
S2_Paul_Kane EU-17Jan


Workshop on sharing lessons learnt from large scale attacks on the Internet

Paul M Kane
Director, CommunityDNS

17th January 2008

                                                      January 2008

• Overview

  – CommunityDNS provides Domain Name System lookup services for 104 million (70%) of
    the world’s Internet domain names

  – TLD Registries supplement their own “in-house” DNS service with outsourced providers to
    offer greater resilience to attack

  – CommunityDNS currently provides contracted services to 38 TLDs and 1 Root server operator
    under professional Service Level Agreements.

  – Growth in the availability of low-cost bandwidth, and of “always-on”, vulnerable, powerful home
    computers, means that groups of compromised machines are available to attack DNS

  – A compromised home computer is capable of making over 1000 DNS queries per second
    but may only make 10 queries per second to avoid being detected. Put a globally
    distributed cluster of 10,000 machines together at 10 queries per second and the target of
    attack receives 100,000 queries per second.

  – Purpose of an attack is to isolate a user community from the global internet, the motivation
    being to inflict cyber-terrorism, extortion, or peer review of technical competence.
Avoid single points of failure

• Traditionally, operators used standard DNS resolver (BIND) for Domain Name to IP
  address translation.

• To avoid a single point of failure and limited capacity, operators use multiple
  platforms (applications and hardware): BIND, NSD, CommunityDNS and others,
  some run internally, others out-sourced, to mitigate risk exposure.

• To optimise performance and IP peering, servers are located in multiple geographical
  areas and on different backbones. Traditionally, DNS server operators published a
  single IP address which directed traffic to a specified server location. Easy to attack.

• Deploying multiple servers in an “Anycast” cloud: a single IP address is published
  and the routing tables are manipulated so that traffic is directed to the
  “nearest” server to the query source.

• Anycast is a proven technology and works in conjunction with more traditional
  Unicast technologies.


Anycast at work

• Routing tables/computers determine the routing path “in real time”, and thus routing
  paths can (and do) change very quickly; each route has a variable “cost” and
  operators switch routes to reduce the cost of transit.

• Anycast is useful for single-packet questions (like DNS); it is not useful for multi-
  packet (TCP) queries, as the packets may end up at different servers in the Anycast cloud.

• The objective in mitigating the impact of an attack is to have an Anycast server as close
  to the source as possible (from a network topology perspective). By attracting “bad”
  traffic to the nearest instance, the impact of an attack on “good” customers is reduced.

• Servers responding to the same address

• Works for both IPv4 and IPv6
• Example: server locations
  – Amsterdam, Netherlands
  – Ashburn, VA
  – Brussels, Belgium
  – Chicago, IL
  – London, UK
  – San Jose, CA
  – Sydney, Australia
  – Tokyo, Japan
  – Vienna, Austria
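The effect the two slides above describe (a single published address sends every query, good and bad, to one place, while an Anycast cloud lets each source reach its topologically nearest instance, so a burst attack is absorbed near its origin and the remaining customers are unaffected) can be modelled with a small route-cost simulation. The following is an added example, not CommunityDNS code or any part of the original deck: the network topology, route costs, site names and query rates are all constructed, and “nearest” is computed as lowest path cost (real inter-domain routing follows BGP policy, but the consequence for where traffic lands is the same). It also applies the later slide’s provisioning rule (10 times versus 100 times average load) to see which source networks are degraded.

```python
"""Unicast versus anycast serving under a burst attack.  Added example for
this deck, not CommunityDNS code; topology, costs, site names and query
rates are constructed."""
import heapq
from collections import defaultdict

# Constructed network: node -> {neighbour: route cost}.  Costs stand in for
# the transit "cost" that operators tune in their routing tables.
TOPOLOGY = {
    "AMS": {"LON": 1, "FRA": 1, "IAD": 6},
    "LON": {"AMS": 1, "DUB": 1, "IAD": 5},
    "FRA": {"AMS": 1, "MIL": 1, "WAW": 1},
    "MIL": {"FRA": 1, "IAD": 7},
    "WAW": {"FRA": 1},
    "DUB": {"LON": 1, "IAD": 4},
    "IAD": {"AMS": 6, "LON": 5, "MIL": 7, "DUB": 4, "ORD": 1, "GRU": 4},
    "ORD": {"IAD": 1, "SJC": 2},
    "SJC": {"ORD": 2, "NRT": 5},
    "NRT": {"SJC": 5, "SYD": 4},
    "SYD": {"NRT": 4},
    "GRU": {"IAD": 4},
}

# Constructed background load, queries per second, per source network.
NORMAL = {"AMS": 300, "LON": 400, "FRA": 350, "MIL": 200, "WAW": 150,
          "DUB": 100, "IAD": 500, "ORD": 300, "SJC": 400, "NRT": 350,
          "SYD": 200, "GRU": 250}

# The deck's attack: 10,000 compromised machines at 10 qps each = 100,000 qps,
# here all placed behind one source network.
ATTACK = dict(NORMAL)
ATTACK["MIL"] += 10_000 * 10

ANYCAST_SITES = ["AMS", "LON", "IAD", "ORD", "SJC", "NRT", "SYD"]
UNICAST_SITE = ["IAD"]  # the traditional single published location


def shortest_costs(topology, start):
    """Dijkstra: route cost from `start` to every node (the 'nearest' test)."""
    dist = {start: 0}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in topology[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def nearest_instance(topology, source, instances):
    """The instance a query from `source` reaches: lowest route cost, ties by name."""
    dist = shortest_costs(topology, source)
    return min(instances, key=lambda site: (dist.get(site, float("inf")), site))


def load_per_instance(topology, sources, instances):
    """Queries per second landing on each instance for a set of sources."""
    load = defaultdict(int)
    for source, qps in sources.items():
        load[nearest_instance(topology, source, instances)] += qps
    return dict(load)


def affected_sources(topology, normal, attack, instances, headroom):
    """Source networks whose serving instance is pushed past `headroom` times
    its normal load (the deck's 10x versus 100x provisioning rule)."""
    base = load_per_instance(topology, normal, instances)
    hot = load_per_instance(topology, attack, instances)
    overloaded = {s for s in instances if hot.get(s, 0) > headroom * base.get(s, 0)}
    return sorted(src for src in attack
                  if nearest_instance(topology, src, instances) in overloaded)


def with_cost(topology, a, b, cost):
    """Copy of the topology with the a<->b route re-costed, as an operator
    switching transit would do; the nearest instance can change as a result."""
    new = {node: dict(nbrs) for node, nbrs in topology.items()}
    new[a][b] = cost
    new[b][a] = cost
    return new


if __name__ == "__main__":
    for label, sites in (("unicast", UNICAST_SITE), ("anycast", ANYCAST_SITES)):
        print(label, "attack load:", load_per_instance(TOPOLOGY, ATTACK, sites))
        print(label, "sources degraded at 10x headroom:",
              affected_sources(TOPOLOGY, NORMAL, ATTACK, sites, 10))
    rerouted = with_cost(TOPOLOGY, "MIL", "IAD", 1)
    print("MIL after re-costing MIL-IAD:", nearest_instance(rerouted, "MIL", ANYCAST_SITES))
```

With the single unicast site, every source network is degraded once the attack exceeds 10 times the normal load; with the Anycast cloud only the sources in the Amsterdam catchment (the attacker's own neighbourhood) see the overload. The `with_cost` call shows the other point on this slide: re-costing one route moves a source to a different instance, which is why catchments have to be re-measured rather than assumed.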

Isolating “bad” traffic does not work

• All traffic passes via the “most efficient” route. “Efficient” can be defined as largest, fastest
  or cheapest, all encapsulated in a Peering Agreement between competing backbone providers and
  ISPs. Frequently packets travel half way around the world and back again by virtue of
  optimised Peering.

• Some consider a ccTLD a geographical identifier; however, in the vast majority of cases, the
  name servers that support a Domain Name are reliant upon and serviced by name servers that
  are not operated from within that same geographical area. Customers select their service
  provider based on price, service and functionality.

• To demonstrate this we conducted a test on Sunday 9th December to establish the
  origins of DNS traffic using a DNS Monitoring service (DNSMON) provided by

• Despite having servers in Amsterdam, London and Warsaw, traffic originating in
  Germany, Italy, Ireland, UK and Brazil was sent via Ashburn (Washington DC, USA)

• When conducting the same test a few days later, a completely different set of results
  was obtained.
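The test described on this slide is a catchment measurement: probes in many countries query the Anycast address, each probe records which instance answered it, and the results are compared across runs. The following is an added example, not the DNSMON service or CommunityDNS tooling: in practice an instance identifies itself through the CHAOS-class TXT record `hostname.bind` or the NSID option, but the log format, probe ids, dates, instance names and region tables below are all constructed for the example.

```python
"""Catchment analysis of anycast probe results.  Added example for this
deck, not DNSMON or CommunityDNS code; log format, probe ids, dates,
instance names and region tables are constructed."""
import re
from collections import defaultdict

# Constructed probe logs: date, probe id, probe country, hostname.bind answer.
# The instance is the second label of the answer (a constructed convention).
RAW_RUN_1 = """\
2007-12-09 p01 DE "ns1.ashburn.example"
2007-12-09 p02 IT "ns1.ashburn.example"
2007-12-09 p03 IE "ns2.ashburn.example"
2007-12-09 p04 GB "ns1.ashburn.example"
2007-12-09 p05 BR "ns1.ashburn.example"
2007-12-09 p06 NL "ns1.amsterdam.example"
2007-12-09 p07 PL "ns1.warsaw.example"
2007-12-09 p08 US "ns2.ashburn.example"
2007-12-09 p09 JP "ns1.tokyo.example"
"""
RAW_RUN_2 = """\
2007-12-12 p01 DE "ns1.amsterdam.example"
2007-12-12 p02 IT "ns1.london.example"
2007-12-12 p03 IE "ns1.london.example"
2007-12-12 p04 GB "ns1.london.example"
2007-12-12 p05 BR "ns1.ashburn.example"
2007-12-12 p06 NL "ns1.amsterdam.example"
2007-12-12 p07 PL "ns1.warsaw.example"
2007-12-12 p08 US "ns2.ashburn.example"
2007-12-12 p09 JP "ns1.tokyo.example"
"""

# Constructed region tables used to spot queries that left their region.
INSTANCE_REGION = {"amsterdam": "EU", "london": "EU", "warsaw": "EU",
                   "ashburn": "NA", "tokyo": "AP"}
COUNTRY_REGION = {"DE": "EU", "IT": "EU", "IE": "EU", "GB": "EU", "NL": "EU",
                  "PL": "EU", "BR": "SA", "US": "NA", "JP": "AP"}

LINE = re.compile(r'^(\d{4}-\d\d-\d\d)\s+(\S+)\s+([A-Z]{2})\s+"([^"]+)"$')


def parse_run(text):
    """Turn one run's log into (probe id, country, instance) tuples; lines that
    do not match the format are skipped rather than guessed at."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _date, pid, country, answer = m.groups()
        labels = answer.split(".")
        if len(labels) < 2:
            continue
        out.append((pid, country, labels[1]))
    return out


def catchment(results):
    """instance -> sorted countries it served in this run."""
    seen = defaultdict(set)
    for _, country, instance in results:
        seen[instance].add(country)
    return {inst: sorted(c) for inst, c in seen.items()}


def out_of_region(results):
    """Probes answered by an instance outside the probe's own region."""
    return [(pid, country, inst) for pid, country, inst in results
            if COUNTRY_REGION.get(country) != INSTANCE_REGION.get(inst)]


def moved(run_a, run_b):
    """Probes whose answering instance changed between runs: id -> (before, after)."""
    before = {pid: inst for pid, _, inst in run_a}
    after = {pid: inst for pid, _, inst in run_b}
    return {pid: (before[pid], after[pid])
            for pid in before if pid in after and before[pid] != after[pid]}


if __name__ == "__main__":
    r1, r2 = parse_run(RAW_RUN_1), parse_run(RAW_RUN_2)
    print("catchment, run 1:", catchment(r1))
    print("left their region, run 1:", out_of_region(r1))
    print("left their region, run 2:", out_of_region(r2))
    print("changed between runs:", moved(r1, r2))
```

The first constructed run reproduces the slide's observation (European probes answered from Ashburn despite instances in Amsterdam, London and Warsaw); the second run shows the catchment shifting a few days later. Running `out_of_region` and `moved` on every measurement cycle is what turns a one-off test into the continuous monitoring the next slide calls for.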

Continuous analysis and monitoring

• Staying ahead of the game requires ongoing infrastructure investment and
  continuous monitoring and analysis of traffic

• Multiple platform, multiple locations

• Traditionally operators provided for 10 times the average load; they now provide
  for 100 times the average load to cope with “burst” attacks.

• Early warning via information sharing to
  identify likely types of attack

• Respecting operational diversity, the industry develops Best Practice in various
  forums (like CENTR) to assist in identifying appropriate responses and infrastructure

• Policy and operational diversity is good as it builds resilience, making it harder
  for bad guys to launch attacks.

Looking to the future

• Isolating a national network that is under attack from real world traffic does not work as a
  methodology for reducing attacks. It assists the bad guys in achieving their objectives!

• In an internationally interconnected economy, networks are optimised for performance and
  quality of service across national boundaries.

• For resilience, in an ideal world, having the ability to resolve all of the world’s domain names at
  a local/national level reduces the opportunity for attacks on DNS look-up infrastructure.

• Best real world approach is to have in excess of 100 name servers deployed around the world
  to maximise the ability to answer queries, and “attract” bad traffic to the nearest name server
  instance (from a network topology perspective).

• There is an important role for organisations to independently analyse various market and
  infrastructure conditions to ascertain the best locations for servers around the world that
  would promote a resilient service within Europe’s 27 member states. Care must be taken to
  avoid “one framework” for all EU markets, as this makes the attacker’s job easier.


Thank you.

