5–6 Oct 2013
Wild Horse Pass Resort
America/Phoenix timezone

Blocking DNS Messages is Dangerous

6 Oct 2013, 11:10
45m
Komatke E/F (Wild Horse Pass Resort)


www.wildhorsepassresort.com 5594 W. Wild Horse Pass Boulevard Chandler, Arizona 85226 USA

Speaker

Mr Florian Maury (ANSSI/FNISA)

Description

Internet entities are regularly affected by Distributed Denial of Service (DDoS) on various scales. Several methods can be leveraged to perform such attacks, but the most recent incidents were caused by throughput amplification via DNS servers. Improving the overall security of the French segment of the Internet is one of the missions of ANSSI (the French Network and Information Security Agency), which has led us to perform an analysis of the various DDoS mitigation techniques available to DNS operators. This research work shows that some of the most popular anti-DDoS strategies, currently deployed by prominent actors of the DNS community, could, under certain circumstances, make DNS cache poisoning attacks much easier, most often resulting in successful attacks taking less than a day.

Summary

The vulnerability affects not only infrastructures using general-purpose firewalls to filter DNS traffic but also those that use RRL (Response Rate Limiting), the technology that we found to be the most appropriate to deal with DNS DDoS amplification attacks. The presentation will go through a detailed description of the modus operandi of the attack and the underlying mathematical model. We will then present our recommendations and how they address the discovered vulnerability. We will then describe the timeline that we followed to disclose our findings, including how actors were contacted and what their feedback and concerns were regarding our proposed countermeasures. Several scenarios will be analyzed, including infrastructures using general-purpose firewall rate-limiting, so-called malformed-packet filtering, RRL using a slip value different from 1, and some interesting setups that were brought to our attention by prominent DNS operators and designers. Finally, we will formulate some open questions regarding possible long-term fixes.
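The following configuration fragment is added here as an illustration of the "slip value different than 1" scenario mentioned above; it is not material from the talk or from ANSSI. It uses the BIND 9 `rate-limit` syntax, and the numeric values (`responses-per-second 5`) are assumed for illustration only. The security-relevant point is the difference between silently dropping a rate-limited response and answering it with a truncated reply: a resolver whose query was dropped keeps waiting, which lengthens the period during which a forged answer could be accepted.

```conf
# named.conf (illustrative fragment, not from the talk). Values are assumed.

# Weak setting: with "slip 2", every second rate-limited response is dropped
# outright rather than answered. The querying resolver then waits for a reply
# that never comes, which is the kind of blocking behaviour the talk warns about.
options {
    rate-limit {
        responses-per-second 5;
        slip 2;
    };
};

# Hardened setting: with "slip 1", every rate-limited query receives a small
# truncated (TC=1) response instead of being dropped. A legitimate resolver
# retries immediately over TCP, and the truncated reply is roughly the size of
# the query, so it still offers no amplification to a reflection attack.
#
#   rate-limit {
#       responses-per-second 5;
#       slip 1;
#   };
```

The same reasoning applies to general-purpose firewall rate limiting, which can only drop packets: it has no equivalent of the truncated reply, so any rate-limited DNS response it handles is necessarily blocked.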

Primary author

Mr Florian Maury (ANSSI/FNISA)

Co-author

Mr Mathieu Feuillet (ANSSI/FNISA)
