open resolvers and the threat of reflection attacks
play

Open Resolvers and the Threat of Reflection Attacks John Kristoff - PowerPoint PPT Presentation

Nov 19, 2022 •359 likes •626 views

Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26 A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and

  1. Open Resolvers and the Threat of Reflection Attacks John Kristoff jtk@depaul.edu DPU CTI Networks Seminar jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 1 / 26

  2. A Review of the DNS Lookup Process jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 2 / 26

  3. What Does Verisign Like About This Picture? jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 3 / 26

  4. Resource Record (RR) format 1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | / / / NAME / | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | TYPE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | CLASS | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | TTL | | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | RDLENGTH | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--| / RDATA / / / +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 4 / 26

  5. DNS Message Format +---------------------+ | Header | +---------------------+ | Question | the question for the name server +---------------------+ | Answer | RRs answering the question +---------------------+ | Authority | RRs pointing toward an authority +---------------------+ | Additional | RRs holding additional information +---------------------+ jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 5 / 26

  6. DNS Message Header Format 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD|RA| Z | RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 6 / 26

  7. Open Resolver • A DNS server that provides an answer or referral for anyone • Full open recursive name servers can be particularly problematic • It can be difficult to limit open recursion in practice • There are lots of open resolvers jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 7 / 26

  8. Amplification and Reflection Attacks Using Open Resolvers • Imagine... lots of bots • Imagine... lots of open recursive name servers • Imagine... a 4 KB TXT resource record • Imagine... source address spoofing • Imagine... queries that are less than 100 bytes • Imagine... jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 8 / 26

  9. Resolver probing, not scanning We could just send properly formatted DNS queries to TCP/UDP port 53 if all we cared about was finding name servers. However, we want to try to precisely identify resolver behavior, configuration and implementation. jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 9 / 26

  10. Some Remote Open Resolver Probing Questions • How do you really know if the server is recursing for you? • Are there questions a server answers for in unexpected ways? • Is the server you’re asking the only server at that address? • Are you getting a cached answer? • Are wildcards being used? jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 10 / 26

  11. Some Multifaceted Probing Techniques • Query for whoareyou.ultradns.net • Query for whoami.ultradns.net • Query for unique, but bogus top-level domain (TLD) • Fingerprint with fpdns • Query for unique name in a zone we control • Distribute query sources • Disable recursion desired (rd) bit • Query for popular names and NS RRsets • Query for unique, but bogus name in popular zones and TLDs jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 11 / 26

  12. Challenges to Remote Probing • Recursion available (ra) is an unreliable indicator • Non-exist name/TLD query doesn’t always result in NXDOMAIN • Adherence to TTL is inconsistent • High-speed querying difficultly and timeout handling • Various other unexpected answers due to config or implementation jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 12 / 26

  13. Caching Weirdness $ dig @61.46.219.237 whoareyou.ultradns.net +noall +answer ; <<>> DiG 9.2.2 <<>> @61.46.219.237 whoareyou.ultradns.net +noall +answer ;; global options: printcmd whoareyou.ultradns.net. 0 IN A 204.74.96.5 $ dig @61.46.219.237 whoareyou.ultradns.net +noall +answer ; <<>> DiG 9.2.2 <<>> @61.46.219.237 whoareyou.ultradns.net +noall +answer ;; global options: printcmd whoareyou.ultradns.net. 4294967292 IN A 204.74.96.5 jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 13 / 26

  14. Alternate Root $ dig @211.220.209.3 bogus-tld +noall +answer +authority ; <<>> DiG 9.2.2 <<>> @211.220.209.3 bogus-tld +noall +answer +authority ;; global options: printcmd realname. 86400 IN A 211.106.67.200 realname. 86400 IN NS update-psi.netpia.com. jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 14 / 26

  15. Wildcard $ dig @213.30.189.132 nanug.org +noall +answer ; <<>> DiG 9.2.2 <<>> @213.30.189.132 nanug.org +noall +answer ;; global options: printcmd nanug.org. 10000 IN A 62.210.183.75 nanug.org. 10000 IN TXT "toto" jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 15 / 26

