SlideShare une entreprise Scribd logo

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2015]

APNIC
APNIC

A lightning talks presentation at APRICOT 2015.

Internet
1  sur  16
Water Torture: A Slow Drip DNS DDoS Attack on QTNet Kei Nishida, Network Center Kyushu Telecommunication Network Co.,Inc
2 About QTNet • Company Name  Kyushu Telecommunication Network Co., Inc. (QTNet, for short)  Telecommunicasions carrier in Kyushu , Japan • Services  Wide-Area Ethernet  FTTH  Internet Access,VoIP,TV Q
3 What is Water Torture? • A type of Distributed denial-of-service attack to DNS Servers. • Authoritative DNS servers is the target of this attack. • However, as a side effect, Cache DNS Server(Internet service providers DNS server) ‘s load is increased. • Since January 2014, this attack has been reported around the world.  Attack is ongoing. January 2014 bps
Overview of the Attack part 1 4 Open Resolvers Cache DNS Server Authoritative DNS Server (example.com) AttackerBotnets DNS Query abcdefg1.example.com abcdefg2. example.com abcdefg3. example.com and so on 1. the Attacker command his botnets. 2. So many bots send to send a small number of random queries to open resolvers(Customer Broadband routers). 3. Open resolvers send random queries to Cache DNS Server. 4. Cache DNS Servers send random queries to Authoritative DNS Server. 1. 2. 3. 4.
Overview of the Attack part 2 5 • Authoritative DNS servers go down with many DNS queries which are sent by Cache DNS Servers(Internet service providers DNS servers) • Cache DNS Server(Internet Service providers DNS server) go down with many DNS queries which are sent by Open resolvers = customer broadband routers.
QTNet Case -Overview 6 • From 29 May. 2014, queries from botnets grown up. • QTNet Cache DNS Server was effected by these traffic.  Alarm occurs the system resources of Cache DNS Server has reached the limit value.  Some customers informed that they could not access some web sites by their devices. • To Block the Attack, we tried some measures.
QTNet Case -Traffic from Botnets 7 29 May 30 1 June31 • The areas which are colored indicate the specific botnet ip address. • 1/2 traffic was came from non specific botnet ip address. Traffic of 53 port destination from Internet to QTNet Network non specific specific
QTNet Case -Traffic from Botnets 8 • Is a tendency of traffic has changed from June 14. Traffic of 53 port destination from Internet to QTNet Network non specific 10 Jun 11 12 13 14 15
QTNet Case –Cache DNS Server 9
QTNet Case –How to Block the Attack 1 10 • We put the zones which is target of attack on Cache DNS Servers. Like this. $TTL xxxxxx @ IN SOA localhost. localhost. ( 2014052900 ; Serial [yyyymmddhh] xxh ; Refresh[xxh] xxh ; Retry [xxh] xxd ; Expire [xxd] xxd ) ; Minimum[xxd] IN NS localhost. • Cache DNS Server could reply “NXDOMAIN” without contacting to Authoritative DNS Server. However,…  The zone of target was changed frequently.  Our operators had to monitor the attack and put the zones manually 24 hours a day.
QTNet Case –How to Block the Attack 2 11 • We use the iptables module (hashlimit) on Cache DNS Servers.  The packets to the same authoritative DNS server from the cache DNS Server, setting a certain threshold by hashlimit.  The packets which are over the limits are rejected with icmp-port-unreachable message. So, Cache DNS Server can reply “SERVFAIL” without contacting to Authoritative DNS Server. Iptables Overview
QTNet Case – Additional measures 12 • The fundamental problems are open resolvers and traffic from the botnets. • We are asking customers to update their broadband router’s firmware(so as not be open resolvers).
QTNet Case – Additional measures 13 • We think IP53B.  Block the destination port 53(udp) traffic from the internet to QTNet customer(dynamic ip address only).
Summary 14 • QTNet could block “Water Torture: A Slow Drip DNS DDoS Attack “ by iptables hashlimit module.  Operation of "allow list" is necessary. • The fundamental problems are open resolvers and traffic from the botnets. • Some vendors have released the DNS protocol base block functions, not Layer-3 base block. We are expecting that these functions goes well.
References 15 • Yasuhiro Orange Morishita@JPRS: About Water Torture  http://2014.seccon.jp/dns/dns_water_torture.pdf (accessed Jun 7th 2015) • SECURE64 BLOG -Water Torture: A Slow Drip DNS DDoS Attack  https://blog.secure64.com/?p=377 (accessed Jun 7th 2015)
Thank you!

