New DNS Security Protection Technologies

Uploader: 繁星  Document ID: 88248764  Uploaded: 2019-04-22  Format: PPTX  Pages: 32  Size: 3.35 MB

New DNS Security Protection Technologies
Guo Qing

Agenda
- The four major DNS threats
- DNS security architecture
- The DNS "5.19" case
- Professional DNS protection

The four major DNS threats
1. DNS DDoS: flood attacks; DNS amplification attacks
2. DNS poisoning: cache hijacking; redirection
3. DNS abnormal queries: malformed queries
4. DNS overflows (ATLAS): zero-day vulnerabilities; intranet worms

Symptoms of DNS under attack
- Internet connections almost lost (web, email): users can barely get online, or browsing is very slow
- Very low Internet connectivity; Internet users get no response from the local DNS
- DNS servers: CPU/memory at nearly 100%
- Layer-4 switches: the same, plus an abnormally high number of parallel sessions
- Source IP addresses of the incoming traffic: widely scattered

DNS service outage: DDoS?

Consequences of DNS failures
- Authoritative DNS: service outage. Cause: under attack, or a fault of its own. Solution: attack protection; periodic self-inspection
- Network congestion: redirection, data retransmission. Solution: default answers; control recursion on the DNS cache
- DNS request data, user network access: access interrupted, names cannot be resolved, browsing is slow. Solution: change the DNS setting to point at a valid DNS
- Monitoring of well-known websites: traffic drops, fewer visits, fewer users. Solution: report to the telecom carrier; notify customers

DNS Response DDoS (5.19)
Pattern: \x81\x82\x00\x01\x00\x00\x00\x00\x00\x00\x04tock\x04usno\x04navy\x03mil\x00\x00\x01\x00\x01
Decoded, the pattern is a response (flags 0x8182: QR, RD and RA set, RCODE 2 = SERVFAIL) carrying one question and no answer, authority or additional records, for the name tock.usno.navy.mil, type A, class IN. The pattern starts at the flags field, so the 16-bit transaction ID that precedes it in a real packet is not part of the match.

Cache poisoning attack (parties: Attacker, Local DNS, name server)
1) The attacker sends a request for [name]
2) The local DNS checks its cache for [name]: No. Do we have a name server entry for [zone]? Yes
3) Let's ask [name server]
4) If the spoofed replies carry the right TXID, update the cache with: [name] = [name server] = 7.7.7.7

DNS security architecture and response
- Architecture level: Anycast
- Network level: scrubbing center (Anti-DDoS); intrusion protection (Anti-Intrusion); intranet infection (Anti-Botnet)
- Application level: authoritative DNS patches; hijacking and poisoning; cache; malformed queries

DNS hardening and protection: scrubbing vs. IPS (diagram)
- Components shown: Internet; firewall; cloud firewall IPS/IDS; DNS service hardening; cloud scrubbing with Peakflow SP CP/TMS; SensorBase threat database
- 1. Anti-DDoS (Peakflow SP CP/TMS), 2. Anti-Intrusion (cloud firewall IPS implementation, Peakflow/X), 3. Anti-Botnet (Peakflow/X, Peakflow CP)

CP/TMS: security protection for the DNS service, out-of-path vs. inline
TMS DNS countermeasures (Peakflow SP TMS in front of the DNS servers):
- DNS Field Regex Countermeasure
- DNS Anti-Spoofing Countermeasure
- DNS Rate Limiting Countermeasure
- DNS Cache Poison Detection and Countermeasure

Visibility and detection
- Track Top DNS Objects per Mitigation: provides more context during attacks
- DNS Request Type Report: provides more visibility into DNS request traffic; reports the following DNS request types: A, AAAA, NS, CNAME, SOA, PTR, MX, TXT
- Deployment: DNS servers, port SPAN, Peakflow SP TMS; secures DNS servers and infrastructure from major attacks

IPS correlation: DNS signatures
- 3708.0 - AnalogX Proxy Socks4a DNS Overflow
- 4602.0-4 - Beagle (Bagle) Virus DNS Lookup
- 4615.0-3 - Beagle.B (Bagle.B) Virus DNS Lookup
- 4620.0 - DNS Limited Broadcast Query
- 5537.0 - ICQ Client DNS Request
- 5538.0 - AIM Client DNS Request
- 5539.0 - Yahoo Messenger Client DNS Request
- 5540.0 - MSN Messenger Client DNS Request
- 5493.0 - Llsrpc Bind
- 5766.0 - DNS Resolution Response Code Execution
- 5858.0-4 - DNS Server RPC Interface Buffer Overflow
- 6013.0-1 - IRCBOT_JK DNS Lookup
- 6050.0-1 - DNS HINFO Request
- 6051.0-1 - DNS Zone Transfer
- 6052.0-1 - DNS Zone Transfer from High Port
- 6053.0-1 - DNS Request for All Records
- 6054.0-1 - DNS Version Request
- 6055.0-2 - DNS Inverse Query Buffer Overflow
- 6056.0-2 - DNS NXT Buffer Overflow
- 6057.0-2 - DNS SIG Buffer Overflow
- 6058.0-1 - DNS SRV DoS
- 6059.0-2 - DNS TSIG Overflow
- 6060.0-3 - DNS Complain Overflow
- 6061.0-1 - DNS Infoleak
- 6062.0-1 - DNS Authors Request
- 6063.0-1 - DNS Incremental Zone Transfer
- 6064.0 - BIND Large OPT Record DoS
- 6065.0 - DNS Query Name Loop DoS
- 6066.0 - DNS Tunneling
- 6067.0 - DNS TSIG Bugtraq Overflow

Regional Fingerprint Server: cloud fingerprint-sharing policy (Regional In-Cloud Fingerprint Sharing)
Main function: a sharing policy for the carrier's internal "cloud" programme. CP devices in provincial or municipal networks communicate with the Fingerprint server and obtain security threat data from inside the network.
Advantages:
- Users can upload or download network security threat signatures, and CP devices share signature libraries with each other (resource sharing)
- Foresight of, and countermeasures for, new attacks and zero-day attacks
- Forms a security alliance inside the carrier and saves investment
- Helps provide traffic-scrubbing services to large enterprise customers (for example, banks)
Deployment: in the backbone network, with provincial/metro monitoring systems

DNS attacks: when and what?
Dates shown on the timeline: OCT 2002, NOV 2002, JUN 2004, OCT 2004, NOV 2004, JAN-FEB 2006, NOV 2006, FEB 2007
- Oct 2002: root servers attacked. Duration: 1 hour. Multi-modal: smurf, ICMP, port 53. "7" root servers appeared unreachable. Impact: no noticeable user effect
- UltraDNS TLD servers attacked. Duration: 24 hours+. ICMP 0, 8 and then port. Easily filtered; relies on pure packet volume to disable, producing a two-way traffic load. Impact: no noticeable user effect
- Jun 2004: Akamai attacked. Duration: 4 hours. No mitigation possible. Port 53, UDP, valid queries, multi-millions of queries per second. Impact: global
- DDoS for hire (extortion): the golden age of worms and trojans; the perfect DNS DDoS in the wild. No protocol-based defense or mitigation. Attack on bandwidth, not on applications or servers: 11 Gbps+. Impact: significant collateral damage
- Jan-Feb 2006: .com and .net (Verisign), .org (UltraDNS). Utilized open recursive servers. Average attack 7-10 Gbps. TLD operators had no successful defense. Impact: considerable user impact
- Feb 2007: G, L and M root servers, other TLDs (UltraDNS)? Utilized large bogus DNS UDP queries from many bots. Aggregate attacks 10 Gbps+. Mitigation: special hardware. Impact: 90% of traffic dropped; localized user impact
- Nov 2006: UUNet attack on 2nd-level DNS. UDP/53, authoritative servers for bank.foo. Spoofed source IPs, 800 Kpps. Impact: end-user/customer. Mitigated with C
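The 5.19 response pattern and the four-step cache-poisoning sequence above come down to the same few wire-format fields: the flags and RCODE that mark the pattern as a SERVFAIL response, and the TXID, port, question and record owners that decide whether a forged reply is accepted. The Python below is an added example, not code from the deck or from the Arbor products it names. It builds its own messages; every name, TXID, port and address in it is constructed (example.com is a reserved example domain, 7.7.7.7 is the address from the poisoning slide), and the pattern match assumes, as the decoded pattern implies, that a two-byte TXID precedes the deck's bytes in a real packet.

```python
"""DNS wire-format helpers and the resolver-side reply checks behind the deck's
cache-poisoning steps and its 5.19 pattern. Added example, not the deck's code;
every name, TXID, port and message here is constructed (example.com is a reserved
example domain, 7.7.7.7 is the address on the deck's poisoning slide)."""
import ipaddress
import struct

def encode_name(name):
    """Dotted name -> uncompressed wire labels ending in a zero-length label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off, max_hops=16):
    """Name at msg[off] -> (name, offset past it); follows RFC 1035 pointers.
    A looping pointer ('DNS Query Name Loop DoS' in the IPS list) is capped."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)

def a_rdata(ip):
    return ipaddress.IPv4Address(ip).packed

def build_reply(txid, qname, rcode=0, answers=(), authority=(), additional=()):
    """Response with one IN A question; records are (owner, rtype, rdata bytes)."""
    flags = 0x8180 | (rcode & 0xF)                  # QR=1, RD=1, RA=1
    msg = struct.pack("!6H", txid, flags, 1, len(answers), len(authority), len(additional))
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, rtype, rdata in (*answers, *authority, *additional):
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg

def parse(msg):
    """Header, the (single) question and every record of a message, as a dict."""
    txid, flags, _qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    out = {"txid": txid, "qr": flags >> 15, "rcode": flags & 0xF,   # rcode 2 = SERVFAIL
           "question": (qname, qtype, qclass)}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if rtype == 1:
                rdata = str(ipaddress.IPv4Address(rdata))
            elif rtype in (2, 5):                   # NS, CNAME: a possibly compressed name
                rdata = decode_name(msg, off)[0]
            off += rdlen
            rrs.append((owner, rtype, rdata))
        out[sec] = rrs
    return out

# The deck's 5.19 pattern. It begins at the flags field, so in a real packet a
# 2-byte TXID precedes it and a match ignores the first two bytes.
PATTERN_519 = (b"\x81\x82\x00\x01\x00\x00\x00\x00\x00\x00"
               b"\x04tock\x04usno\x04navy\x03mil\x00\x00\x01\x00\x01")

def matches_519(msg):
    return msg[2:] == PATTERN_519

def accept_reply(pending, dst_port, msg):
    """Checks a resolver applies before a reply may touch its cache. pending is the
    outstanding query as recorded when it was sent (txid, the resolver's source
    port, qname, qtype, zone of the server asked); dst_port is where the reply arrived."""
    r = parse(msg)
    if r["qr"] != 1:
        return False, "not a response"
    if r["txid"] != pending["txid"]:
        return False, "txid mismatch"
    if dst_port != pending["port"]:
        return False, "port mismatch"
    if r["question"] != (pending["qname"], pending["qtype"], 1):
        return False, "question mismatch"
    zone = pending["zone"]
    for sec in ("answer", "authority", "additional"):
        for owner, _, _ in r[sec]:
            if owner != zone and not owner.endswith("." + zone):   # bailiwick rule
                return False, f"out-of-bailiwick {sec} record for {owner}"
    return True, "accepted"

def expected_forgeries(txid_bits=16, port_bits=0):
    """Mean spoofed replies per race to hit TXID (and port): half the keyspace."""
    return 2 ** (txid_bits + port_bits) // 2
```

The bailiwick rule stops the step-4 glue injection when the forged name server lies outside the zone that was queried; a forgery whose records all sit inside the zone passes every check except the TXID and port comparison, which is why `expected_forgeries()` falls from 2^15 guesses with a 16-bit TXID alone to 2^31 once the source port is randomized as well.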

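The visibility features and the IPS signature list above describe what a DNS protection layer watches for: a per-type request report, the top queried objects, queries that match the signatures (ANY, zone transfers, HINFO, version.bind and authors.bind probes), and a per-source rate limit. The following Python runs those checks over query-log lines; it is an added example, not code from the deck or from the Peakflow products. It assumes BIND 9 style query-log lines, the log lines themselves are constructed (documentation address ranges, a 19-May-2009 timestamp), and the mapping from query types to signature names is this example's own, not the IPS vendor's.

```python
"""Detection pass over BIND 9 style query-log lines: the deck's request-type
report, top queried names, hits on the query types its IPS signature list names,
and a per-source rate limit. Added example, not the deck's or Arbor's code.
The log lines are constructed (documentation address ranges, a 19-May-2009
timestamp) and the query-to-signature mapping is this example's own."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# BIND 9 'queries' category line, e.g.
# 19-May-2009 10:00:00.101 client 192.0.2.10#5000: query: www.example.com IN A + (198.51.100.1)
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@\S+ )?(?P<src>[0-9a-fA-F.:]+)#(?P<sport>\d+)"
    r"(?: \(\S+\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")

# Query types and CHAOS-class probes the deck's IPS list singles out -> signature
# names (which query maps to which signature is an assumption of this example).
SUSPICIOUS_QTYPE = {"ANY": "6053 DNS Request for All Records",
                    "AXFR": "6051 DNS Zone Transfer",
                    "IXFR": "6063 DNS Incremental Zone Transfer",
                    "HINFO": "6050 DNS HINFO Request"}
CHAOS_PROBE = {"version.bind": "6054 DNS Version Request",
               "authors.bind": "6062 DNS Authors Request"}

# Constructed sample log: ordinary lookups, an ANY query and a version.bind probe
# from one source, a zone-transfer attempt, and a six-query burst from one client.
SAMPLE_LOG = """\
19-May-2009 10:00:00.101 client 192.0.2.10#5000: query: www.example.com IN A + (198.51.100.1)
19-May-2009 10:00:00.250 client 192.0.2.10#5001: query: www.example.com IN AAAA + (198.51.100.1)
19-May-2009 10:00:01.020 client 192.0.2.11#6000: query: mail.example.com IN MX + (198.51.100.1)
19-May-2009 10:00:01.400 client 192.0.2.12#6100: query: 10.2.0.192.in-addr.arpa IN PTR + (198.51.100.1)
19-May-2009 10:00:02.000 client 198.51.100.7#53: query: example.com IN ANY + (198.51.100.1)
19-May-2009 10:00:02.010 client 198.51.100.7#53: query: version.bind CH TXT + (198.51.100.1)
19-May-2009 10:00:02.500 client 203.0.113.5#40001: query: example.com IN AXFR + (198.51.100.1)
19-May-2009 10:00:03.000 client 203.0.113.9#1024: query: a1.example.com IN A + (198.51.100.1)
19-May-2009 10:00:03.100 client 203.0.113.9#1024: query: a2.example.com IN A + (198.51.100.1)
19-May-2009 10:00:03.200 client 203.0.113.9#1024: query: a3.example.com IN A + (198.51.100.1)
19-May-2009 10:00:03.300 client 203.0.113.9#1024: query: a4.example.com IN A + (198.51.100.1)
19-May-2009 10:00:03.400 client 203.0.113.9#1024: query: a5.example.com IN A + (198.51.100.1)
19-May-2009 10:00:03.500 client 203.0.113.9#1024: query: a6.example.com IN A + (198.51.100.1)
this line is not a query log entry
"""

def parse_line(line):
    """Log line -> dict(ts as epoch seconds, src, sport, qname, qclass, qtype); None if not a query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    ts = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    d["ts"] = ts.timestamp()
    d["qname"] = d["qname"].rstrip(".").lower()
    d["qclass"], d["qtype"] = d["qclass"].upper(), d["qtype"].upper()
    return d

def signature_for(entry):
    """Signature name if the query is one the IPS list flags, else None."""
    if entry["qtype"] in SUSPICIOUS_QTYPE:
        return SUSPICIOUS_QTYPE[entry["qtype"]]
    if entry["qclass"] == "CH":
        return CHAOS_PROBE.get(entry["qname"])
    return None

def analyze(log_text, per_source_limit=5, window_seconds=1.0, top_n=5):
    """Request-type report, top names, signature hits and sources over the rate limit."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    qtypes = Counter(e["qtype"] for e in entries)
    names = Counter(e["qname"] for e in entries)
    hits, windows = [], defaultdict(Counter)
    for e in entries:
        sig = signature_for(e)
        if sig:
            hits.append((e["src"], e["qname"], e["qtype"], sig))
        windows[e["src"]][int(e["ts"] // window_seconds)] += 1   # fixed-window counter
    limited = {src: max(c.values()) for src, c in windows.items()
               if max(c.values()) > per_source_limit}
    return {"request_types": dict(qtypes), "top_names": names.most_common(top_n),
            "signature_hits": hits, "rate_limited": limited}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

A fixed per-second window is the simplest form of the rate-limiting countermeasure; a token bucket would smooth bursts that straddle a window boundary, and in production the limit would be keyed on both source and queried name so that a single busy resolver is not throttled for legitimate traffic.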