  16. Flags and Inconsistency $ dig @213.215.76.84 +noall +comments +answer www.nanog.org ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52909 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 $ dig @213.215.76.84 +noall +comments +answer www.nanog.org ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43523 ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; ANSWER SECTION: www.nanog.org. 86392 IN A 198.108.1.5 jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 16 / 26

  17. Query Amplification and Aggression? Auth Server #1 client 209.63.146.65#37695: query: researchprobe-3632192887.example.org IN A -E client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - Auth Server #2 client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A -E client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - client 208.187.120.2#4444: query: researchprobe-3632192887.example.org IN A - jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 17 / 26

  18. Bad Defaults $ dig @202.146.225.194 bogus-tld +noall +comments +answer ; <<>> DiG 9.2.2 <<>> @202.146.225.194 bogus-tld +noall +comments +answer ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30140 ;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; ANSWER SECTION: bogus-tld. 3600 IN A 10.61.32.1 jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 18 / 26

  19. ORNS Candidate Data Sets • 51,196 reflector attack, Feb. 2006 • 191,966 ORNS from Duane Wessels, March 2006 • 2,660,229 somethings querying us, March 2006 jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 19 / 26

  20. Netblocks - Attack Set jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 20 / 26

  21. Netblocks - Duane’s Set jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 21 / 26

  22. Netblocks - Our Flows jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 22 / 26

  23. ORNS Netblocks - Our Flows (˜14%) jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 23 / 26

  24. Referrer Netblocks - Our flows (˜2%) jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 24 / 26

  25. Building and Maintaining A Resolver Probing System • Where do you get candidate probing addresses from? • Where do you probe from? How fast? Will you get filtered? • What queries do you send? • Logs, packet captures or responses. What do you do with them? • How do you re-test and maintain accuracy? • How do you share the data and/or alert administrators? • What else can you do with this data? jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 25 / 26

  26. End - Work in Progress • [dns-research01 | dns-research02].cti.depaul.edu • DNS prototype probing systems with web interface • TLD zone monitoring and analysis jtk (jtk@depaul.edu) ORs and Attacks September 21, 2006 26 / 26

Recommend

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk

Probing for Open DNS Resolvers John Kristoff jtk@depaul.edu Midwest Security Workshop jtk (jtk@depaul.edu) DNS Probing September 30, 2006 1 / 9 Open Resolvers Recursive - open access to a full resolver Forwarder - proxy access to a

371 views • 9 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro

Looking at DNS traces: What do we know about resolvers? lafur Gu mundsson Shinkuro Ogud@shinkuro.com Motivation: Open Questions What is the market share for resolver X What can we deduct from traces to a subset of authorative

623 views • 19 slides
DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS

DNS Resolvers Considered Harmful Kyle Schomp, Mark Allman, and Michael Rabinovich 2 DNS resolvers abstract complexity and offer the possibility of improved performance and better scalability . Why are they harmful? 3 Resolvers Are Vulnerable

618 views • 34 slides
Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017 www.lookingglasscyber.com PRESENTER: Allan Thomson, CTO Dr Jamison Day, Principal Data Scientist 2017 LookingGlass Cyber Solutions Inc. 1 What threats are

344 views • 21 slides
Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M.

Mining Threat-intelligence from Billion- scale SSH Brute-Force Attacks Yuming Wu 1 , Phuong M. Cao 1 , Alexander Withers 2 , Zbigniew T. Kalbarczyk 1 , Ravishankar K. Iyer 1 1 University of Illinois at Urbana-Champaign (UIUC) 2 National

421 views • 14 slides
OSD Funded and Developed Open Air IRCM Threat Simulators and Methodology UNCLASSIFIED 1

OSD Funded and Developed Open Air IRCM Threat Simulators and Methodology UNCLASSIFIED 1

UNCLASSIFIED OSD Funded and Developed Open Air IRCM Threat Simulators and Methodology UNCLASSIFIED 1 UNCLASSIFIED Legacy Threat Stimulators Legacy Missile Warning Sensors (MWS) typically required only stimulation, not simulation

700 views • 32 slides
UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec

UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec

UPnP: Unlimited Proxies and Pwnage Waylon Grange Sr. Threat Researcher, Symantec @professor__plum Exploits long forgotten UPnP (SSDP) DDoS P n P U Most people think of DDoS attacks when asked about UPnP abuse These attacks are