Recommandé

The NixOS project and deploying systems declaratively
The NixOS project and deploying systems declarativelyThe NixOS project and deploying systems declaratively
The NixOS project and deploying systems declaratively
Sander van der Burg
 
Contiki os timer tutorial
Contiki os timer tutorialContiki os timer tutorial
Contiki os timer tutorial
Salah Amean
 
vlan
vlanvlan
vlan
SMKN 2 SUKABUMI
 
Soal Modul A Linux Environment LKS SMK NTB 2018
Soal Modul A Linux Environment LKS SMK NTB 2018Soal Modul A Linux Environment LKS SMK NTB 2018
Soal Modul A Linux Environment LKS SMK NTB 2018
I Putu Hariyadi
 
Data Encryption Standard (DES).ppt
Data Encryption Standard (DES).pptData Encryption Standard (DES).ppt
Data Encryption Standard (DES).ppt
A2KAROGANHD
 
Asterisk Complete Training
Asterisk Complete TrainingAsterisk Complete Training
Asterisk Complete Training
Flavio Eduardo de Andrade Goncalves
 
New teknologi komunikasi data dan suara
New teknologi komunikasi data dan suaraNew teknologi komunikasi data dan suara
New teknologi komunikasi data dan suara
Ali Must Can
 
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
David Adi Nugroho
 

Recommandé

The NixOS project and deploying systems declaratively
The NixOS project and deploying systems declarativelyThe NixOS project and deploying systems declaratively
The NixOS project and deploying systems declaratively
Sander van der Burg
 
Contiki os timer tutorial
Contiki os timer tutorialContiki os timer tutorial
Contiki os timer tutorial
Salah Amean
 
vlan
vlanvlan
vlan
SMKN 2 SUKABUMI
 
Soal Modul A Linux Environment LKS SMK NTB 2018
Soal Modul A Linux Environment LKS SMK NTB 2018Soal Modul A Linux Environment LKS SMK NTB 2018
Soal Modul A Linux Environment LKS SMK NTB 2018
I Putu Hariyadi
 
Data Encryption Standard (DES).ppt
Data Encryption Standard (DES).pptData Encryption Standard (DES).ppt
Data Encryption Standard (DES).ppt
A2KAROGANHD
 
Asterisk Complete Training
Asterisk Complete TrainingAsterisk Complete Training
Asterisk Complete Training
Flavio Eduardo de Andrade Goncalves
 
New teknologi komunikasi data dan suara
New teknologi komunikasi data dan suaraNew teknologi komunikasi data dan suara
New teknologi komunikasi data dan suara
Ali Must Can
 
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
Ngelab Packet Tracer - Subnet, IP, DHCP, Server, DNS, Email, NTP, FTP, RIP, E...
David Adi Nugroho
 
Elastix, TLS, SRTP y OpenVPN
Elastix, TLS, SRTP y OpenVPNElastix, TLS, SRTP y OpenVPN
Elastix, TLS, SRTP y OpenVPN
PaloSanto Solutions
 
Satellite communications
Satellite communicationsSatellite communications
Satellite communications
Muhammad Firzy Adha
 
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
I Putu Hariyadi
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit ModeSetting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Dhruv Sharma
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
Santosh Khadsare
 
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
Dewi Purnama Sari
 
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
Amazon Web Services
 
encryption and hash algorithms
encryption and hash algorithmsencryption and hash algorithms
encryption and hash algorithms
CARMEN ALCIVAR
 
Bab 5 media transmisi
Bab 5 media transmisiBab 5 media transmisi
Bab 5 media transmisi
EKO SUPRIYADI
 
Infrastruktur Mode Jaringan Wireless
Infrastruktur Mode Jaringan WirelessInfrastruktur Mode Jaringan Wireless
Infrastruktur Mode Jaringan Wireless
TsaniaNB
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQ
Alan Percy
 
Job 6 osilator colpitts dan hartley
Job 6 osilator colpitts dan hartleyJob 6 osilator colpitts dan hartley
Job 6 osilator colpitts dan hartley
Novita Lestari
 
TTNのご紹介_2023年版
TTNのご紹介_2023年版TTNのご紹介_2023年版
TTNのご紹介_2023年版
CRI Japan, Inc.
 
