnet → spoofed queries → Open UDP Servers → huge replies → Host C (the victim)]
Mitigations
• It is almost impossible to mitigate the attack on
the victim side
– DDoS packets might come from all over the world
• Vulnerable servers should be closed
• Ultimately, spoofed packets should be
blocked at the source side
– BCP38
Ongoing targets (AFAIK)
• NTP
– More than 1M vulnerable servers (as of Jan-2014)
– (report from http://openntpproject.org/)
• DNS
– Almost 30M servers (as of Oct-2013)
– (report from http://openresolverproject.org/)
• SNMP
• chargen
• echo (reflection only)
NTP
• Network Time Protocol
– Used to synchronize clocks over the Internet
– NTP daemon (ntpd) can be used as both client and
server
• Around last Christmas, amplification attack
using NTP started to emerge
– Using “monlist” query against NTP servers to
amplify traffic
monlist
• … is a remote command in older versions of NTP that
sends the requester a list of the last 600 hosts that
have connected to that server
% ntpdc -nc monlist localhost
remote address          port local address          count m ver code avgint  lstint
===============================================================================
::1                    46902 ::1                     9347 7 2     0      8       0
133.5.6.1                123 133.5.6.4                194 4 4    c0    958       0
133.5.1.6                123 133.5.6.4                194 4 4    c0   1022     198
38.229.1.13            16086 133.69.133.98              1 6 2    c0      0    7226
195.154.11.11          44953 133.69.133.98              1 7 0    c0      0   60524
133.5.164.185            123 133.5.6.4                  1 3 1    c0      0   91996
• The reply of “monlist” is considerably larger than its
query
– Also it might leak intranet IP address usage
How to fix
• Removed in ntpd 4.2.7p26 (development
version)
– Not in stable version yet
– Some vendors had released fixes independently
• Workaround
– deny queries by “restrict” command
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1
# allow query from localhost
Check your hosts
• A Unix/Linux host might be running ntpd
• Even some gateway routers have the same function
• Send the “monlist” command from another host and see the
result
% ntpdc -nc monlist 133.5.xxx.xxx
133.5.xxx.xxx: timed out, nothing received
***Request timed out
• If you see a list of IP addresses, your host can be abused
• You can use the “nmap” network scanner to find out whether a host is
running an NTP service
Filtering?
• You need to allow query packets from your network to
external NTP servers, and their replies
– Many systems have preconfigured NTP servers such as
time.windows.com and time.apple.com
• Filtering by a simple ACL is difficult
– Not all client implementations use ephemeral ports
• ntpd uses port 123 for both source and destination ports
– You cannot tell whether a packet is a query or a reply based on
its port numbers
• A modern (stateful) firewall should handle this properly
DNS
• Domain Name System
– Hierarchical, distributed naming system
– Mainly used for mapping easily-memorable
domain names to numeric IP addresses
– One of fundamental components of the Internet
DNS servers
• “DNS server” actually has two meanings
– “Authoritative” or “Contents” server
• Provides information about its zones (≈ domains) to others
– “Recursive” or “Cache” server (resolver)
• Asks other “auth” servers on behalf of the
“stub” resolvers of client hosts
• Sometimes both functions are on the same host
(hybrid server)
(Simplified) Diagram
[Diagram: the Client PC (Stub Resolver) asks the Cache Server, which in turn queries the Authoritative Server of “.” (root server), then the Authoritative Server of “jp”, then the Authoritative Server of “kyushu-u.ac.jp”]
Open Resolver
• … is a cache server which answers recursive
queries from anywhere
• Good target for DNS Amp
– Attackers can let it cache any data they want, to make
the amplification more efficient
• Your cache server should serve only for your
clients (inside your network)
– You can write “acl” in named.conf to limit clients’ IP
ranges
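As an added illustration (not configuration from the talk), a BIND named.conf fragment that applies the “acl” idea above: the prefix is the 133.5.0.0/16 used on these slides, and every other client gets a small REFUSED answer instead of recursion.

```conf
// Added example: cache server that recurses only for the campus network.
// 133.5.0.0/16 is the prefix shown on the slides; replace it with yours.
acl "campus" {
    133.5.0.0/16;
    127.0.0.1;
    ::1;
};

options {
    recursion yes;
    // Only campus clients may use this server as a resolver
    allow-recursion { campus; };
    // ...and only they may read answers already in the cache
    allow-query-cache { campus; };
    // Everyone else is refused outright (a REFUSED reply is tiny,
    // so it offers almost no amplification)
    allow-query { campus; };
};
```

On a hybrid server, allow-query would have to stay open for the zones it is authoritative for, which is one more reason to run the two roles on separate addresses as the later slides suggest.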
Filtering?
• You cannot blindly filter DNS packets toward
your network
– Authoritative server must receive packets from all
the Internet
– You need to collect a list of authoritative servers
and exclude them
• But then you cannot filter hybrid (act as both auth and
cache) servers
Response Rate Limiting (RRL)
• http://www.redbarn.org/dns/ratelimits
• Queries toward auth servers cannot be filtered
• Rate-limit responses to reduce the impact of amplification
– Thanks to caching, an auth server shouldn’t receive
repeated identical queries from the same resolver
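To make the caching argument concrete, here is a small simulation of the RRL idea (added example, not code from the talk, BIND or NSD): identical responses to the same client network are counted per second and the surplus is dropped, so a spoofed flood is not amplified while ordinary resolvers are untouched. The traffic below is constructed; the /24 grouping mirrors BIND’s default prefix length, and the sliding window and SLIP behaviour of real RRL are left out.

```python
"""Simplified Response Rate Limiting (RRL). Added example, not the talk's code."""
from collections import defaultdict
from ipaddress import ip_network


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, prefix_len=24):
        self.limit = responses_per_second
        self.prefix_len = prefix_len
        # (client network, qname, qtype) -> [second, responses in that second]
        self.state = defaultdict(lambda: [None, 0])

    def allow(self, now, client_ip, qname, qtype):
        """True if the response may be sent, False if RRL drops it."""
        net = ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        entry = self.state[(str(net), qname.lower(), qtype)]
        second = int(now)
        if entry[0] != second:      # first response in a new second: reset
            entry[0], entry[1] = second, 0
        entry[1] += 1
        return entry[1] <= self.limit


def simulate(queries, limit=5):
    """queries: iterable of (time, client_ip, qname, qtype); returns (sent, dropped)."""
    rrl = ResponseRateLimiter(limit)
    sent = dropped = 0
    for t, ip, name, qtype in queries:
        if rrl.allow(t, ip, name, qtype):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


# Constructed traffic: a spoofed flood of one query "from" the victim's /24
# (documentation addresses), plus a few legitimate resolvers asking for
# different records. A real resolver would have cached the answer and asked once.
FLOOD = [(0.001 * i, "192.0.2.10", "kyushu-u.ac.jp", "ANY") for i in range(100)]
NORMAL = [(0.5, "198.51.100.7", "www.kyushu-u.ac.jp", "A"),
          (0.6, "203.0.113.9", "kyushu-u.ac.jp", "MX"),
          (0.7, "198.51.100.8", "www.kyushu-u.ac.jp", "A")]

if __name__ == "__main__":
    print("flood  (sent, dropped):", simulate(FLOOD))    # (5, 95)
    print("normal (sent, dropped):", simulate(NORMAL))   # (3, 0)
```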
Implementation
• BIND
– Officially supported from 9.9.4
– Patch available for 9.7 and 9.8
• Available at http://ss.vix.su/~vjs/rrlrpz.html
– This page discusses both RPZ (Response Policy Zone) and RRL
• Some Linux distributions independently backported
patches to their packages (including RHEL6, Debian etc)
• NSD
– Supported by both NSD3 (3.2.15 and later) and
NSD4
Separating servers
• “BIND” (a reference implementation of DNS) has both
authoritative and cache server functionalities in one
binary
– In the old days that was fine, but…
• If you are running one BIND instance as both an
authoritative and a cache server (hybrid),
• Please consider separating them onto two different IP
addresses (possibly on separate hosts)
– Easier configuration and troubleshooting
– Easier filtering and rate control
Legacy configuration
[Diagram: a single Hybrid Server answers the Client PC (Stub Resolver), answers Another Cache Server, and queries the Authoritative Servers]
Separated configuration
[Diagram: the Client PC (Stub Resolver) uses the Cache Server, which queries the Authoritative Servers; Another Cache Server queries the separate Auth. Server]
Other Protocols
• SNMP (port 161)
– If you know the “community” string, you can send a query
packet and receive an answer
– Some major implementations have the default string
“public” for the read-only community (which is enough for
amplification)
• chargen (port 19)
– Fossil service emitting a large character stream
• echo (port 7)
– Returns the same contents as the received packet
• No amplification, reflection only
Other Protocols
• These protocols should be filtered at the border router
• SNMP
– Don’t forget to change the community string
• chargen and echo
– Check /etc/inetd.conf and make sure the service is disabled
#chargen dgram udp wait root internal
• On Windows, “chargen” and “echo” can be enabled by
enabling “Simple TCP/IP Services”
– Please make sure your PC doesn’t respond to “telnet hostname
19”
• Scan your host with “nmap” if suspicious
In Kyushu University...
• Timeline
– Feb. 2013
• Spoofed DNS queries to open resolvers seen sporadically
– Apr. 2013
• Started to filter DNS packets from outside except registered
authoritative DNS servers
– Sep. 2013
• Massive spoofed DNS traffic toward some of these (excluded) DNS
servers observed
• DoS protection based on simultaneous session count enabled on
our firewall
– Jan. 2014
• Spoofed NTP traffic toward a switch consumed 100% of its CPU
• NTP filtering installed
Some Details
• Massive DNS traffic to our network in Sep. 2013
– Some of our hybrid DNS servers were used as
reflectors
– The traffic itself was not huge enough to fill our uplink,
but ...
– Our (next generation) firewall collapsed because of its DPI
functionality
• Several signatures inspecting DNS traffic (to detect some
malware) consumed 100% of its resources
• The Internet connection became very unstable (maybe because
DNS traffic was choked)
At that time...
• Cache-only DNS servers had already been filtered
• Authoritative servers were visible from the Internet
– and some of them were hybrid open resolvers...
– We postponed telling their admins to fix these servers (my bad)
• After the attack, we started to fix these servers, but the
spoofed traffic wouldn’t stop
– Maybe the attackers didn’t care much about individual targets
• We enabled DoS protection (limiting the number of
simultaneous sessions)
– … which caused other problems (that is another story)
Ingress Filtering
• BCP38 (RFC2827): Network Ingress Filtering:
Defeating Denial of Service Attacks which employ
IP Source Address Spoofing
– https://tools.ietf.org/html/bcp38
– First published as RFC2267 in 1998
– Revised in 2000
• The idea is simple
– Drop packets entering a network at the border router
whose source address does not belong to the address
range assigned to the origin network
Ingress Filtering: Example
[Diagram: Kyushu University (133.5.0.0/16) sends packets toward the Internet; the border router allows the packet with Source 133.5.1.1 and drops the one with Source 192.168.1.1: allow packets with a valid source address only]
Caveats
• Conventional Mobile IP will break
– A mobile device sends packets with its home
address as the source (triangle routing)
– Returning packets need to be tunnelled by the home agent
• Reverse path tunneling
• Multihoming
– Discussed in BCP84 (RFC 3704)
Egress Filtering
• Similar idea to Ingress Filtering
– Drop packets leaving the network at the border
router which violate the security policy of the
network (for example, a source address outside
the assigned network address range)
• Bad customers won’t implement an Egress Filter
• Still useful for larger edge networks with many
users (such as universities, enterprises…)
Egress Filtering: Example
[Diagram: same picture as the ingress example, but the filter sits on Kyushu University’s own border router (133.5.0.0/16); the packet with Source 133.5.1.1 leaves, the one with Source 192.168.1.1 is dropped: allow packets with a valid source address only]
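The rule behind both the ingress and the egress example is the same check placed on different routers. The following is an added example (not code from the talk) that implements that check for the 133.5.0.0/16 prefix used on the slides, plus a companion check, beyond what the slides state, that drops inbound packets claiming our own addresses; all sample packets are constructed.

```python
"""BCP38-style source-address filter for a border router. Added example."""
from ipaddress import ip_address, ip_network

# Prefix(es) assigned to the origin network (taken from the slides).
ASSIGNED = [ip_network("133.5.0.0/16")]


def valid_source(src, assigned=ASSIGNED):
    """True if src lies inside one of the assigned prefixes.

    Applied by the upstream on the interface facing the customer this is the
    BCP38 ingress filter; applied by the customer on its own border it is the
    egress filter. The test is identical, only the placement differs.
    """
    addr = ip_address(src)
    return any(addr in net for net in assigned)


def claims_our_prefix(src, assigned=ASSIGNED):
    """Companion check (an assumption beyond the slides): a packet arriving
    from the Internet must not carry one of our own addresses as its source,
    since a reply to such a packet would be reflected back into our network."""
    return valid_source(src, assigned)


def filter_packets(packets, assigned=ASSIGNED):
    """packets: list of (direction, src), direction being 'out' (leaving the
    origin network) or 'in' (arriving from the Internet).
    Returns a list of (src, 'allow' | 'drop')."""
    verdicts = []
    for direction, src in packets:
        if direction == "out":
            ok = valid_source(src, assigned)
        else:
            ok = not claims_our_prefix(src, assigned)
        verdicts.append((src, "allow" if ok else "drop"))
    return verdicts


if __name__ == "__main__":
    # Constructed sample traffic as seen at the campus border.
    sample = [("out", "133.5.1.1"), ("out", "192.168.1.1"),
              ("in", "198.51.100.1"), ("in", "133.5.6.4")]
    for src, verdict in filter_packets(sample):
        print(f"{src:>14}  {verdict}")
```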
Summary (again)
• If you have servers with global IP addresses…
1. Make sure you don’t have NTP servers
answering “monlist” query
2. Make sure you don’t have open DNS
resolvers
• (If you are a network admin) consider
implementing ingress/egress filter at the
border router
References
• Please try the following URLs to check your
systems and read the how-tos
– http://openntpproject.org/
• NTP Scanning Project
– http://openresolverproject.org/
• Open Resolver Project
Thank you for your attention!
Yoshiaki Kasahara
kasahara@nc.kyushu-u.ac.jp