Dark Side of the DNS Force
08.08.2016 Views
Share Embed Flag

Dark Side of the DNS Force

us-16-Wu-Dark-Side-Of-The-DNS-Force

us-16-Wu-Dark-Side-Of-The-DNS-Force

SHOW MORE
SHOW LESS
ePAPER READ
DOWNLOAD ePAPER
fj.twt

You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

START NOW

<strong>Dark</strong> <strong>Side</strong> <strong>of</strong> <strong>the</strong> <strong>DNS</strong> <strong>Force</strong><br />

ERIK WU<br />

ACALVIO, INC.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong><br />

104.20.66.243

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong><br />

blackhat.com.<br />

<strong>DNS</strong><br />

104.20.66.243<br />

104.20.66.243

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

Registered Internet Domains<br />

1200<br />

1000<br />

800<br />

600<br />

400<br />

200<br />

0<br />

Internet Domain Names (in millions)<br />

1993<br />

1994<br />

1995<br />

1996<br />

1997<br />

1998<br />

1999<br />

2000<br />

2001<br />

2002<br />

2003<br />

2004<br />

2005<br />

2006<br />

2007<br />

2008<br />

2009<br />

2010<br />

2011<br />

2012<br />

2013<br />

2014<br />

2015<br />

2016<br />

Source Statista

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

Cloudflare/Spamhaus DDoSed via<br />

open <strong>DNS</strong> resolvers<br />

FLASHING IN<br />

MARCH 2013<br />

300gbps <strong>DNS</strong><br />

amplification<br />

attacks<br />

27.2M open<br />

<strong>DNS</strong> resolvers<br />

(in 2013)<br />

17.6M <strong>of</strong> today<br />

(>3yrs later)<br />

Responses Unique Correct Responses Wrong Port RA<br />

Source openresolverproject.org

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

• Enablers<br />

• Open <strong>DNS</strong> resolvers<br />

• <strong>DNS</strong> amplifiers<br />

• Legit<br />

• Purpose-built<br />

• Spo<strong>of</strong>ed sending addresses (<strong>of</strong> victims)<br />

Open<br />

Resolver<br />

<strong>DNS</strong> Amplifier<br />

attacker<br />

Open<br />

Resolver<br />

victim

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

<strong>DNS</strong> AMPLIFIER<br />

Legit | Purpose-built

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

<strong>DNS</strong> AMPLIFIER<br />

Legit | Purpose-built

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

<strong>DNS</strong> AMPLIFIER<br />

Legit | Purpose-built

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

<strong>DNS</strong> AMPLIFIER<br />

Legit | Purpose-built

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

<strong>DNS</strong> amplification DDoS attacks<br />

• Mitigation options<br />

• Filter spo<strong>of</strong>ed sending addresses<br />

• Disarm amplifiers<br />

• Close open resolvers

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

High spikes <strong>of</strong> unique domains<br />

seen on Internet<br />

6000<br />

Unique Domain Names (in Millions)<br />

5000<br />

4000<br />

3000<br />

2000<br />

1000<br />

0<br />

Source: Nominum

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Good<br />

Bad<br />

Ugly<br />

What’s wrong with subdomains?<br />

blackhat.com.<br />

www.blackhat.com.<br />

m.blackhat.com.<br />

media.blackhat.com.<br />

wwww.blackhat.com.<br />

mwww.blackhat.com.<br />

mmww.blackhat.com.<br />

mmmw.blackhat.com.<br />

mmmm.blackhat.com.<br />

104.20.66.243<br />

NXDOMAIN

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Initial Trial<br />

Serious<br />

weapon<br />

Subdomain attack as a<br />

competitive edge<br />

• Online gaming sites’ availability is<br />

a key metrics<br />

• Subdomain attack was a novel<br />

abuse <strong>of</strong> <strong>DNS</strong> back in 2011/2012<br />

• Initially simple sequence number<br />

strings were used as prefixes to a<br />

competitor gaming site domain<br />

name to destruct <strong>the</strong> service <strong>of</strong> that<br />

gaming site:<br />

100000000.sf520.com.<br />

100000001.sf520.com.<br />

100000010.sf520.com.<br />

100000011.sf520.com.<br />

100000100.sf520.com.<br />

100000101.sf520.com.<br />

100000110.sf520.com.<br />

100000111.sf520.com.<br />

100001000.sf520.com.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Initial Trial<br />

Serious<br />

weapon<br />

Aimed at high-value targets<br />

~200M unique subdomains<br />

<strong>of</strong> arkhamnetwork.org.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Initial Trial<br />