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Cristiān Villegās
 
Mengenal PBX
Mengenal PBXMengenal PBX
Mengenal PBX
David Adi Nugroho
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection tool
Issar Kapadia
 
Pertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanwormPertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanworm
Roziq Bahtiar
 
Teknik pengkodean sinyal
Teknik pengkodean sinyalTeknik pengkodean sinyal
Teknik pengkodean sinyal
pingkan lumongdong
 
CCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRPCCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRP
Vuz Dở Hơi
 
Praktikum wireless
Praktikum wirelessPraktikum wireless
Praktikum wireless
lalekmawale
 
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
APNIC
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году
Qrator Labs
 

Contenu connexe

Tendances

SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
Amazon Web Services
 
encryption and hash algorithms
encryption and hash algorithmsencryption and hash algorithms
encryption and hash algorithms
CARMEN ALCIVAR
 
Bab 5 media transmisi
Bab 5 media transmisiBab 5 media transmisi
Bab 5 media transmisi
EKO SUPRIYADI
 
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Cristiān Villegās
 
Pertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanwormPertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanworm
Roziq Bahtiar
 

Tendances (20)

Elastix, TLS, SRTP y OpenVPN
Elastix, TLS, SRTP y OpenVPNElastix, TLS, SRTP y OpenVPN
Elastix, TLS, SRTP y OpenVPN
 
Satellite communications
Satellite communicationsSatellite communications
Satellite communications
 
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
Konfigurasi Site-to-Site IPSec VPN Tunnel di Mikrotik menggunakan GNS3
 
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit ModeSetting up Cisco WSA Proxy in Transparent and Explicit Mode
Setting up Cisco WSA Proxy in Transparent and Explicit Mode
 
IDS and IPS
IDS and IPSIDS and IPS
IDS and IPS
 
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
Sistem Operasi Jaringan ( Analisis Kebutuhan Perangkat hardware & software se...
 
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
SPEKE-ing of Content Protection & DRM (MAE302) - AWS re:Invent 2018
 
encryption and hash algorithms
encryption and hash algorithmsencryption and hash algorithms
encryption and hash algorithms
 
Bab 5 media transmisi
Bab 5 media transmisiBab 5 media transmisi
Bab 5 media transmisi
 
Infrastruktur Mode Jaringan Wireless
Infrastruktur Mode Jaringan WirelessInfrastruktur Mode Jaringan Wireless
Infrastruktur Mode Jaringan Wireless
 
Session Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQSession Border Controllers - Top 10 FAQ
Session Border Controllers - Top 10 FAQ
 
Job 6 osilator colpitts dan hartley
Job 6 osilator colpitts dan hartleyJob 6 osilator colpitts dan hartley
Job 6 osilator colpitts dan hartley
 
TTNのご紹介_2023年版
TTNのご紹介_2023年版TTNのご紹介_2023年版
TTNのご紹介_2023年版
 
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)Conceptos y Protocolos de Enrutamiento (Capitulo 1)
Conceptos y Protocolos de Enrutamiento (Capitulo 1)
 
Mengenal PBX
Mengenal PBXMengenal PBX
Mengenal PBX
 
Prensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection toolPrensentation on packet sniffer and injection tool
Prensentation on packet sniffer and injection tool
 
Pertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanwormPertemuan09 virus,trojandanworm
Pertemuan09 virus,trojandanworm
 
Teknik pengkodean sinyal
Teknik pengkodean sinyalTeknik pengkodean sinyal
Teknik pengkodean sinyal
 
CCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRPCCNAv5 - S3: Chapter 7 EIGRP
CCNAv5 - S3: Chapter 7 EIGRP
 
Praktikum wireless
Praktikum wirelessPraktikum wireless
Praktikum wireless
 

En vedette

Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году
Qrator Labs
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
Great Bay Software
 

En vedette (17)

Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation ApproachesPseudo Random DNS Query Attacks and Resolver Mitigation Approaches
Pseudo Random DNS Query Attacks and Resolver Mitigation Approaches
 
Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году Состояние сетевой безопасности в 2016 году
Состояние сетевой безопасности в 2016 году
 
From Policy to Practice: Addressing and Routing in 2014 by Geoff Huston [APRI...
From Policy to Practice: Addressing and Routing in 2014 by Geoff Huston [APRI...From Policy to Practice: Addressing and Routing in 2014 by Geoff Huston [APRI...
From Policy to Practice: Addressing and Routing in 2014 by Geoff Huston [APRI...
 
