The document discusses recent developments in DNS, including DNS cookies, DNSSEC, and DANE for SMIME authentication. It describes how DNS cookies provide weak authentication for queries and responses to help mitigate DDoS attacks. It outlines how DNSSEC and the DANE protocol enable SMIME authentication via DNS resource records. The document also summarizes evolving DNS amplification attacks and methods to mitigate them, such as limiting queries from misbehaving clients and blacklisting open recursive resolvers.
Certified PL Driver, Dad, Citizen, Taxpayer
DNS - What's new in the world of (D)i(N)o(S)aurs.
DNS: a well-known and widely used protocol in networks and on the Internet.
Has anything new happened? Has anything changed in the standards?
Maybe a new form of attack has appeared?
I will try to tell you what is going on in the DNS world.
If time and the quality of the Internet connection during the conference permit, maybe I will manage to demonstrate a phenomenon that has been very fashionable lately ;-) What exactly?
I won't say.
See you at the session!
Presenter
Adam Obszyński (Infoblox)
History of DNS – 2/3 slides
Q – DNS Cookies + DANE???
DDoS – Attacks + protection, e.g. fetches or foresight
Popularity – conflicts in gTLDs
Paul Mockapetris
Notify: Paul Vixie
If query received with bad or no Server Cookie, send back short error message
Bad guy Resolver behind a NAT
Could get Server Cookie and attack other resolvers behind the NAT
Solution: Mix Resolver Cookie into Server Cookie hash so multiple resolvers that appear to be at the same IP address are distinguished
Anycast Servers
Need to use the same server secret on every anycast node, or ensure that queries from the same resolver usually reach the same server
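A small model of the cookie scheme described on these slides, added here as an example and not taken from the talk or from any resolver's code. It assumes HMAC-SHA256 over the client cookie and client IP, keyed with the server secret and truncated to 8 bytes (the real construction is specified in RFC 7873 / RFC 9018); it shows the short BADCOOKIE reply, the retry with the learned cookie, and why mixing the client cookie into the hash separates two resolvers behind one NAT.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed construction (not from the slides): HMAC-SHA256 keyed with the
# server secret over client cookie + client IP, truncated to 8 bytes.
COOKIE_LEN = 8


def new_client_cookie() -> bytes:
    """A resolver picks one random 8-byte client cookie per server it talks to."""
    return secrets.token_bytes(COOKIE_LEN)


def server_cookie(secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Mixing the client cookie into the hash is what tells two resolvers
    behind the same NAT (same source IP) apart."""
    msg = client_cookie + client_ip.encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def handle_query(secret: bytes, client_cookie: bytes, presented: Optional[bytes],
                 client_ip: str) -> Tuple[str, bytes]:
    """Server side: a bad or missing server cookie gets a short BADCOOKIE
    reply carrying the correct cookie instead of a full (amplifying) answer."""
    expected = server_cookie(secret, client_cookie, client_ip)
    if presented is None or not hmac.compare_digest(presented, expected):
        return ("BADCOOKIE", expected)
    return ("ANSWER", expected)


def resolver_round_trip(secret: bytes, client_ip: str) -> Tuple[str, str]:
    """Client side: the first query carries no server cookie; the retry uses
    the cookie the server handed back. Returns both response codes."""
    cc = new_client_cookie()
    first, learned = handle_query(secret, cc, None, client_ip)
    second, _ = handle_query(secret, cc, learned, client_ip)
    return first, second


def nat_reuse_rejected(secret: bytes, nat_ip: str) -> bool:
    """Resolver A behind the NAT learns its own server cookie; presenting it
    with resolver B's client cookie from the same IP must fail."""
    cc_a, cc_b = new_client_cookie(), new_client_cookie()
    _, learned_by_a = handle_query(secret, cc_a, None, nat_ip)
    verdict, _ = handle_query(secret, cc_b, learned_by_a, nat_ip)
    return verdict == "BADCOOKIE"


if __name__ == "__main__":
    key = secrets.token_bytes(32)                         # constructed secret
    print(resolver_round_trip(key, "198.51.100.7"))       # ('BADCOOKIE', 'ANSWER')
    print(nat_reuse_rejected(key, "198.51.100.7"))        # True
```

Two anycast nodes sharing the same secret compute identical cookies, so a resolver that lands on a different node keeps working; nodes with different secrets would bounce every cookie back as BADCOOKIE, which is the anycast point the slide makes.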
dig +dnssec type52 _443._tcp.www.freebsd.org
ICANN51
ICANN 49
CHECK YOUR NS records...
Deployment of myTAC 2-Factor (2FA) authentication modules. SMS – computer authentication with verification using SMS; Smart – smartphone application-based (iOS & Android)
Points of Protection
– Authentication Process
– Password Recovery
It may be a faster rate as well: thousands of packets per second is possible and we have seen it
Responses start as NXDOMAIN, gradually shift to SERVFAIL as the load increases, and then stop altogether as the target victim's DNS fails
The target could be the internal recursive server, in which case the volume of these queries from each client will be higher. If the target is a website (maybe a gaming site or a government site), then the volume from each client is lower to avoid detection, but a larger number of clients originate these queries to DDoS the target victim.
Phantom domain mitigation - Automatic black-holing of non-responsive and misbehaving servers, and the zones they serve
A list of known dead servers and zones is created
ADP drops all queries to these servers on the non-responsive list
For traffic to flaky servers and zones, rate limiting is applied
Any server that exceeds the responsiveness limit will be sent fewer queries for a configurable period of time
Limits configured through CLI
2. Adjustable recursive timeout
Timeout for recursive name lookup can be lowered to quickly free up DNS resolver resources under attack
Prevents maxing out on the number of outstanding DNS queries
What is the default now?? Are we changing the default??
Configured through CLI
We had given this to some customers who were experiencing NXDOMAIN (NXD) attacks. We are now productizing this.
A misbehaving server can pretend to be authoritative for lots of domains, so blackhole these servers.
We have learnt from customer experiences and pcap files that there are multiple flavors of attack that need different ways of mitigation.
Henry Stern, Farsight | ICANN50 | London
How to get data?
False positives