Serious<br />

weapon<br />

Aimed at high-value targets

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Strings<br />

Position<br />

Composition<br />

Subdomain strings<br />

SUBDOMAIN STRINGS:<br />

• Fixed or varying length:<br />

• Time stamps:<br />

• Random strings<br />

• Random numbers<br />

• Sequence numbers<br />

• Dictionary words<br />

z5kr836ws<br />

qjkn<br />

zdecc7nnx<br />

styzcphur<br />

1465560729 1465561210<br />

WO423WWWOX5C FN88RBHXWX9J<br />

2967230841 4343234574<br />

1165885261118 1165885261119<br />

glassmaking dishwater

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Strings<br />

Position<br />

Composition<br />

Subdomain position<br />

SUBDOMAIN POSITION:<br />

• Left most<br />

• 2nd left most<br />

• 3rd left most<br />

• Any position on <strong>the</strong> left side <strong>of</strong> target domain<br />

zdecc7nnx.www.blackhat.com.<br />

m.zdecc7nnx.www.blackhat.com.<br />

n.m.zdecc7nnx.www.blackhat.com.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Strings<br />

Position<br />

Composition<br />

Subdomain composition<br />

SUBDOMAIN COMPOSITION:<br />

• Single subdomain string<br />

• Multiple subdomain strings<br />

FN88RBHXWX9J.blackhat.com.<br />

WO423WW1WX5.FN88RBHXWX9J.blackhat.com.<br />

• Combination <strong>of</strong> constant and random strings<br />

a.FN88RBHXWX9J.blackhat.com.<br />

b.WO423WW1WX5.blackhat.com.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Operation<br />

Mitigation<br />

Impact<br />

• Attacking target domain’s authoritative name servers<br />

• Collateral damages <strong>of</strong> <strong>DNS</strong> resolvers along <strong>the</strong> path<br />

• Enablers:<br />

• Subdomain generator<br />

• (optional) Open resolvers<br />

• (optional) Spo<strong>of</strong>ed sending addresses<br />

Resolver<br />

Resolver<br />

what is IP address<br />

<strong>of</strong> victim.com?<br />

victim’s name server<br />

victim.com.

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Operation<br />

Mitigation<br />

Operation Disruption<br />

Authoritative name server <strong>of</strong>ten serves more than one domain,<br />

so does <strong>DNS</strong> resolver (cache/recursive)<br />

A major ISP operation may be taken down by small-scale<br />

subdomain attacks<br />

• 2gbps vs 300gbps

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Operation<br />

Mitigation<br />

Mitigation Option<br />

• SUBDOMAIN ATTACKS MAY BE MITIGATED<br />

WITH VARYING RESULTS:<br />

• Drop queries with random strings<br />

• Limit queries with random strings<br />

• Limit queries per IP address<br />

• Limit queries per domain<br />

• Drop queries per domain<br />

• What about high-value targets?

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Innovation<br />

Defense<br />

<strong>Dark</strong> <strong>Side</strong> Innovation<br />

SIMPLE PROTOCOL ABUSE CAN BECOME A MAJOR<br />

SECURITY HEADACHE AND COSTLY MITIGATION:<br />

• <strong>DNS</strong> cache poisoning<br />

• <strong>DNS</strong> changer<br />

• <strong>DNS</strong> amplification<br />

• <strong>DNS</strong> subdomain<br />

• <strong>DNS</strong> tunneling

Intro<br />

Subdomain<br />

Mechanism<br />

Impact<br />

Outro<br />

Innovation<br />

Defense<br />

<strong>Dark</strong> <strong>Side</strong> Innovation<br />

ARMS RACE BETWEEN THE DARK-SIDE INNOVATIONS AND<br />

OURS IN CYBER SECURITY DEFENSE:<br />

The dark-side has<br />

repeatedly won <strong>the</strong> fight<br />

Rethinking <strong>of</strong> our<br />

defense strategy<br />

Any glitch in our defense is a winning<br />

amplifiable opportunity for <strong>the</strong> darkside,<br />

while vice versa is not true<br />

Deception to help rebalance <strong>the</strong><br />

asymmetric warfare situation between<br />

<strong>the</strong> dark-side and us

Thanks and Questions

logo

products

Resources

Company

Terms of service
Privacy policy
Cookie policy
Cookie settings
Imprint
Change language
Made with love in Switzerland
© 2024 Yumpu.com all rights reserved

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!