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS AttacksDNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
DNSSEC: The Antidote to DNS Cache Poisoning and Other DNS Attacks
 
DNS Attacks
DNS AttacksDNS Attacks
DNS Attacks
 
Dns Amplification Zafiyeti
Dns Amplification ZafiyetiDns Amplification Zafiyeti
Dns Amplification Zafiyeti
 
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
2016년 4분기 주요 정보보안 소식 20170101 차민석_공개판
 
IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed IoT DDoS Attacks: the stakes have changed
IoT DDoS Attacks: the stakes have changed
 
The DNS Tunneling Blindspot
The DNS Tunneling BlindspotThe DNS Tunneling Blindspot
The DNS Tunneling Blindspot
 
Network Security in 2016
Network Security in 2016Network Security in 2016
Network Security in 2016
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Network tunneling techniques
Network tunneling techniquesNetwork tunneling techniques
Network tunneling techniques
 
Mirai botnet
Mirai botnetMirai botnet
Mirai botnet
 
MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?MIRAI: What is It, How Does it Work and Why Should I Care?
MIRAI: What is It, How Does it Work and Why Should I Care?
 
State of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of BotnetsState of the Internet: Mirai, IOT and History of Botnets
State of the Internet: Mirai, IOT and History of Botnets
 
IoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat LandscapeIoT - the Next Wave of DDoS Threat Landscape
IoT - the Next Wave of DDoS Threat Landscape
 
DDoS Attacks
DDoS AttacksDDoS Attacks
DDoS Attacks
 

Similaire à Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2015]

DMMS presentation25
DMMS presentation25DMMS presentation25
DMMS presentation25
Yuri Alimov
 
DMMS presentation29
DMMS presentation29DMMS presentation29
DMMS presentation29
Yuri Alimov
 

Similaire à Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2015] (20)

KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
DMMS presentation25
DMMS presentation25DMMS presentation25
DMMS presentation25
 
Drilling Down Into DNS DDoS
Drilling Down Into DNS DDoSDrilling Down Into DNS DDoS
Drilling Down Into DNS DDoS
 
SFMap (TMA 2015)
SFMap (TMA 2015)SFMap (TMA 2015)
SFMap (TMA 2015)
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf AliPLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
PLNOG15 :DDOS Attacks & Collateral Damage. Can we avoid it? Asraf Ali
 
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam ObszyńskiPLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
PLNOG14: DNS, czyli co nowego w świecie DNS-ozaurów - Adam Obszyński
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1Session for InfoSecGirls - New age threat management vol 1
Session for InfoSecGirls - New age threat management vol 1
 
ARW03o.ppt
ARW03o.pptARW03o.ppt
ARW03o.ppt
 
UDP Flood Attack.pptx
UDP Flood Attack.pptxUDP Flood Attack.pptx
UDP Flood Attack.pptx
 
DMMS presentation29
DMMS presentation29DMMS presentation29
DMMS presentation29
 
DDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL LeeDDOS Mitigation Experience from IP ServerOne by CL Lee
DDOS Mitigation Experience from IP ServerOne by CL Lee
 
SWIFT: Tango's Infrastructure For Real-Time Video Call Service
SWIFT: Tango's Infrastructure For Real-Time Video Call ServiceSWIFT: Tango's Infrastructure For Real-Time Video Call Service
SWIFT: Tango's Infrastructure For Real-Time Video Call Service
 
DevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network ArchitectDevOops - Lessons Learned from an OpenStack Network Architect
DevOops - Lessons Learned from an OpenStack Network Architect
 
Private cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austinPrivate cloud networking_cloudstack_days_austin
Private cloud networking_cloudstack_days_austin
 
DDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP InfrastructuresDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures
 
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
Unleash the Hammer on Denial-of-Service: Conquer DDos Attacks!
 
DrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoSDrupalCon Vienna 2017 - Anatomy of DDoS
DrupalCon Vienna 2017 - Anatomy of DDoS
 
Successes and Challenges of IPv6 Transition at APNIC
Successes and Challenges of IPv6 Transition at APNICSuccesses and Challenges of IPv6 Transition at APNIC
Successes and Challenges of IPv6 Transition at APNIC
 

Plus de APNIC

Plus de APNIC (20)

APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 

Dernier

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 

Dernier (20)

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 

Water Torture: A Slow Drip DNS DDoS Attack on QTNet by Kei Nishida [APRICOT 2015]