489 views • 32 slides
CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of

CS371m - Mobile Computing Content Providers And Content Resolvers Content Providers One of the four primary application components: activities content providers / content resolvers services broadcast receivers 2 Android

728 views • 50 slides
Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering

Hoda Rohani Anastasios Poulidis Supervisor: Jeroen Scheerder System and Network Engineering July 2014 DNS Main Components Server Side: Authoritative Servers Resolvers (Recursive Resolvers, cache) Client Side: Stub resolvers

429 views • 30 slides
Assessment What is Threat Assessment Threat assessment is the process of gathering

Assessment What is Threat Assessment Threat assessment is the process of gathering

Threat Assessment What is Threat Assessment Threat assessment is the process of gathering information to understand the threat of violence posed by a person. Threat management is the process of developing and executing plans to mitigate

332 views • 15 slides
Panel discussion: Open reflection - on TSO/DSO interactions ENTSO-G/ACER Balancing Workshop 12.

Panel discussion: Open reflection - on TSO/DSO interactions ENTSO-G/ACER Balancing Workshop 12.

Panel discussion: Open reflection - on TSO/DSO interactions ENTSO-G/ACER Balancing Workshop 12. Juni 2018 Eva Hennig, Thga AG Munich, Chair of Eurogas Distribution Committee The operation of the grids will change with a wider variety of gases

431 views • 7 slides
Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process

Hardware Enclave Attacks CS261 Threat Model of Hardware Enclaves Intel Attestation Process Service Untrusted (IAS) Enclave Enclave Code Trusted Process Process Enclave Other Data Enclave OS and/or Hypervisor Off-chip devices 2

531 views • 24 slides
Topic 9: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

Topic 9: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

9/10/2016 Topic 9: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection model diffuse component ambient component specular component Spot the differences Terminology Illumination The transport

339 views • 5 slides
Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT Advise Assure 2 Agenda/topics covered Threat overview Advanced User Enumeration and DDoS Trading Turret and Timing Attacks Internal and External User

365 views • 35 slides
Cybersecurity in 2020 A Reflection on the Previous Decade &amp; How to Prepare for the Next Tech

Cybersecurity in 2020 A Reflection on the Previous Decade &amp; How to Prepare for the Next Tech

Cybersecurity in 2020 A Reflection on the Previous Decade &amp; How to Prepare for the Next Tech Terms Vulnerability Payload Exploit Advanced Persistent Threat Zero Day Exploit Dark Web Malware 5G Technology

500 views • 17 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Topic 10: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

Topic 10: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

Topic 10: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection model diffuse component ambient component specular component Spot the differences Terminology Illumination The transport of

1.08k views • 30 slides
Topic 8: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

Topic 8: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection

Topic 8: Lighting &amp; Reflection models Lighting &amp; reflection The Phong reflection model diffuse component ambient component specular component Showtime Logistics Welcome back Professor Singh is away for the

1.24k views • 87 slides
Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to

Honeymoon Threat Restoration Rescue Phases of Disaster Despair Threat Threat Phase: Small events serve as a warning or threat to normal living. A disaster has not yet oc- curred, but there is a sense of impending doom. Individual

604 views • 6 slides
BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John

BIOS and Secure Boot Attacks Uncovered Ruxcon 2014 Advanced Threat Research, Intel Security John Loucaides (presenting) In n The he Be Begi ginnin nning Was as The he Leg egacy acy BI BIOS.. S.. Leg egacy acy BI BIOS 1. CPU

1.36k views • 101 slides
Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on

Protecting Free and Open Communications on the Internet Against Man-in-the-Middle Attacks on Third-Party Software Jeffrey Knockel, Jedidiah Crandall Computer Science Department University of New Mexico Recent News Iran: forged SSL

569 views • 27 slides
CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan

CSE 127: Introduction to Security Lecture 11: Network Attacks Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Stefan Savage, David Wagner, and Nick Weaver Threat Modeling for Network Attacks Basic security goals:

804 views • 31 slides
What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape

DDoS &amp; Modern Threat Motives Dan Holden Director, ASERT What Does This Advanced Threat Landscape Look Like? Advanced Threat Landscape Geo-poli:cal More defenses ? App/Content t a

1.13k views • 44 slides

More recommend