DNS servers are critical infrastructure
Frequently targeted to stop access to other dependent services
(Diagram: DNS Resolver)
DNS Attacks Have Evolved
Investigating
IoT-based toolkit used in DYN attack
Multi-vector attack: 9+ vectors, 300,000 to 500,000+ devices
UDP Data Flood: Selects random victim domain endpoints and floods them with UDP packets and IP fragments.
TCP SYN Flood: Floods random victim domain endpoints with spoofed TCP SYN packets.
TCP ACK Flood: Floods random victim domain endpoints with spoofed TCP ACK packets.
TCP STOMP (Data) Flood: Intended to overcome DDoS mitigations; connects to random victim domain endpoints and floods them with TCP data.
HTTP Request Flood: Intended to overcome DDoS mitigations; connects to random HTTP endpoints in the victim’s domain and floods them with HTTP requests.
DNS Water Torture Attack: Floods ISP recursive DNS servers with randomized queries to a victim base domain name, causing the ISP DNS servers to perform the attack on the victim’s authoritative DNS servers. As victim DNS servers become overloaded, the ISP DNS servers retransmit attack queries to other authoritative DNS servers in the victim’s enterprise.
Valve Gaming Server Attack: Floods random Valve streaming engine endpoints in the victim’s domain with spoofed source-engine query packets.
GRE IP/Ethernet Floods: Floods random victim domain endpoints with spoofed GRE IP or IP-over-Ethernet-tunneled UDP packets.
How DNS is Vulnerable to DDoS
Common attacks
• Network & resource-exhaustion attacks
• Exploitation of DNS-specific functionality and vulnerabilities
Common techniques
• Accessible and easy to use toolkits and apps
• Amplification attacks leveraging query-to-response sizes
• Reflection attacks using millions of unsecured open DNS resolvers
• And more…
DNS DDoS Attack Strategies
• DNS reflection/amplification
• DNS protocol anomaly
• Repetitive ANY queries
• Random query names
• The DDoS of Things
(Diagram labels: Delivery; Victim; Enterprise Name Server; ISP Recursive Server; TLD Authoritative Server; Root Authoritative Server)
Key Principles of Effective DDoS Protection
COST EFFECTIVE: Performance by design to offer solutions that make economic sense
DNS Protection: Thunder TPS (Threat Protection System)
Appliance models: Thunder 14045 (300 Gbps, 400 Mpps); Thunder 6435 (152 Gbps, 220 Mpps); Thunder 4435 (38 Gbps, 55 Mpps); Thunder 840 (2 Gbps, 1.5 Mpps)
Deployment tiers shown: Top Level Domain (TLD), ISP, Enterprise
(Diagram labels: Valid User, Attacker)
Thunder TPS Multi-vector DNS Defenses
Defense order: network flood attacks > spoofing attacks > directed flood attacks > DNS reflection/amplification attacks > NXDOMAIN attacks
(Diagram flows: DDoS Queries, Valid User DNS Queries)
• Mitigate general network and protocol attacks (Threat Intelligence Blacklist)
• Drop malformed DNS query
• Drop ANY request query
• Limit excessive queries to fully qualified domain name (FQDN)
• Drop abusive FQDN length violation request
• Execute DNS request authentication challenge
• Limit DNS request rate by record type
• Limit random query name rates
• Limit NXDOMAIN response queries by requester
DNS Defense Detail
Complete DNS infrastructure protection: general attacks and DNS specific attacks
Increase security efficacy with A10 Threat Reputation Lists, powered by ThreatSTOP: dynamic threat intelligence updates delivered to Thunder TPS
Malware lists: Dshield, Abuse.ch, Shadowserver, more...
(Diagram labels: Validate, Service)
Built-in Behavioral Learning & Anomaly Detection
Thunder TPS: Policy-based Auto-mitigation & Auto-escalation
LEVEL 0 – PEACETIME: Establish baseline, no countermeasures
• Indicators tracked: TCP-conn-miss-rate, TCP-pkt-drop-ratio, TCP-syn-rate, TCP-src-threshold, TCP-zone-threshold, UDP-pkt-drop-ratio, UDP-pkt-rate, UDP-src-threshold, UDP-zone-threshold
• FTA L3/L4 packet anomaly check: Drop
LEVEL 1 – WARTIME (Zone threshold 1): Continue tracking indicators, add countermeasures
• All level 0 mitigations
• Checks: FQDN-label-length, FQDN-rate-limit-domain-name-suffix, FQDN-label-count
• Actions: Drop, FQDN check, Source rate limit, Blacklist source
LEVEL 2 – WARTIME (Zone threshold 2): Continue tracking indicators, increase countermeasures
• All level 1 mitigations
• Checks: Malformed-DNS-query-check-basic, Malformed-DNS-query-check-extended, DNS-any-check, Src-rate-limit-by-request-type
• Actions: Drop, Source query type rate limit, Blacklist source
LEVEL 3 (level heading not preserved in the source text): DNS-udp-authentication-force-retry: Challenge
LEVEL 4 – WARTIME (Zone threshold 4): Continue tracking indicators, final countermeasures
• All level 3 mitigations
• BGP black hole signaling
• Administrator manual intervention
• Create custom regular expression
• Create custom Berkeley Packet Filter
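The escalation ladder above names the DNS checks (FQDN-label-length, FQDN-label-count, DNS-any-check, source rate limits, random query name and NXDOMAIN rate limits) but not how they are evaluated. The following Python is an added illustration, not A10's code: it applies those checks to constructed resolver log lines; the log format, the thresholds and the two-label zone assumption are all assumptions of this example.

```python
from collections import defaultdict
# Thresholds are assumed for this demo, not A10 defaults.
MAX_LABEL_LEN = 63    # RFC 1035 label limit (FQDN-label-length)
MAX_LABELS = 8        # FQDN-label-count
SRC_QPS_LIMIT = 3     # queries per source per second (source rate limit)
SUFFIX_QPS_LIMIT = 4  # distinct names per zone per second (random query names)
NX_QPS_LIMIT = 2      # NXDOMAIN responses per source per second

class DnsPolicy:
    def __init__(self):  # per-second counters keyed on (source or zone, second)
        self.src, self.names, self.nx = defaultdict(int), defaultdict(set), defaultdict(int)
    def check(self, line):
        """Constructed log format: '<epoch> <src_ip> <qname> <qtype> <rcode>'."""
        ts, src, qname, qtype, rcode = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if any(len(l) > MAX_LABEL_LEN for l in labels):
            return "drop:fqdn-label-length"
        if len(labels) > MAX_LABELS:
            return "drop:fqdn-label-count"
        if qtype == "ANY":
            return "drop:dns-any-check"
        self.src[(src, ts)] += 1
        if self.src[(src, ts)] > SRC_QPS_LIMIT:
            return "drop:src-rate-limit"
        zone = ".".join(labels[-2:])  # base domain; assumes two-label zones
        self.names[(zone, ts)].add(qname)
        if len(self.names[(zone, ts)]) > SUFFIX_QPS_LIMIT:
            return "drop:fqdn-rate-limit-suffix"  # water torture pattern
        if rcode == "NXDOMAIN":
            self.nx[(src, ts)] += 1
            if self.nx[(src, ts)] > NX_QPS_LIMIT:
                return "drop:nxdomain-rate-limit"
        return "pass"

def evaluate(lines):  # one verdict per log line, sharing one policy instance
    policy = DnsPolicy()
    return [policy.check(l) for l in lines]

# Constructed sample: a normal client, an ANY query, then a burst of random
# names under example.com from two sources (the water torture pattern).
SAMPLE = [
    "1700000000 192.0.2.10 www.example.com A NOERROR",
    "1700000000 192.0.2.10 mail.example.com ANY NOERROR",
    "1700000000 198.51.100.7 a1b2.example.com A NXDOMAIN",
    "1700000000 198.51.100.7 c3d4.example.com A NXDOMAIN",
    "1700000000 198.51.100.7 e5f6.example.com A NXDOMAIN",
    "1700000000 203.0.113.9 g7h8.example.com A NXDOMAIN",
    "1700000000 198.51.100.7 i9j0.example.com A NXDOMAIN",
    "1700000001 192.0.2.10 " + "x" * 64 + ".example.com A NXDOMAIN",
]
```

Counters are keyed per whole second, so a real deployment would use sliding windows and per-zone thresholds learned during the peacetime baseline rather than the fixed constants here.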
(Diagram labels: UI, Internet, Core Network, Thunder TPS, End Customer or Data Center, Services)
• Always-on protection
• Flexible L2 or L3 (integrated BGP, OSPF, IS-IS routing) inline
• Down to 100 ms detection and mitigation interval
• Peace time learning mode
• Full ingress traffic visibility, no sampling
• Low latency (60 µs average)
• Symmetric supported
• Use case
  • All-in-one network-wide DDoS protection
  • Augment/offload legacy DDoS mitigation
Reactive Deployment (A10 Flow-based Detector)
(Diagram labels: Data Center, Services)
• Easy integration
• REST API: aXAPI
TPS On-box Reporting
Real-time situational awareness: all TPS devices and current attack status
aGalaxy Reporting
• New reporting framework
• Combined reporting across all TPS