Drilling Down Into DNS DDoS

Harness Your Internet Activity

Transcript of Drilling Down Into DNS DDoS

Drilling Down into DDoS

APRICOT 2015

Fukuoka, Japan

Bruce Van Nice

• 2 Terabytes of data analyzed per day

– Anonymized from ISPs worldwide

– Estimate about 3% of ISP DNS resolver traffic

• Team of data scientists

• Algorithms searching for:

– DDoS

– Bots

– Malware

– Machine generated traffic

– Etc

Nominum Research

• DNS-based DDoS attacks increasing

– DNS Amplification

– Random subdomain attacks – focus of this presentation

• Attack vectors

– Open home gateways

– NEW - Bot malware

• Stress on DNS worldwide

Introduction

DNS Queries – One Day’s Data 02/09/15

DNS Queries:

– "Good" Queries: 88%

– Malicious Queries: 12%

Malicious Queries:

– Random Subdomain: 80%

– Amplification: 15%

– Bot Command & Control: 5%

Random Subdomain Attack Trends

2014 Data

Random Subdomain Attacks

Example query (random label followed by the target name):

wxctkzubkb..liebiao.800fy.com

• Queries with random subdomains - answer NXD

• Lots of work for resolvers - recursion

• Lots of work for authoritative servers - large spikes

More examples:

nbpdestuvjklz.pay.shop6996.com.

1lHecqrP.xboot.net.

hxdfmo.iyisa.com.

a6ca.cubecraft.net.

Different Kinds of “Random”

Different Random Label Patterns = Different Attacks

Alexa 1000 Names                 Rank

baidu.com.                       5
blog.sina.com.cn.                13
xlscq.blog.163.com.              56
amazon.co.uk.                    65
www.bet365.com.                  265
www.lady8844.com.                389
d3n9cbih5qfgv5.cloudfront.net.   458
www.appledaily.com.tw.           565
asus.com.                        702

Popular Names are Attacked

Attacks on popular names must be handled carefully: Fine Grained Policy, Whitelists

About 9% of names attacked are popular

Attack on asus.com (computers and phones)

– 190 legitimate subdomains

Attack on mineplex.com (Minecraft gaming site)

– 78 legitimate subdomains

~2% of queries are to legitimate subdomains

Need to Protect Good Traffic to Popular Domains

Attacks Using Open DNS Proxies

[Diagram: Compromised hosting on the Internet sends (1) queries with randomized subdomains through an Open DNS Proxy (Home Gateway) to the ISP Resolver; the resolver sends (2) recursive queries to the Authoritative Server for the Target Web Site and gets back (3) NXD responses.]

Open Resolvers in Asia Pacific

[Chart: Open Resolvers (millions) in Asia Pacific, Open Resolver Project data, Feb 13 2014 to Jan 28 2015, with actual values and trend line.]

Open Resolvers Are Declining

Attacks Using Bots

[Diagram: Bot infected devices inside the ISP send (1) queries with randomized subdomains to the ISP Resolver; the resolver sends (2) recursive queries over the Internet to the Authoritative Server for the Target Web Site and gets back (3) NXD responses.]

1. Bots scan networks for home gateways or other vulnerable devices

2. Attempt to log in with default passwords

3. Load malware on gateway

4. Malware sends huge volumes of specially crafted DNS queries

What’s Happening?

Other vectors are possible:

– Bots with loaders

– Rompager

Bots are Everywhere! 02/09/15

Threat Type    Query Count

Spybot           1,679,616
Vobfus             925,323
Nitol              883,376
Gamarue            878,672
VBInject           864,944
Spambot            613,449
Ramnit             418,984
Bladabindi          90,486
Palevo              60,324
Sdbot               59,314
Dorkbot             52,935
Morto               35,912
Sality              35,711
Virut               32,027
SMSsend             16,000
Jeefo               14,645
Gbot                11,853
GameOver             9,407
Phorpiex             5,875
Buzus                5,123

Bots that can install additional software on a compromised host

“Things” Generate Intense Attack Traffic

[Chart: Query Counts from Attacking IPs (millions), one hour's data from an APAC provider network; x-axis: IPs involved in attack, 1 to 206.]

200 IPs sourced ~83M queries

15 IPs sourced ~61M queries

1 IP sourced ~9M queries

2 Days Attack Data

[Chart: Number of IPs used in attack per hour (0 to 300), Nov 16 19:00 to Nov 18 8:00.]

Example Attack Data

[Chart: Attack Queries as a Percentage of Total Traffic (0% to 80%), Nov 16 19:00 to Nov 18 8:00.]

70% of queries from attack

Why These Attacks Hurt

[Diagram: Attacker, Home Gateway, Border, Resolver, Authority. Bad Case: the attacker sends a UDP query for Ivatsnkb.web.pay1.cn from a spoofed IP; the home gateway proxies the query and translates the IP; the resolver recurses; NXD comes back at every hop. Worse Case: the authority applies Response Rate Limiting and truncates, so the resolver retries over TCP before the NXD comes back.]

Response Rate Limiting can Aggravate

[Diagram: Attacker, Home Gateway, Border, Resolver, Authority. Randomized queries from a spoofed IP; the home gateway proxies the query and translates the IP; the resolver recurses; the authority applies Response Rate Limiting and truncates; the resolver retries over TCP.]

– Authority fails

– High traffic with TCP overhead

– Resolver doesn't get responses, tries new Authorities, cascading failures

– Resolver stress, TCP overhead

• Every RSD (random subdomain) query requires recursion

• "Normal" incoming queries are 80% cached

• Equivalent load is: 1/(1 - 0.8) = 5

• For 8,000 QPS of attack traffic the equivalent load is: 8,000 x 5 = 40,000 QPS

Some Simple Math

Very rough estimate of additional workload

• Attacks on popular domains complicate filtering

• Home Gateways mask spoofed source IP

• Bots operate wholly within provider networks

– Filtering DNS at borders won't work

• Observed tendency for cascading failures

• RRL by authorities increases work for resolvers & authorities

– This seems to have gone away for now

Attacks Cause Many Problems

• Block bad traffic at ingress to resolvers

– Minimize work

– Eliminate stress on entire DNS hierarchy

• Near-real time block lists and fine grained policy

– Protect good traffic - whitelist legitimate labels for "core" domains
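The ingress filter just described, combined with the whitelisting of legitimate labels for popular domains (asus.com, mineplex.com) discussed earlier in the deck, as an added Python example that is not Nominum's or the presenter's code. The per-client, per-zone label budget, the whitelist contents and the sample traffic are all constructed for illustration.

```python
# Added example, not Nominum's code: RSD ingress filter; all inputs are constructed.
from collections import defaultdict

# Constructed whitelist of legitimate labels for popular "core" domains named in the talk.
CORE_WHITELIST = {
    "asus.com": {"www", "rog", "support", "account"},
    "mineplex.com": {"www", "forums", "shop"},
}
# Constructed per-zone budget of distinct non-whitelisted labels per client.
RSD_THRESHOLD = 5

def split_qname(qname):
    """'wxctkzubkb.liebiao.800fy.com.' -> ('wxctkzubkb', '800fy.com')."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])

class RsdIngressFilter:
    def __init__(self, threshold=RSD_THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(set)  # (client_ip, zone) -> distinct labels

    def decide(self, client_ip, qname):
        """Return 'pass' or 'drop' for one query."""
        label, zone = split_qname(qname)
        # Known-good labels of core domains always pass (fine-grained policy), so
        # legitimate users behind an abused home gateway keep working.
        if label in CORE_WHITELIST.get(zone, ()):
            return "pass"
        labels = self.seen[(client_ip, zone)]
        labels.add(label)
        # Each unknown label forces a recursion ending in NXDOMAIN; past budget, drop.
        return "drop" if len(labels) > self.threshold else "pass"

def filter_queries(queries):
    """Run the filter over (client_ip, qname) pairs and return verdict counts."""
    flt, counts = RsdIngressFilter(), {"pass": 0, "drop": 0}
    for client_ip, qname in queries:
        counts[flt.decide(client_ip, qname)] += 1
    return counts

# Constructed traffic: gateway 203.0.113.7 floods two zones with random labels
# while a user behind it resolves real ASUS names; 198.51.100.2 is a normal client.
SAMPLE_QUERIES = (
    [("203.0.113.7", f"{lab}.liebiao.800fy.com.") for lab in
     ("wxctkzubkb", "qpzmvlrtx", "hgfdsaqwe", "zxcvbnmlk", "poiuytrew", "mnbvcxzas", "lkjhgfdsa")]
    + [("203.0.113.7", f"{lab}.asus.com.") for lab in
       ("kd8fj2lq", "x9v2mzpw", "rt4kq7nb", "pl0wz3hv", "gh5nm8cx", "bq7tr2yz")]
    + [("203.0.113.7", "rog.asus.com."), ("203.0.113.7", "support.asus.com."),
       ("198.51.100.2", "www.mineplex.com."), ("198.51.100.2", "forums.mineplex.com.")]
)
```

filter_queries(SAMPLE_QUERIES) returns {'pass': 14, 'drop': 3}: the first five unknown labels per zone consume the budget and pass, the rest are dropped, and both whitelisted ASUS names pass even though the same gateway is flooding asus.com.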

Solution

• New generation of DNS Based DDoS

• Open Home Gateways remain a problem

• Malware based exploits create broad exposure

• Filter DNS traffic at ingress to resolvers

– Protect good queries – fine grained filters

– Drop bad queries – protect resolvers, authorities and targets

Summary