Proceedings of 10th Global Engineering, Science and Technology Conference
2-3 January, 2015, BIAM Foundation, Dhaka, Bangladesh, ISBN: 978-1-922069-69-6
A Realistic Approach and Mitigation Techniques for Amplifying
DDOS Attack on DNS
Muhammad Yeasir Arafat, Muhammad Morshed Alam and Feroz Ahmed
Domain name system (DNS) amplification attacks exploit open recursive DNS servers, generally to perform bandwidth-consuming amplifying distributed denial of service (DDoS) attacks. The amplification effect lies in the fact that DNS response messages are substantially larger than DNS query messages. In this paper, the authors present and evaluate a practical approach that is able to distinguish between valid and bogus DNS replies. The proposed scheme can effectively protect DNS servers, acting both proactively and reactively. The authors demonstrate a DNS DDoS attack and also suggest a mechanism that can protect a DNS server from amplifying DDoS attacks, especially attacks targeting the bandwidth of the victim server.
We propose a new defence based on iptables and routine fail2ban detection. The attack flow detection mechanism detects attack flows based on the indication of stress at the server, since it is getting more difficult to identify bad flows based only on incoming traffic patterns. Our analysis and the corresponding real-usage experimental results demonstrate that the proposed scheme offers a flexible, strong and effective solution against amplifying DDoS attacks on DNS.
Keywords: DDoS, DNS Amplification Attack, Recursive, UDP, iptables, fail2ban
1. Introduction
A denial of service (DoS) attack is a malicious attempt to disrupt the service provided by networks or servers. The power of a DoS attack is amplified by incorporating thousands of zombie machines through botnets and mounting a distributed DDoS attack. Although many defence mechanisms have been proposed to counter DDoS attacks, this remains a difficult issue, especially because attack traffic has recently tended to mimic normal traffic.
Over the past few years, the size and frequency of DDoS attacks have grown dramatically as attackers take advantage of botnets and other high-speed Internet access technologies to overwhelm their target's network infrastructure. In fact, according to Arbor's sixth annual Worldwide Infrastructure Security Report, the largest recorded DDoS attack has grown ten times in size from 2005 (10 Gbps) to 2013 (300 Gbps). To make matters worse, the report also highlights a growing new trend in DDoS attacks. Not only are DDoS attacks getting larger and more frequent, but they are also becoming more sophisticated as they pinpoint specific applications (e.g., DNS, Hypertext Transfer Protocol (HTTP) or Voice over Internet Protocol (VoIP)) with smaller, stealthier attacks.
A DNS amplification attack is a popular form of DDoS, in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target's address. When the DNS server sends the DNS record response, it is sent to the target instead. Attackers normally submit a request for as much zone information as possible to maximize the amplification effect. In most attacks of this type observed by the United States Computer Emergency Readiness Team (US-CERT), the spoofed queries sent by the attacker are of type "ANY", which returns all known information about a DNS zone in a single request. Because the size of the response is significantly larger than the request, the attacker is able to increase the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. In addition, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies.
Department of Electrical and Electronic Engineering, School of Engineering and Computer Science, Independent University, Bangladesh, Email: email@example.com, firstname.lastname@example.org & email@example.com
The remainder of this paper is organized as follows. Section 2 discusses related studies of amplifying DoS attacks on DNS. Section 3 describes the characteristics of the amplifying DDoS attack. Section 4 shows how an amplifying DDoS attack on DNS is carried out. In Section 5, we propose a mitigation technique based on iptables and on disabling open recursion in BIND; Section 5 also shows how to protect a DNS server with fail2ban, which manages Linux iptables rules, and how to find the bots from the DNS log file. Finally, conclusions are presented in Section 6.
2. Background and Related Study
In the area of DNS traffic analysis, the most closely related work is by Oberheide et al., who analyse DNS queries that target darknet sensors. The authors characterize these traces and propose a mechanism to implement a secure DNS service on darknet sensors. Moreover, Paxson was among the first to pinpoint how DNS reflectors make DDoS attacks harder to defend against. In another work, Tong, Xiao and Wang analyse corrupted DNS resolution paths and pinpoint an increase in malware that modified these paths and threatened DNS authorities.
In comparison to our work, Oberheide et al. have not linked or investigated any DNS DDoS traces through their analysis but solely focused on analysing DNS traffic. On the other hand, Paxson did not investigate darknet data. Therefore, DNS amplification traces destined to unused IP addresses (the darknet) cannot be detected through their analysis. However, darknet and other sources of data could be correlated to extract further intelligence on DNS amplification DDoS activities, such as the approximate number of infections. Future work could consider the latter task.
Because DNS queries and responses are mostly user datagram protocol (UDP) based, DNS is vulnerable to spoofing-based DoS attacks, which are difficult to defeat without incurring significant collateral damage. The key to preventing this type of DoS attack is spoof detection. There is little research work on DNS amplification attacks. Adam and Zare provide a thorough analysis of reflection-based DoS attacks. Two attack strategies against DNS are analysed. These two attacks can be controlled by filtering out replies to spoofed requests at the victim site and by restricting recursive servers to serve local machines only. The DNS security extensions (DNSSEC) are designed to provide data integrity and authentication rather than authenticating the requester, and offer no protection against DoS attacks. Xi Ye and Yiru Ye present a simple and practical method that is able to distinguish between authentic and bogus DNS replies. The proposed scheme acts proactively by monitoring DNS traffic in real time and alerting network administrators when necessary. Once the attack is confirmed, the approach filters out all the illegitimate DNS responses by automatically updating firewall rules to ban bogus packets.
3. Characteristics of the DNS Amplification Attack
In order to initiate a DNS amplification reflection attack, the attacker needs to perform two tasks. First, the attacker spoofs the address of the victim. This is the reflection part; it causes all replies from the DNS server to be directed to the victim's server. This can easily be done since UDP performs no handshake between client and server, unlike the transmission control protocol (TCP). Second, the attacker searches for responses that are several times bigger than the request. The attacker achieves an amplification factor because the response is several times larger than the request. The amplification can be even larger when DNSSEC is used, because the signatures increase the size of the response. Now the attacker is ready to perform the attack. The attacker launches a stream of small queries originating from a group of infected computers (referred to as a botnet) to one or multiple authoritative DNS servers. The DNS servers then reply to the source address of each query.
However, because the attacker spoofed the address of the victim, all the traffic is directed to the victim.
The victim gets overloaded with the amount of traffic sent to it and possibly cannot make use of the internet connection anymore. Not only is bandwidth exhausted, but the resources on the client's machine also become flooded. The client's machine can be so busy processing the incoming traffic that it exhausts its resources; this could lead to a halt of the client's machine. So a DNS reflection amplification attack can lead to two types of denial of service. The DNS amplification attack process is shown in Figure 1.
The bigger the amplification factor, the quicker bandwidth and resource consumption is inflicted on the victim. From the study of the DNS amplification attack, three major characteristics are identified. The first is that a DNS amplification attack must use port 53 and the UDP protocol. The second is a massive volume of UDP packets over a very short time period (over 4000 UDP response packets per second). The third is that the incoming and outgoing IP addresses of the packets do not match: because attackers exploit IP spoofing, the incoming and outgoing IP addresses do not match at the victim server. Therefore, by comparing the incoming and outgoing IP addresses, an intelligent algorithm can detect whether a DNS amplification attack has occurred.
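As an added illustration (not code from the paper), the following Python sketch turns the three characteristics above into a victim-side detector run over constructed packet records; the record fields, the threshold default and the documentation-range addresses are assumptions made here.

```python
from collections import defaultdict

# Victim-side detector for the three characteristics: (1) UDP on port 53,
# (2) more than THRESHOLD_PPS response packets in one second, (3) responses
# from servers the victim never queried (incoming/outgoing address mismatch).
# The packet records are a constructed, simplified view of a capture.
THRESHOLD_PPS = 4000   # characteristic (2) as stated in the paper


def detect_amplification(packets, threshold=THRESHOLD_PPS):
    """packets: iterable of dicts with keys ts (int seconds), direction
    ('in'/'out'), proto, src, dst, sport, dport, qr (0 query / 1 response).
    Returns one alert per second in which unmatched responses exceed threshold."""
    queried = set()                   # servers this host actually sent queries to
    unsolicited = defaultdict(int)    # second -> responses with no matching query
    reflectors = defaultdict(set)     # second -> source addresses of those responses
    for p in packets:
        if p["proto"] != "udp":       # characteristic (1): DNS over UDP/53 only
            continue
        if p["direction"] == "out" and p["dport"] == 53 and p["qr"] == 0:
            queried.add(p["dst"])
        elif p["direction"] == "in" and p["sport"] == 53 and p["qr"] == 1:
            if p["src"] not in queried:   # characteristic (3): address mismatch
                unsolicited[p["ts"]] += 1
                reflectors[p["ts"]].add(p["src"])
    return [
        {"second": s, "responses": n, "reflectors": sorted(reflectors[s])}
        for s, n in sorted(unsolicited.items()) if n > threshold
    ]


def sample_capture():
    """Constructed traffic: two legitimate exchanges, then a reflected flood."""
    pkts = []
    for server in ("192.0.2.53", "198.51.100.53"):   # documentation addresses
        pkts.append(dict(ts=0, direction="out", proto="udp", src="203.0.113.10",
                         dst=server, sport=40000, dport=53, qr=0))
        pkts.append(dict(ts=0, direction="in", proto="udp", src=server,
                         dst="203.0.113.10", sport=53, dport=40000, qr=1))
    # 4500 unsolicited responses in second 10 from 25 open resolvers
    for i in range(4500):
        pkts.append(dict(ts=10, direction="in", proto="udp",
                         src="192.0.2.%d" % (100 + i % 25), dst="203.0.113.10",
                         sport=53, dport=1024 + i % 100, qr=1))
    return pkts
```

The reflector list in each alert is the set of addresses a firewall rule (Section 5) would act on.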
4. Amplification DoS Attack on DNS
An ANY query returns all the records for a specific domain name regardless of the record type. When sent to a recursive server, the server can only return the records that it has cached. The server may be compelled to reply regardless of whether recursion is available. This is currently the most frequent attack because the ANY request usually returns a large collection of resource records, giving a high amplification ratio.
Attackers create their own domain and increase the DNS response size so that they can get higher amplification. In this case they use the domain fkfkfkfa.com, which is not a legitimate domain name. The command used for the DNS attack query is given below:
[root@ns3 ~]# dig ANY fkfkfkfa.com @103.12.178.XXX +edns=0 +notcp +bufsize=4096
This command sends the query in a UDP packet with an EDNS0 buffer size of 4096. The output reports that the query took 83 msec and identifies the server that answered it. The interesting part is the sizes: the query is 64 bytes and the response is 4002 bytes. The average DNS query size is 64 bytes, but here the response is 4002 bytes. That means the request is amplified by roughly 4002/64 = 62x.
The query output is shown in Figure 2.
Figure 2: Response size of query
So an attacker at 83.69.230.xxx who can launch 1 Mbps of DNS queries can amplify it by 64 times and send 64 Mbps of traffic to ietf.org. It's really impressive. That's why it's important to secure your DNS.
Usually I see 20 to 25 queries/second, but there are a few spikes with 70 queries/second, and most of those are ANY queries. When I check my DNS query log, what I get is really interesting.
To track my DNS queries I have configured bindgraph. Below is the output, in Figure 3:
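As an added example, not taken from the paper, this Python snippet does from the resolver's query log what the author does by eye above: it parses BIND 9 query-log lines and reports clients whose queries are mostly ANY. The log lines are constructed, and the BIND log formats accepted by the regex, the documentation-range addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Resolver-side check: which clients send mostly ANY queries, the pattern behind
# the spikes described above. LINE_RE accepts the older BIND 9 query-log form
# ("client IP#port: query: ...") and the newer one that adds the queried name
# in parentheses after the port. SAMPLE_LOG is constructed for this example.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

SAMPLE_LOG = """\
26-Dec-2014 10:15:01.001 client 192.0.2.7#43210: query: example.org IN A +
26-Dec-2014 10:15:01.120 client 192.0.2.7#43211: query: example.org IN AAAA +
26-Dec-2014 10:15:01.203 client 203.0.113.9#1025 (fkfkfkfa.com): query: fkfkfkfa.com IN ANY +E
26-Dec-2014 10:15:01.204 client 203.0.113.9#1026 (fkfkfkfa.com): query: fkfkfkfa.com IN ANY +E
26-Dec-2014 10:15:01.205 client 203.0.113.9#1027 (fkfkfkfa.com): query: fkfkfkfa.com IN ANY +E
26-Dec-2014 10:15:01.207 client 203.0.113.9#1028 (fkfkfkfa.com): query: fkfkfkfa.com IN MX +E
26-Dec-2014 10:15:02.010 client 192.0.2.7#43212: query: example.org IN MX +
"""


def parse_queries(text):
    """Yield (client_ip, name, qtype) for every query-log line that parses."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name"), m.group("qtype")


def suspicious_clients(text, min_queries=3, min_any_ratio=0.5):
    """Return {ip: (total, any_count, names)} for clients that sent at least
    min_queries queries of which a fraction >= min_any_ratio were ANY.
    In a spoofed amplification attack the logged "client" is the victim, so
    this is the list a fail2ban-style rule on the resolver would act on."""
    totals, anys, names = defaultdict(int), defaultdict(int), defaultdict(set)
    for ip, name, qtype in parse_queries(text):
        totals[ip] += 1
        if qtype == "ANY":
            anys[ip] += 1
            names[ip].add(name)
    return {
        ip: (totals[ip], anys[ip], sorted(names[ip]))
        for ip in totals
        if totals[ip] >= min_queries and anys[ip] / totals[ip] >= min_any_ratio
    }
```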
5. Proposed Mitigation Mechanism
In this paper, we propose mechanisms that can protect against DNS amplifying attacks, especially attacks targeting resources such as bandwidth. It is not difficult to launch a DNS amplification attack, because 75% of name servers in the world are open resolvers. Therefore, DNS amplification attacks may be stealthier and more dangerous for DNS servers, owing to the amplification of the attack effect and the difficulty of tracing the attacker. The configuration information has been limited to the Berkeley Internet Name Daemon (BIND9) and Microsoft's DNS Server, which are two widely deployed DNS servers on federal networks.
5.1 Approach 1: Iptables
A conventional host-based firewall using iptables. In practice there may be thousands of nodes.
Billions of packets can be directed at the victim, taking up all available bandwidth or causing DoS. The following shell script has been developed to stop DoS attacks. It drops packets from an offending IP range once that range exceeds 30 requests per second; let's say for our purposes the range is 220.127.116.11/24.

#!/bin/bash
# Inbound DNS queries from the offending range: accept up to 30/sec, drop the rest.
# Note: "-m limit" keeps one token bucket per rule, not one per source address.
/sbin/iptables -I INPUT 1 -p udp --dport 53 -m limit --limit 30/sec -s 18.104.22.168/24 -j ACCEPT
/sbin/iptables -I INPUT 2 -p udp --dport 53 -s 22.214.171.124/24 -j DROP
# Outbound DNS queries towards the range: same 30/sec limit.
/sbin/iptables -I OUTPUT 1 -p udp --dport 53 -m limit --limit 30/sec -d 126.96.36.199/24 -j ACCEPT
/sbin/iptables -I OUTPUT 2 -p udp --dport 53 -d 188.8.131.52/24 -j DROP
# Forwarded DNS queries from and to the range (when this host routes for others).
/sbin/iptables -I FORWARD 1 -p udp --dport 53 -m limit --limit 30/sec -s 184.108.40.206/24 -j ACCEPT
/sbin/iptables -I FORWARD 2 -p udp --dport 53 -s 220.127.116.11/24 -j DROP
/sbin/iptables -I FORWARD 1 -p udp --dport 53 -m limit --limit 30/sec -d 18.104.22.168/24 -j ACCEPT
/sbin/iptables -I FORWARD 2 -p udp --dport 53 -d 22.214.171.124/24 -j DROP
5.2 Approach 2: Disabling Recursion on Authoritative