  • 1. Water Torture: A Slow Drip DNS DDoS Attack on QTNet Kei Nishida, Network Center Kyushu Telecommunication Network Co.,Inc
  • 2. 2 About QTNet • Company Name  Kyushu Telecommunication Network Co., Inc. (QTNet, for short)  Telecommunicasions carrier in Kyushu , Japan • Services  Wide-Area Ethernet  FTTH  Internet Access,VoIP,TV Q
  • 3. 3 What is Water Torture? • A type of Distributed denial-of-service attack to DNS Servers. • Authoritative DNS servers is the target of this attack. • However, as a side effect, Cache DNS Server(Internet service providers DNS server) ‘s load is increased. • Since January 2014, this attack has been reported around the world.  Attack is ongoing. January 2014 bps
  • 4. Overview of the Attack part 1 4 Open Resolvers Cache DNS Server Authoritative DNS Server (example.com) AttackerBotnets DNS Query abcdefg1.example.com abcdefg2. example.com abcdefg3. example.com and so on 1. the Attacker command his botnets. 2. So many bots send to send a small number of random queries to open resolvers(Customer Broadband routers). 3. Open resolvers send random queries to Cache DNS Server. 4. Cache DNS Servers send random queries to Authoritative DNS Server. 1. 2. 3. 4.
  • 5. Overview of the Attack part 2 5 • Authoritative DNS servers go down with many DNS queries which are sent by Cache DNS Servers(Internet service providers DNS servers) • Cache DNS Server(Internet Service providers DNS server) go down with many DNS queries which are sent by Open resolvers = customer broadband routers.
  • 6. QTNet Case -Overview 6 • From 29 May. 2014, queries from botnets grown up. • QTNet Cache DNS Server was effected by these traffic.  Alarm occurs the system resources of Cache DNS Server has reached the limit value.  Some customers informed that they could not access some web sites by their devices. • To Block the Attack, we tried some measures.
  • 7. QTNet Case -Traffic from Botnets 7 29 May 30 1 June31 • The areas which are colored indicate the specific botnet ip address. • 1/2 traffic was came from non specific botnet ip address. Traffic of 53 port destination from Internet to QTNet Network non specific specific
  • 8. QTNet Case -Traffic from Botnets 8 • Is a tendency of traffic has changed from June 14. Traffic of 53 port destination from Internet to QTNet Network non specific 10 Jun 11 12 13 14 15
  • 9. QTNet Case –Cache DNS Server 9
  • 10. QTNet Case –How to Block the Attack 1 10 • We put the zones which is target of attack on Cache DNS Servers. Like this. $TTL xxxxxx @ IN SOA localhost. localhost. ( 2014052900 ; Serial [yyyymmddhh] xxh ; Refresh[xxh] xxh ; Retry [xxh] xxd ; Expire [xxd] xxd ) ; Minimum[xxd] IN NS localhost. • Cache DNS Server could reply “NXDOMAIN” without contacting to Authoritative DNS Server. However,…  The zone of target was changed frequently.  Our operators had to monitor the attack and put the zones manually 24 hours a day.
  • 11. QTNet Case –How to Block the Attack 2 11 • We use the iptables module (hashlimit) on Cache DNS Servers.  The packets to the same authoritative DNS server from the cache DNS Server, setting a certain threshold by hashlimit.  The packets which are over the limits are rejected with icmp-port-unreachable message. So, Cache DNS Server can reply “SERVFAIL” without contacting to Authoritative DNS Server. Iptables Overview
  • 12. QTNet Case – Additional measures 12 • The fundamental problems are open resolvers and traffic from the botnets. • We are asking customers to update their broadband router’s firmware(so as not be open resolvers).
  • 13. QTNet Case – Additional measures 13 • We think IP53B.  Block the destination port 53(udp) traffic from the internet to QTNet customer(dynamic ip address only).
  • 14. Summary 14 • QTNet could block “Water Torture: A Slow Drip DNS DDoS Attack “ by iptables hashlimit module.  Operation of "allow list" is necessary. • The fundamental problems are open resolvers and traffic from the botnets. • Some vendors have released the DNS protocol base block functions, not Layer-3 base block. We are expecting that these functions goes well.
  • 15. References 15 • Yasuhiro Orange Morishita@JPRS: About Water Torture  http://2014.seccon.jp/dns/dns_water_torture.pdf (accessed Jun 7th 2015) • SECURE64 BLOG -Water Torture: A Slow Drip DNS DDoS Attack  https://blog.secure64.com/?p=377 (accessed Jun 7th 2015)