IoT DDoS DNS (jaeseog@sherpain.net) (www.sherpain.net)
DDoS DNS DDoS /
DDoS (Distributed DoS)? Bots connect to a C&C to create an overlay network (botnet). The botnet master connects to the controller and issues the attack command; the infected systems (bots on broadband and corporate networks in Asia, Japan, Europe and the US) then attack the target across the Internet backbone.
DDoS (source: akamai)
Commoditized DDoS attack services
IoT DDoS
IoT DDoS: the dyn attack. The Mirai botnet turns IoT devices into zombies.
-. default user/password, TCP 23/2323 port
-. rebooting clears the malware
Mirai botnet DDoS attack types:
-. SYN flooding
-. UDP flooding
-. VSE query flooding
-. GRE flooding
-. ACK flooding
-. Water Torture attack
-. HTTP GET, POST, HEAD attack
-. spoofed-IP DDoS
-. source code released
DNS (Domain Name Server): resolves a domain name such as www.example.com to an IP address; the namespace is hierarchical.
DNS (Domain Name Server): DNS Query Header Format & Query Type
Header (12 bytes), two 16-bit fields per row (bits 0-15 | bits 16-31):
  identification           | flags
  number of questions      | number of answer RRs
  number of authority RRs  | number of additional RRs
The question follows the header: query name, query type, query class.
Query types:
  type   value  function
  A        1    IPv4 address
  NS       2    name server
  CNAME    5    canonical name
  PTR     12    pointer record
  MX      15    mail exchange record
  TXT     16    readable information
  AAAA    28    IPv6 address
  ANY    255    all records
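As an added example (not from the slides), a parser for the header and question section laid out above; it decodes the six 16-bit header fields and the query name/type/class, maps the type value through the slide's table, and flags TXT and ANY queries, the types the later reflection/amplification slides rely on. The build_query helper and the sample name are constructed here only to exercise the parser.

```python
import struct

# Query type values from the slide's table (value -> type name)
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA", 255: "ANY"}

# Types whose answers are large or variable and so favoured for reflection/amplification
AMPLIFICATION_TYPES = {"TXT", "ANY"}


def parse_name(data, offset):
    """Decode a label sequence starting at offset; returns (name, offset after the root label).
    Compression pointers are not handled: they do not occur in a query's question name."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(data):
    """Parse the 12-byte header and the first question of a DNS query message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    name, offset = parse_name(data, 12)
    qtype, qclass = struct.unpack("!2H", data[offset:offset + 4])
    return {"id": ident, "flags": flags, "counts": (qd, an, ns, ar),
            "qname": name, "qtype": QTYPES.get(qtype, str(qtype)), "qclass": qclass}


def build_query(ident, name, qtype):
    """Constructed helper: encode a minimal query with only the RD flag (0x0100) set."""
    header = struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)


def is_amplification_candidate(query):
    """True when the query asks for a type that yields oversized answers (TXT, ANY)."""
    return query["qtype"] in AMPLIFICATION_TYPES
```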
DNS (Domain Name Server): resolving www.naver.com. The host sends a resolution request for www.naver.com to the resolver (recursive query). The resolver then issues iterative queries: to the root, then to ns.com (the server responsible for com), to ns.naver.com (responsible for naver.com) and to ns.g.naver.com (responsible for g.naver.com), which returns the IP address of www.g.naver.com; the resolver hands that IP address back to the host. Recursive query vs. iterative query.
Simple Flooding: ICMP, UDP Flooding -. aimed at DNS. Diagram: a "much BIGGER attack" arrives from the transit ISP (10G) at ISP A's GE access router; "6 Mbps DDoS - teeny tiny attack - well, to Transit ISP, not ISP A"; collateral damage for ISP A, target gone; "1M attack". Fragmented Flooding -. fragmented packets exhaust DNS resources.
Simple Flooding: DNS Query Flooding -. FQDN queries exhaust DNS resources. Zombie PCs send the same query (www.sherpain.net) over and over to the authoritative server (sherpain.net); or zombie PCs send queries for many different names (www.sherpain.net, www.naver.com, www.daum.net, www.hani.co.kr, ...).
DNS Reflection/Amplification: the attacker hacks an authoritative server (sherpain.net) and puts a large garbage record in it, then commands the botnet to attack. Each of n bots sends a TXT or ANY type query to a recursive DNS server (192.168.1.109) with the source address spoofed to the victim (192.168.1.122); the recursive (caching) server resolves the name through the root and net domains once, then answers each query with the large TXT record, so n queries become n amplified replies delivered to the victim.
DNS Water Torture Attack: the attacker commands the botnet; n bots send random subdomain queries (abc.sherpain.net, xysdfsd.sherpain.net, ssdfsdf.www.sherpain.net, 12120sher.sherpain.net, www.www.sherpain.net, ...), spoofed or non-spoofed, to recursive DNS servers, which forward them to the authoritative servers (sherpain.net, sherpain_networks.net, sherpa-in.net).
Phantom Domain Attack: the attacker makes phantom domains (phantom, phantom1, phantom2, phantom3, ..., phantomxxxx) whose servers never answer the question; the root server does answer ("phantom.com is 1.2.3.4"). The botnet is commanded to query www.phantom.com, www.phantom1.com, www.phantom2.com, www.phantom3.com, ..., www.phantomxxxx.com through the recursive DNS server, which is left waiting on the phantom domain servers.
DDoS countermeasures: Out-of-Path vs. Inline
-. Out-of-Path: DDoS (diagram: IX #1, IX #2, Sinkhole, DDoS L4)
-. Inline: L7 DDoS / DNS ACL in front of the DNS Server Farm
IoT
Spoofing
Zombie PC (?) NXDOMAIN querier
DNS DDoS countermeasures: Out-of-Path + In-line
-. OOP: DDoS (diagram: Netflow/sflow at IX #1 and IX #2, DDoS Sinkhole, DDoS L4)
-. In-line: in front of the DNS Server Farm
Q & A: jaeseog@sherpain.net