Denial of Service Attacks (Part 1): Open DNS Resolvers

Video Statistics and Information

Captions
Denial-of-service attacks happen when a given resource, say a web server on the Internet, is bombarded with bogus requests to the point where it becomes so saturated that it cannot respond to legitimate queries. So for example, that web server might be connected to the Internet (we can draw the Internet as a cloud) via a router, and that router may only have, let's say, a 10 gigabit per second port. Imagine a router that has a port that can handle 10 gigabits per second of traffic. In this situation, if somebody sent a continuous stream of traffic to that web server at a rate that exceeded 10 gigabits per second, then the server's available bandwidth would be used up dealing with this one source of traffic, and as a result the web server would not have any reserves left for handling legitimate queries, because it is being saturated by this bogus traffic.

The most straightforward way to mount such a denial of service attack is by having the attacker control a large number of systems on the Internet and then having those systems basically pummel the target system with traffic. Typically in these cases the systems that are doing the pummeling are part of a botnet; they're being controlled by the attacker as part of a botnet. Now that's one way to mount such an attack. It's not a cheap way, because you have to have access to all these botnet hosts when you mount the attack. It turns out, however, that some attackers have come up with more enterprising ways of mounting denial of service attacks that require fewer resources, and they can accomplish that aim via a very general purpose concept that we call amplification. The idea behind amplification is that the attackers find ways in which a small amount of work on their part can be amplified into a large amount of work on the part of the target; so the impact of a small amount of work is amplified in that sense.

One of the ways in which we can mount an amplification attack, or in other words one tactic for mounting such an attack, is by finding somewhere on the Internet a special kind of Domain Name System server, a DNS server, that has a specific property that I'm going to go into. What attackers are going to try to do is find a DNS server that's misconfigured, or configured, depending on how you want to view things, so that it accepts incoming queries from literally any system on the Internet. If you have such a DNS server that's set up to accept queries from anybody on the Internet, that type of DNS server is typically known in the technology parlance as an open resolver. It's called an open resolver for the following reason: it's open in the sense of openly responding to any query. These DNS servers respond to a query from any user anywhere in the world, and they resolve those queries. In contrast, a safer way to configure a DNS server, a safer practice, would be to set it up so that it can only respond to queries from very specific hosts. So for example, if the DNS server is being used in an enterprise setting, then it might make sense to configure it so that it only accepts and resolves queries from systems whose IP addresses are in the range associated with that enterprise or organization, rather than really just allowing queries from anybody under the sun. Hopefully that makes some sense.

Maybe I should take a brief segue to explain what I mean by resolve. A DNS server is essentially like a phone book for the Internet: it can translate a domain name like, let's say, sourcefire.com into an Internet Protocol or IP address, and with that IP address in hand, traffic from one source host can then be correctly routed to its intended destination over the Internet. That's DNS 101, and you can learn more about DNS through other resources.

Getting back to this particular video: denial of service attacks that use open resolvers for amplification basically work as follows. What the attacker is going to do is craft a very specific kind of DNS query to this open resolver, this open DNS server on the Internet. This query is going to be relatively small; let's say it's going to be in the tens of bytes in length. Now he's going to design this query so that it has a large response, and the reason for that is that you can design a query that requests, for example, all the DNS records associated with a particular zone. The zone file itself could then be quite large. For example, in addition to containing information about a particular name server, it might also contain information about a backup name server, or it might contain information about a mail server, or it could contain information about aliases. So you can see already quite a long list. There's also information about IPv4 addresses and IPv6 addresses, and information about DNSSEC keys, and so on and so forth. So you can quickly start to see that a single request might elicit a very healthy, or very lengthy, response if that request is appropriately crafted. It turns out that with the right query in place, the response, all this information that's contained in this zone file, can literally take up not just tens of bytes but potentially thousands of bytes. So it's going to be much, much bigger than the initial request.

In fact, if you work out the math, what typically happens is that the response size will be anywhere from, depending on how this is done, maybe thirty to fifty or perhaps even a hundred times bigger than the size of the initial request. So it's quite a large factor; there's a sizable gap between the query size and the response size, and this is really why we use the nomenclature of amplification to describe what's going on here: the tens of bytes have now been amplified into thousands of bytes.

Now that's the first aspect of the attack. To translate this amplification concept into an actual denial of service attack, the attacker is going to do the following: he's going to spoof, or forge, the IP address in the packet that he sends out. So for example, when he has a DNS query, it turns out that a DNS query is typically going to be sent to a DNS server over a protocol known as UDP, and somewhere in this protocol, in one of these packets, you have to send the Internet Protocol address that you're sending this data from. So typically, in a legitimate use case, this would be the IP address of the origin. For example, let's say this guy is located at the address 1.3.5.7; that would be the IP address included inside of this UDP packet in a legitimate case. However, what the attacker is going to do, instead of sending a legitimate IP address, is send the IP address that corresponds to the target. He's going to find out what this guy's IP address is, so maybe this guy has an IP address of 2.4.6.8, and the attacker is basically going to spoof the IP address in this packet: he's going to write the address 2.4.6.8 in here.

The reason you can do this is that DNS requests, as I mentioned earlier, are sent over a protocol known as UDP, or the User Datagram Protocol, and messages in this protocol really just go in one direction. There is no kind of back and forth handshake as you might see with a protocol like TCP, for example, and because there's no back and forth handshake there's no opportunity for the DNS server to really know if it's talking to the right person; it never has a chance to ascertain that information. As a result, the attacker can simply modify the source address, and the DNS server will think the packet was received from the victim. So instead of actually responding to the attacker, all this traffic is going to be sent to the victim instead; it's going to be sent to 2.4.6.8 instead of being sent to 1.3.5.7, simply because the DNS server thinks that it was 2.4.6.8 that was actually sending the initial request.

Now, to make matters worse, to exacerbate the situation: when a packet of data is too large, it can exceed what's known as the path maximum transmission unit, or the path MTU, and when you exceed the path MTU your data packets get fragmented into a bunch of smaller packets. So imagine that this one big packet gets fragmented into a bunch of smaller packets; these smaller packets will then all be sent eventually to the target web server, and the target web server has to take all these smaller packets and reassemble them into a single larger packet. That just adds to the complexity of what is executed on behalf of the target server. The amount of work the target server does increases that much more when you factor in the cost of reassembling packets.

Maybe one quick physical analogy might be appropriate. It's like imagining you are playing a prank on someone by calling a pizza delivery place, making a large order, and then giving them the address of the person you're actually playing the prank on. If the pizza place doesn't really verify the authenticity of the caller or employ any other security measures, let's say taking your credit card number, then the victim will receive an unexpected and large number of pizzas delivered to their house. Amplification attacks via DNS resolvers work on this same principle: a small initial request is used to generate a very extensive response, and by providing a fake IP address, this extensive response gets sent to the target rather than being sent back to the real origin, which was the attacker. Then by repeating this process, by making repeated requests, the attacker can quickly saturate the available bandwidth of a particular web server and thereby cause that server to deny service in response to subsequent legitimate requests.
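As an added example (not part of the video or Sourcefire's material), here is a small Python audit that a resolver operator could run over their query log to spot the misuse the transcript describes: clients outside the network the resolver is meant to serve, and the response-to-query amplification ratio per client. The log format with qlen/rlen byte counts, the 10.1.0.0/16 enterprise range and the sample lines are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not real data): one line per query with the
# query and response sizes in bytes. 2.4.6.8 plays the spoofed victim address
# from the transcript; the 10.1.x.x hosts are the enterprise's own clients.
SAMPLE_LOG = """\
2013-03-28T10:00:01 client=10.1.4.7 qname=example.com qtype=A qlen=45 rlen=120
2013-03-28T10:00:02 client=2.4.6.8 qname=example.com qtype=ANY qlen=40 rlen=3100
2013-03-28T10:00:02 client=2.4.6.8 qname=example.com qtype=ANY qlen=40 rlen=3100
2013-03-28T10:00:03 client=10.1.4.9 qname=mail.example.com qtype=MX qlen=50 rlen=190
2013-03-28T10:00:03 client=2.4.6.8 qname=example.com qtype=ANY qlen=40 rlen=3100
"""

def parse_line(line):
    """Turn the 'key=value' fields after the timestamp into a dict."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if key in ("qlen", "rlen") else value
    return rec

def audit(log_text, allowed_net, amp_threshold=30):
    """Per client: query count, ANY-query count, amplification ratio
    (response bytes / query bytes), whether the client lies outside the
    network this resolver should serve, and a combined 'suspicious' flag."""
    net = ipaddress.ip_network(allowed_net)
    per_client = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats = per_client[rec["client"]]
        stats["queries"] += 1
        stats["qbytes"] += rec["qlen"]
        stats["rbytes"] += rec["rlen"]
        if rec["qtype"] == "ANY":
            stats["any"] += 1
    report = {}
    for client, stats in per_client.items():
        ratio = stats["rbytes"] / stats["qbytes"]
        outside = ipaddress.ip_address(client) not in net
        report[client] = {
            "queries": stats["queries"],
            "any_queries": stats["any"],
            "amplification": round(ratio, 1),
            "outside_allowed": outside,
            "suspicious": outside and ratio >= amp_threshold,
        }
    return report
```

A resolver that shows outside-range clients at all is an open resolver; the fix is restricting recursion to the enterprise range, and the amplification column shows which of those clients are being served the large responses the talk warns about.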
Info
Channel: Sourcefire
Views: 20,254
Rating: 4.8620691 out of 5
Keywords: spamhaus, Denial of Service, ddos, dos attack, open DNS resolvers, DNS attack, ddos attacks, open dns
Id: Ajw79kWMYkY
Length: 12min 11sec (731 seconds)
Published: Thu Mar 28 2013