
Ensure DNS Resilience From Multi-vector DDoS Attacks

YOUR SECURE APPLICATION SERVICES COMPANY
DNS Infrastructure is a Primary Target

[Diagram: resolving www.google.com. The client asks the ISP DNS server (ISP.net, recursive name server with cache): "Not in my cache, I will go find it." The resolver queries the root server (".", authoritative), which answers "Here is where you should look" and points to the TLD server (.com, .edu, .net…, authoritative); the TLD server in turn points to the enterprise name server ns.google.com (authoritative), which answers "Here it is, 74.125.224.72". The enterprise zone page.corp.com sits at the same authoritative tier. All of these lookups pass through the DNS resolver.]

• DNS servers are critical infrastructure
• Frequently targeted to stop access to other dependent services
DNS Attacks Have Evolved

"The successful DDoS attack on DYN is merely a new twist on age-old warfare. ... Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let's… realize and plan for more of these sorts of attacks."
Paul Mockapetris, creator of the Domain Name System (DNS)
• IoT-based toolkit used in DYN attack
• Multi-vector attack
• 9+ vectors, 300,000 to 500,000+ devices

Attack vector: description
UDP Random Flood: Floods random victim domain endpoints with spoofed UDP packets.
UDP Data Flood: Selects random victim domain endpoints and floods them with UDP packets and IP fragments.
TCP SYN Flood: Floods random victim domain endpoints with spoofed TCP SYN packets.
TCP ACK Flood: Floods random victim domain endpoints with spoofed TCP ACK packets.
TCP STOMP (Data) Flood: Intended to overcome DDoS mitigations; connects to random victim domain endpoints and floods them with TCP data.
HTTP Request Flood: Intended to overcome DDoS mitigations; connects to random HTTP endpoints in the victim's domain and floods them with HTTP requests.
DNS Water Torture Attack: Floods ISP recursive DNS servers with randomized queries to a victim base domain name, causing the ISP DNS servers to perform the attack on the victim's authoritative DNS servers. As victim DNS servers become overloaded, the ISP DNS servers retransmit attack queries to other authoritative DNS servers in the victim's enterprise.
Valve Gaming Server Attack: Floods random Valve streaming engine endpoints in the victim's domain with spoofed source-engine query packets.
GRE IP/Ethernet Floods: Floods random victim domain endpoints with spoofed GRE IP or IP-over-Ethernet-tunneled UDP packets.
How DNS is Vulnerable to DDoS

Common attacks
• Network & resource-exhaustion attacks
• Exploitation of DNS-specific functionality and vulnerabilities

Common techniques
• Accessible and easy to use toolkits and apps
• Amplification attacks leveraging query-to-response sizes
• Reflection attacks using millions of unsecured open DNS resolvers
• And more…
DNS DDoS Attack Strategies

• TCP/UDP/ICMP floods
• L3/L4 packet anomaly
• Spoofed source IP
• DNS reflection/amplification
• DNS protocol anomaly
• Repetitive ANY queries
• Random query names
• The DDoS of Things

Attack chain
ATTACKER: Cyber Criminal, Hacker, Prankster, Hacktivists, Competitor
WEAPON: IoT Botnet, Open DNS Resolvers, Infected Zombie Botnet
DELIVERY: the flood and anomaly techniques listed above
VICTIM: Enterprise Name Server, ISP Recursive Server, TLD Authoritative Server, Root Authoritative Server
Key Principles of Effective DDoS Protection

PRECISION: Avoid costly detection and mitigation mistakes
SCALABILITY: Optimize short term and protect long-term investments
WARTIME WORKFLOW EFFICIENCY: More effective use of limited personnel resources (automation)
COST EFFECTIVE: Performance by design to offer solutions that make economic sense
DNS Protection: Thunder TPS (Threat Protection System)

SURGICAL
• Highest precision by tracking 27+ behavioral indicators

MULTI-VECTOR PROTECTION
• Best protection against multi-vector attacks
• Verisign partnership for hybrid protection

POWERFUL & EFFICIENT
• Mitigate up to 300 Gbps of attack traffic per appliance
• 440M PPS & 128M sessions behavior tracked per appliance
• 60 common attacks mitigated in FTA hardware

WARTIME WORKFLOW EFFECTIVENESS
• 24/7 DSIRT support when under attack
• Automated mitigation escalation & A10 Threat Intelligence
• Full RESTful API coverage for automation
Thunder TPS: DNS Defense at Scale

[Diagram: valid users and an attacker send queries up the DNS hierarchy; a Thunder TPS appliance protects each tier.]

Mitigation capacity by tier and appliance
ROOT: Thunder 14045, 300 Gbps, 400 Mpps
TOP LEVEL DOMAIN (TLD): Thunder 6435, 152 Gbps, 220 Mpps
ISP: Thunder 4435, 38 Gbps, 55 Mpps
ENTERPRISE: Thunder 840, 2 Gbps, 1.5 Mpps
Thunder TPS Multi-vector DNS Defenses

Traffic passes through the stages left to right; each stage removes one class of attack while valid user DNS queries continue through:
Network flood attacks > spoofing attacks > directed flood attacks > DNS reflection/amplification attacks > NXDOMAIN attacks

1. Mitigate general network and protocol attacks (Threat Intelligence Blacklist)
2. Drop malformed DNS query
3. Drop ANY request query
4. Limit excessive queries to fully qualified domain name (FQDN)
5. Drop abusive FQDN length violation
6. Execute DNS request authentication challenge
7. Limit DNS request rate by record type
8. Limit random query name request
9. Limit NXDOMAIN response rates

[Diagram: DDoS queries are dropped along the chain; valid user DNS queries reach the DNS server.]
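The stage list above names the indicators a DNS defense acts on: malformed queries, ANY requests, FQDN label length and count, random query names against a base domain (the water torture pattern from the attack table earlier in the deck), and NXDOMAIN ratios. The following Python is an added example, not A10 code, that computes those indicators from a constructed DNS query log so a defender can see what the random-query-name and ANY-flood patterns look like in data. The log field layout, the thresholds, the `SAMPLE_LOG` lines, and the helper names (`parse_log`, `evaluate`, `suggested_countermeasures`) are all assumptions; the countermeasure names returned at the end are lower-cased from the deck's own stage list and escalation policy table and serve only as labels, not as device configuration syntax.

```python
"""DNS DDoS indicator extraction over a query log (added example, not A10 code)."""
from collections import Counter

# Constructed sample log; fields: seconds src_ip qname qtype rcode.
# Addresses come from documentation ranges (RFC 5737) and example.com is the
# protected zone. Lines 3-6 imitate random query names against the base
# domain, lines 7-8 repeat ANY queries, and line 10 carries an oversized label.
SAMPLE_LOG = """\
0 198.51.100.7 www.example.com A NOERROR
0 198.51.100.8 mail.example.com MX NOERROR
1 203.0.113.5 x7k2q9.example.com A NXDOMAIN
1 203.0.113.6 p3m8v1.example.com A NXDOMAIN
1 203.0.113.5 a9z0b4.example.com A NXDOMAIN
1 203.0.113.7 q2w5e8.example.com A NXDOMAIN
2 203.0.113.5 example.com ANY NOERROR
2 203.0.113.5 example.com ANY NOERROR
2 198.51.100.9 www.example.com AAAA NOERROR
2 203.0.113.9 {}.example.com A NXDOMAIN
""".format("a" * 70)

# Policy values. MAX_LABEL_LEN is the RFC 1035 limit for one label;
# the remaining values are constructed thresholds for this example.
MAX_LABEL_LEN = 63
MAX_LABEL_COUNT = 8
NXDOMAIN_RATIO_LIMIT = 0.5      # share of NXDOMAIN answers in the zone
UNIQUE_NAME_RATIO_LIMIT = 0.6   # share of distinct names among zone queries
ANY_PER_SOURCE_LIMIT = 2        # ANY queries from one source before flagging


def parse_log(text):
    """Turn the whitespace-separated log into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, rcode = line.split()
        records.append({"ts": int(ts), "src": src, "qtype": qtype, "rcode": rcode,
                        "qname": qname.lower().rstrip(".")})
    return records


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def fqdn_violations(qname):
    """Label-length and label-count checks (the FQDN checks in the stage list)."""
    labels = qname.split(".")
    reasons = []
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        reasons.append("label-length")
    if len(labels) > MAX_LABEL_COUNT:
        reasons.append("label-count")
    return reasons


def evaluate(records, zone):
    """Compute the per-zone indicators a defender would rate-limit or drop on."""
    zone_records = [r for r in records if in_zone(r["qname"], zone)]
    total = len(zone_records)
    nxdomain = sum(1 for r in zone_records if r["rcode"] == "NXDOMAIN")
    names = Counter(r["qname"] for r in zone_records)
    any_by_src = Counter(r["src"] for r in zone_records if r["qtype"] == "ANY")
    queries_by_src = Counter(r["src"] for r in zone_records)
    nx_ratio = nxdomain / total if total else 0.0
    unique_ratio = len(names) / total if total else 0.0
    return {
        "queries": total,
        "nxdomain_ratio": round(nx_ratio, 2),
        "unique_name_ratio": round(unique_ratio, 2),
        # Many distinct names that mostly do not exist is the water-torture signature.
        "random_qname_suspected": nx_ratio >= NXDOMAIN_RATIO_LIMIT
        and unique_ratio >= UNIQUE_NAME_RATIO_LIMIT,
        "any_abusers": sorted(s for s, n in any_by_src.items() if n >= ANY_PER_SOURCE_LIMIT),
        "fqdn_violations": {r["qname"]: fqdn_violations(r["qname"])
                            for r in zone_records if fqdn_violations(r["qname"])},
        "top_sources": queries_by_src.most_common(3),
    }


def suggested_countermeasures(findings):
    """Map findings to countermeasure labels taken from the deck (labels only)."""
    actions = []
    if findings["random_qname_suspected"]:
        actions += ["fqdn-rate-limit-domain-name-suffix", "limit-nxdomain-response-rate"]
    if findings["any_abusers"]:
        actions.append("dns-any-check")
    reasons = {reason for rs in findings["fqdn_violations"].values() for reason in rs}
    if "label-length" in reasons:
        actions.append("fqdn-label-length")
    if "label-count" in reasons:
        actions.append("fqdn-label-count")
    return actions


if __name__ == "__main__":
    findings = evaluate(parse_log(SAMPLE_LOG), "example.com")
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("suggested:", suggested_countermeasures(findings))
```

On the sample, half of the zone's answers are NXDOMAIN and eight of ten names are distinct, which together trip the random-query-name indicator; one source sends repeated ANY queries and one query carries a 70-character label. In production the same counters would be kept per time window and per source so that a rate limit by domain suffix or by record type can be applied before a drop.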
DNS Defense Detail

Complete DNS infrastructure protection
• General attacks
• DNS specific attacks
• Increase security efficacy with A10 Threat Intelligence

A10 Threat Intelligence

[Diagram: the Dynamic Threat Intelligence Cloud service collects from Reputation Lists, Malware Lists, Bad Actors, Honeypots, Dshield, Abuse.ch, Shadowserver and more; it detects, correlates and validates the feeds and pushes Dynamic Threat Intelligence Updates to each Thunder TPS.]

• Collective intelligence from millions of devices
• Block threats proactively from known bad actors accessing DNS services
• Block malware's ability to call home, eliminating data destruction or exfiltration
• Included with DSIRT support
• Powered by ThreatSTOP
Built-in Behavioral Learning & Anomaly Detection

Consolidate detection & mitigation in one device for effective in-line protection
• Automatically builds profiles of peacetime traffic
• Reduce the need for manual thresholds in policies
• Significant deviations indicate potential attack
• Complements detection done by countermeasures
• Peacetime policy can include minimal to no countermeasures
• Invoke countermeasures only when abnormal patterns are observed

[Diagram: Thunder TPS baselining & anomaly detection shown on a UDP sessions graph.]
Policy-based Auto-mitigation & Auto-escalation

• Challenge: many environments are understaffed in operations
• Intelligent automation needed with option for manual override
• Mitigation policy contains multiple protection levels
  • Level 0: peacetime
  • Level 1-4: wartime defense
  • Operation driven, manual intervention
• Protection level automatically escalated depending on the degree & persistence of anomaly
• Administrators have the option to manually intervene at any stage of an attack

[Diagram: auto-escalation ladder. Level 0–Peacetime: No Countermeasures; Level 1–Wartime: Added Countermeasures; Level 2–Wartime: Increase Countermeasures; Level 4–Wartime: Final Countermeasures; Ops Driven: Manual Countermeasures. Labels: Auto-Escalation, Incident End.]
Ex. DNS Services Automatic Mitigation Escalation Policy

LEVEL 0–PEACETIME (Establish Baseline, No Countermeasures)
  Tracked indicators: TCP-conn-miss-rate, TCP-pkt-drop-ratio, TCP-syn-rate, TCP-src-threshold, TCP-zone-threshold, UDP-pkt-drop-ratio, UDP-pkt-rate, UDP-src-threshold, UDP-zone-threshold
  Mitigation applied: FTA L3/L4 packet anomaly check
  Action: Drop

LEVEL 1–WARTIME (Add Countermeasures)
  Tracked indicators: Continue tracking indicators, Zone threshold 1
  Mitigation applied: Malformed-DNS-query-check-basic, DNS-any-check, FQDN-label-length, FQDN-rate-limit-domain-name-suffix, FQDN-label-count, All level 0 mitigations
  Action: Drop, FQDN check, Source rate limit, Blacklist source

LEVEL 2–WARTIME (Increase Countermeasures)
  Tracked indicators: Continue tracking indicators, Zone threshold 2
  Mitigation applied: DNS-udp-authentication-force-retry, Malformed-DNS-query-check-extended, Src-rate-limit-by-request-type, All level 1 mitigations
  Action: Challenge, Drop, Source query type rate limit, Blacklist source

LEVEL 3–WARTIME (Final Countermeasures)
  Tracked indicators: Continue tracking indicators, Zone threshold 3
  Mitigation applied: dns-udp-authentication-force-tcp, dst rate-limit-request, All level 2 mitigations
  Action: Advance challenge, Drop, Destination rate limit, Blacklist source

LEVEL 4–WARTIME (Final Countermeasures)
  Tracked indicators: Continue tracking indicators, Zone threshold 4
  Mitigation applied: BGP black hole signaling, Administrator manual intervention, All level 3 mitigations
  Action: Create custom regular expression, Create custom Berkeley Packet Filter

Administrators have the option to manually intervene at any stage of an attack
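To make the baselining and the level-based escalation of the two preceding slides concrete, here is an added Python example that is not A10 code. It builds a peacetime profile from constructed per-interval query counts, derives four zone thresholds from that profile, and moves the active level according to the degree of the anomaly (which threshold is exceeded) and its persistence (how many consecutive intervals), returning to Level 0 once traffic stays at baseline; an administrator override freezes automation at any stage. The sample counts, the sigma multipliers, the persistence and calm interval counts, and the `EscalationPolicy` class are assumptions; the countermeasure names are lower-cased from the policy table above and are used only as labels, not as device configuration syntax.

```python
"""Peacetime baseline and level-based auto-escalation (added example, not A10 code)."""
import statistics

# Constructed policy. Zone thresholds are standard deviations above the
# peacetime mean; PERSISTENCE_INTERVALS consecutive intervals above a higher
# level are required before escalating, and CALM_INTERVALS at baseline end the incident.
ZONE_THRESHOLD_SIGMAS = {1: 3.0, 2: 6.0, 3: 10.0, 4: 20.0}
PERSISTENCE_INTERVALS = 2
CALM_INTERVALS = 3
MAX_LEVEL = 4

# Countermeasure names per level, lower-cased from the escalation policy slide;
# labels only, not device configuration syntax.
COUNTERMEASURES = {
    0: ["fta-l3/l4-packet-anomaly-check"],
    1: ["malformed-dns-query-check-basic", "dns-any-check", "fqdn-label-length",
        "fqdn-rate-limit-domain-name-suffix", "fqdn-label-count"],
    2: ["dns-udp-authentication-force-retry", "malformed-dns-query-check-extended",
        "src-rate-limit-by-request-type"],
    3: ["dns-udp-authentication-force-tcp", "dst-rate-limit-request"],
    4: ["bgp-black-hole-signaling", "administrator-manual-intervention"],
}

# Constructed samples: UDP DNS queries per second, one value per interval.
PEACETIME_SAMPLES = [1000, 1100, 950, 1050, 1000, 1200, 900, 1000]
WARTIME_SAMPLES = [1100, 1400, 1450, 1700, 2000, 1000, 1000, 1050]


def build_baseline(samples):
    """Profile peacetime traffic: mean, deviation, and the derived zone thresholds."""
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    thresholds = {lvl: mean + k * stdev for lvl, k in ZONE_THRESHOLD_SIGMAS.items()}
    return {"mean": mean, "stdev": stdev, "thresholds": thresholds}


def level_for(value, baseline):
    """Degree of anomaly: the highest zone threshold the observed value exceeds."""
    level = 0
    for candidate, threshold in sorted(baseline["thresholds"].items()):
        if value > threshold:
            level = candidate
    return level


class EscalationPolicy:
    """Escalates on degree and persistence; de-escalates to peacetime when calm."""

    def __init__(self, baseline):
        self.baseline = baseline
        self.level = 0
        self.manual_level = None   # set while an administrator has intervened
        self.above = 0             # consecutive intervals above the current level
        self.calm = 0              # consecutive intervals back at baseline
        self.history = []          # (value, observed level, active level)

    def active_countermeasures(self):
        """Every level's countermeasures up to and including the active one."""
        return [c for lvl in range(self.level + 1) for c in COUNTERMEASURES[lvl]]

    def manual_override(self, level):
        """Administrator pins a level; automation pauses until clear_override()."""
        self.manual_level = self.level = min(max(level, 0), MAX_LEVEL)

    def clear_override(self):
        self.manual_level = None

    def observe(self, value):
        """Feed one interval's measurement and return the active level."""
        observed = level_for(value, self.baseline)
        if self.manual_level is None:
            if observed > self.level:
                self.above, self.calm = self.above + 1, 0
                if self.above >= PERSISTENCE_INTERVALS:
                    self.level, self.above = observed, 0
            elif observed == 0 and self.level > 0:
                self.calm, self.above = self.calm + 1, 0
                if self.calm >= CALM_INTERVALS:
                    self.level, self.calm = 0, 0   # incident end
            else:
                self.above = self.calm = 0
        self.history.append((value, observed, self.level))
        return self.level


def run_scenario(peacetime, wartime):
    """Active level after each wartime interval."""
    policy = EscalationPolicy(build_baseline(peacetime))
    return [policy.observe(v) for v in wartime]


if __name__ == "__main__":
    baseline = build_baseline(PEACETIME_SAMPLES)
    print({lvl: round(t) for lvl, t in baseline["thresholds"].items()})
    print(run_scenario(PEACETIME_SAMPLES, WARTIME_SAMPLES))
```

With the constructed samples the peacetime mean is 1025 queries per second and Level 1 begins just below 1285; two intervals at Level 1 degree raise the policy to Level 1, two more at a higher degree jump it to Level 3, and three calm intervals return it to peacetime. A real deployment would keep one such profile per tracked indicator and per protected zone, and would use the observed level to pick which of the table's countermeasures to enable rather than only reporting it.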


ISP DDoS Defenses Topology

[Diagram: multiple peers in NA and EMEA connect at the edge; flows from the edge feed aGalaxy with Flow Detector, which drives the TPS scrubbing appliances at the edge over API; a dedicated DNS TPS sits in front of the DNS server farm; the backbone carries traffic to the data center and downstream subscribers. Management UI: GUI, REST API (aGAPI).]

Description
• Reactive deployment for infrastructure and downstream business customer protection
• Proactive deployment for DNS services

Benefits
• Comprehensive DDoS Defenses
• Surgical protection
• Cost effective scalability
• DNS DDoS resilience
Next Steps to Ensure DNS Resilience

• Calculate adequate capacity required
  • For peak traffic conditions now
  • To support business for the next 2-4 years
• Monitor and baseline environments
  • Determine your current threat level
  • Gain real-time threat visibility
• Ensure DDoS protections are in place
  • Determine DDoS policy
  • Automate wartime protection level escalation
• Prepare internal and external procedures
  • Personnel notification and escalation staff
  • External (and internal) communication plan

Request a hardware appliance or virtual evaluation
Learn more: DNS solution brief and TPS data sheet
Thank You
Backup Slides
Proactive Asymmetric Deployment

[Diagram: Internet > Core Network > THUNDER TPS inline > End Customer or Data Center > Services.]

• Always-on protection
• Flexible L2 or L3 (integrated BGP, OSPF, IS-IS routing) inline
• Down to 100 ms detection and mitigation interval
• Peace time learning mode
• Full ingress traffic visibility, no sampling
• Low latency (60 µs average)
• Symmetric supported
• Use case
  • All-in-one network-wide DDoS protection
  • Augment/offload legacy DDoS mitigation
Reactive Deployment (A10 Flow-based Detector)

[Diagram: Internet > Core Network > Data Center > Services. Flow telemetry from the core network feeds the Flow Detector; aGalaxy 5000 drives THUNDER TPS over aXAPI; TPS announces BGP and returns clean traffic.]

• Orchestrated, single-vendor, DDoS-focused solution
• aGalaxy platform orchestrates actions within the solution
• Flow detector analyzes, baselines, and detects anomalies
  • Notifies aGalaxy platform
• aGalaxy signals attack and mitigation template to mitigators
• TPS makes BGP call to route traffic to TPS
• TPS scrubs traffic and re-injects traffic to destination
• Up to 500k flows per second DDoS detection in a single appliance
Reactive Deployment (Partner Flow-based Detector)

[Diagram: Internet > Core Network > Data Center > Services. Flow telemetry feeds the partner DDoS detection (FlowTraq, GenieNRM, Kentik (SaaS), others), which drives THUNDER TPS over aXAPI; TPS announces BGP and returns clean traffic.]

• With a flow-based detection
  • Integrate with existing DDoS detection
  • DDoS detection partners: FlowTraq, GenieNRM, Kentik (SaaS) and more
• Scalable, centralized DDoS protection
  • Oversubscribed protection bandwidth
  • Not in path during peace time
• Limitations of sampling based detection
  • Less accurate (sample of traffic, not all)
  • Longer time to mitigate
  • May not inspect for application layer attacks (e.g. for slow-and-low)
• Easy integration
  • Rest API: aXAPI
TPS On-box Reporting

• Protected Destination and Zone Summary Report
• Incident Summary Report

aGalaxy DDoS Defense Focused Dashboard

[Dashboard screenshot: Pending operator action (1), Under mitigation (22), No mitigation needed (26).]

Real-time situational awareness: all TPS devices and current attack status
aGalaxy Reporting

• New reporting framework
• Combined reporting across all TPS
• On-demand and scheduled reports
• Types of reports
  • Protected Destination Detailed
  • Protected Destination Summary
  • Protected Destination Incident
  • Protected Destination Incident Summary
  • Protected Zone Detail
  • Protected Zone Summary
  • Protected Zone Incident
  • Protected Zone Incident Summary
  • Device Inventory