What is a DNS amplification attack?
• An attack using DNS queries with a forged source address
– Fills the victim's bandwidth
– Similar to 'smurf attacks'
• The attack has two components:
– IP spoofing
– DNS amp
IP spoofing + DNS amp
• IP spoofing
– DNS queries with a forged source IP address
– Used so that the reflected packets are sent to the victim
• DNS amp
– UDP (easy to abuse)
– Large amplification factor, =~ 60
– Spread across many resolvers (DNS caches)
Reflection
[Figure: the sender emits an IP-spoofed packet (src: victim, dst: reflector) to the reflector; the reflector's reply packet (src: reflector, dst: victim) goes to the victim.]
Amplification
[Figure: one packet from the sender elicits 1. multiple replies.]
DNS amplification
[Figure: the sender asks "ANY? xxx.example.com"; the DNS server answers with a large "xxx.example.com IN TXT ..." record.]
DNS amplification attack
[Figure: the attacker sends IP-spoofed DNS queries to many DNS servers; their DNS replies converge on the victim.]
Relationships among the parties in a DNS attack
[Figure: attacker, Command&Control, botnet, stub-resolvers, full-resolvers, root-servers, tld-servers, example-servers, victim; the bots send IP-spoofed DNS queries.]
view of bot #1
[Figure: bot #1 → Internet → DNS servers]
DNS queries
size: =~60bytes
src IP: victim (IP spoofed) dst IP: various (DNS amp) protocol: udp
src port: various dst port: 53
QR: standard query QNAME: (specific one)
• Overload
• Congestion
view of bot #2
• a bot behind a NAT box
[Figure: bot #2 → NAT router → Internet]
DNS query – before NAT: src IP: victim (IP spoofed) dst IP: various (DNS amp)
DNS query – after NAT: src IP: NAT Router dst IP: various (DNS amp)
DNS reply: src IP: various (DNS amp) dst IP: NAT Router
• NAT table overflow
• Generation of ICMP unreachable messages
view of stub-resolver
[Figure: victim / bot#2 (NAT) → stub-resolver → full-resolvers → Internet]
DNS queries: size: =~60bytes src IP: victim, bot#2 (NAT) dst IP: stub-resolver QNAME: (specific one)
DNS replies: size: =~4000bytes (IP fragmented) src IP: stub-resolver dst IP: victim, bot#2 (NAT) QNAME: (specific one)
• Overload
• Congestion
• The stub-resolver has a cache, so it answers from cache
view of full-resolver
[Figure: full-resolver with root-servers, tld-servers, example-servers, victim, bot#2 (NAT), stub-resolvers, Internet]
DNS queries: size: =~60bytes src IP: victim, bot#2, stub-resolver dst IP: full-resolver QNAME: (specific one)
DNS replies: size: ~4000bytes (IP fragmented) src IP: full-resolver dst IP: victim, bot#2 (NAT), stub-resolver QNAME: (specific one)
• Overload
• Congestion
• If the RR's TTL is short, queries are also sent to the authoritative (content) servers
view of victim
[Figure: attacker, DNS servers, Internet → victim]
DNS replies: size: =~4000bytes (IP fragmented) src IP: full-resolvers, stub-resolvers dst IP: victim
• Congestion
Countermeasures
[Figure: IP-spoofed DNS queries → resolvers → DNS replies → victim]
Discard IP-spoofed packets
= Source Address Validation
Discard recursive queries from outside
= Disable Open Recursive DNS
• There are many 'open relay' resolvers
– ISP DNS servers
– DNS servers of individual organizations
Source Address Validation
• BCP38/RFC2827
– "All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses..."
The case of IIJ/AS2497
• IIJ has introduced "Source Address Validation" on all of its connectivity services
– http://www.iij.ad.jp/pressrelease/2006/0308.html
• At IIJ, we use uRPF and ACLs to implement Source Address Validation.
IIJ's basic policy
[Figure: IIJ/AS2497 and its neighbors: peer ISPs, upstream ISPs, ISP customers, multihomed static customers, single-homed static customers]
Cisco uRPF configuration
interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx
uRPF strict mode
interface GigabitEthernet0/0
 ip verify unicast source reachable-via any
! reachable-via any = uRPF loose mode (the source only needs some route in the FIB)
Juniper uRPF configuration
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
            }
        }
    }
}
uRPF strict mode
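As an added example (not from the slides or from IIJ), a small Python model of the check behind the two Cisco commands above: strict mode (reachable-via rx) requires that the best route to the packet's source address point back out the interface the packet arrived on, while loose mode (reachable-via any) only requires that some non-null route exist. The FIB, interface names, prefixes and packets below are constructed for illustration.

```python
import ipaddress

# Constructed FIB for this example: prefix -> egress interface (None = null route).
# Interface names follow the Cisco example above; addresses are documentation ranges.
FIB = {
    "192.0.2.0/24": "GigabitEthernet0/0",     # single-homed static customer
    "198.51.100.0/24": "GigabitEthernet0/1",  # multihomed customer, best path via Gi0/1
    "203.0.113.0/24": "GigabitEthernet0/2",   # the victim's prefix, reached via upstream
    "10.0.0.0/8": None,                       # bogon, null-routed
}

def lookup(src_ip):
    """Longest-prefix match of a source address against the FIB.
    Returns (network, egress_interface) or None when no route exists."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in FIB.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_check(src_ip, ingress_iface, mode="strict"):
    """True if the packet passes uRPF, False if it would be dropped.
    strict: 'ip verify unicast source reachable-via rx'
    loose:  'ip verify unicast source reachable-via any'"""
    route = lookup(src_ip)
    if route is None or route[1] is None:
        return False                   # no route or null route: dropped in both modes
    if mode == "loose":
        return True                    # any usable route is enough
    return route[1] == ingress_iface   # strict: route must point back out the ingress interface

# Constructed packets: (description, source IP, ingress interface)
PACKETS = [
    ("legit query from single-homed customer", "192.0.2.7", "GigabitEthernet0/0"),
    ("bot on that customer spoofing the victim", "203.0.113.10", "GigabitEthernet0/0"),
    ("multihomed customer arriving on its second link", "198.51.100.5", "GigabitEthernet0/3"),
    ("packet with a bogon source", "10.1.2.3", "GigabitEthernet0/0"),
]

if __name__ == "__main__":
    for desc, src, iface in PACKETS:
        verdict = {m: ("pass" if urpf_check(src, iface, m) else "drop") for m in ("strict", "loose")}
        print(f"{desc:48s} src={src:13s} strict={verdict['strict']:4s} loose={verdict['loose']}")
```

The output shows the trade-off: strict mode drops the spoofed query from the customer port but also drops the multihomed customer's asymmetric traffic, while loose mode keeps that traffic but lets a spoofed source through as long as it is routable.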