Slide 1
Stopping amplified DNS DDoS attacks through query rate sharing between DNS resolvers
Jun Ho Huh
Research Scientist, Cybersecurity Lab
Saurabh Verma, Ali Hamieh, Jun Ho Huh, Siva Raj Rajagopalan, Maciej Korczynski, Nina Fefferman.

Slide 2
Motivation
money talks!

Slide 3
It's becoming very serious!
(disrupting the internet)

Slide 4
What's the problem?
Amplified DNS DDoS (ADD) attack
Amplified using DNS resolvers (could be an open DNS resolver, open DNS proxies, authoritative DNS servers, or unknown)
Figure (attack chain): attacker with a 1 Mbps connection -> 10 compromised trigger machines with 1 Gbps each (1 Gbps connection x10) -> amplifiers with an amplification factor of 50x -> 500 Gbps hits the target machine from the amplifiers.

Slide 5
Let's see the existing solutions first...

Slide 6
Things to realize (design goals)...

Slide 7
Key Idea 1
What's the one thing we need in order to detect ADD attacks at the source (the DNS resolver) with high confidence?
Answer: the accumulated DNS query rate hitting the target server from all resolvers!

Slide 8
Key Idea 2
How do we get the accumulated DNS query rate before the target goes down?
Answer: share the DNS query rates for the target among the resolvers involved in the attack.

Slide 9
Quick look at existing protocols for aggregate computation
Gossip protocols: Push-Pull sum protocol, A1/A2 (Mehyar et al.). They converge to the true aggregate value in O( ) messages in O( ) rounds.
The problem is that most of them require weakly synchronous communication, and "N" should be known in advance, which is not possible in our case.
Nevertheless, these existing protocols support the theoretical motivation for our approach.

Slide 10
We present to you DRS-ADAM

Slide 11
DRS-ADAM Architecture
Figure (architecture): each DNS Resolver contains a LAD and a "Process information" component, keeps a known-list and an unknown-list of other resolvers, and validates responses; resolver messages are exchanged between the DNS Resolvers, and DNS responses flow from the resolvers to the Victim Host.

Slide 12
Iterative Query Rate Sharing Algorithm

Slide 13
Complexity
LAD: O(N) w.r.t. each resolver.
The overall complexity of our algorithm is O( ). It is possible to reduce it to O(N), but we would have to sacrifice robustness.
LAD performs the threat assessment.
LAD threat bandwidth = accumulated DNS query rate × amplification factor × average query size. This is self-sufficient to detect attacks.
To save computation, we avoid creating machine learning models here.

Slide 14
Prototype Implementation
DRS-ADAM Packet Structure (byte offsets 0 1 2 3 per row):
Type | Reserved [0] | Length
Target IP
Query Rate (IEEE 754 single/binary32 float)
Resolver 1 IP
...
Resolver N IP
Figure (prototype components): the Target Host runs a Target Agent; each DNS Resolver runs a Resolver Agent, a Resolver Detector and a LAD. Messages shown: "Query rate, DNS IP" (resolver to target agent) and "DNS IP, threshold" (target agent to resolvers).

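An encoder and decoder for the packet layout above, added here as an example; it is not the DRS-ADAM prototype code. The slide gives the field order and the binary32 query rate but not the byte order, the meaning of Length, or the Type values, so network byte order, a Length that counts the whole packet in bytes, and the type code 1 are assumptions of this example. The decoder checks the Length and Reserved fields against the received buffer before trusting any field, which is what a resolver agent needs so that a truncated or over-long message from a peer cannot be read past its end or accepted as a half-delivered rate update.

```python
# Added example, not the DRS-ADAM prototype code: encoder/decoder for the packet
# layout on the "Prototype Implementation" slide. Byte order, Length semantics and
# the type code are assumptions; the slide does not define them.
import socket
import struct

HEADER_FMT = "!BBH4sf"                    # Type, Reserved, Length, Target IP, Query Rate
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
MSG_TYPE_QUERY_RATE = 1                   # assumed type code for a resolver message


def pack_message(msg_type: int, target_ip: str, query_rate: float, resolver_ips: list) -> bytes:
    """Encode one message; Length = header plus 4 bytes per resolver IP (assumed)."""
    body = b"".join(socket.inet_aton(ip) for ip in resolver_ips)
    length = HEADER_LEN + len(body)
    if length > 0xFFFF:
        raise ValueError("too many resolver IPs for a 16-bit Length field")
    header = struct.pack(HEADER_FMT, msg_type, 0, length, socket.inet_aton(target_ip), query_rate)
    return header + body


def unpack_message(data: bytes) -> dict:
    """Decode and validate a message. Short, over-long or mis-sized packets, a non-zero
    Reserved byte and a negative or NaN rate are rejected before any field is used."""
    if len(data) < HEADER_LEN:
        raise ValueError("short packet")
    msg_type, reserved, length, target, rate = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if reserved != 0:
        raise ValueError("reserved byte must be 0")
    if length != len(data) or (length - HEADER_LEN) % 4 != 0:
        raise ValueError("Length field disagrees with packet size")
    if rate < 0.0 or rate != rate:            # negative or NaN query rate
        raise ValueError("invalid query rate")
    resolver_ips = [socket.inet_ntoa(data[off:off + 4]) for off in range(HEADER_LEN, length, 4)]
    return {"type": msg_type, "length": length, "target_ip": socket.inet_ntoa(target),
            "query_rate": rate, "resolver_ips": resolver_ips}


def is_well_formed(data: bytes) -> bool:
    """True when unpack_message accepts the buffer, False on any validation failure."""
    try:
        unpack_message(data)
        return True
    except (ValueError, struct.error, OSError):
        return False


if __name__ == "__main__":
    # Constructed sample: two resolvers reporting 1234.5 queries/s toward 203.0.113.10.
    pkt = pack_message(MSG_TYPE_QUERY_RATE, "203.0.113.10", 1234.5,
                       ["198.51.100.1", "198.51.100.2"])
    print(pkt.hex())
    print(unpack_message(pkt))
    print("truncated accepted?", is_well_formed(pkt[:-1]))
```

The query rate is carried as binary32, so values that are not exactly representable (most non-dyadic rates) come back rounded; for a threshold comparison in the LAD that loss is harmless, but it is the reason the test below uses 1234.5, which survives the round trip exactly.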
Slide 15
Experiment and Results
Emulated Topology

Slide 16
HPA Graph (It's scalable!)

Slide 17
Mitigation Time

Slide 18
DRS-ADAM vs. BIND RRL

Slide 19
System Workload

Slide 20
Partial Deployment of DRS-ADAM

Slide 21
Discussion and Conclusion