Figure 1: DNS Amplification Variation Used in Recent DDoS Attacks (Update) |
Figure 2: The DDoS That Knocked Spamhaus Offline (And How We Mitigated It) |
DDoS describes how the sFlow monitoring standard can be used to rapidly detect and mitigate DDoS attacks on the target (victim) network. This article will examine how data centers that may be inadvertently hosting open DNS servers can use sFlow to identify servers participating in amplification attacks.
A hosting service provider has very little control over the services running on the physical and virtual servers running in the data center, and while one might hope that the customers carefully configure and monitor their DNS servers, the reality is that there are many openly accessible DNS servers. Using the network switches to monitor DNS operations is an attractive option, offering an agentless method of detecting and monitoring DNS servers wherever they are in the data center.
The sFlow standard is well suited to this task:
- sFlow is widely supported in physical and virtual switches
- sFlow is embedded within switch hardware and can be enabled in high traffic production networks without impacting performance.
- sFlow is scaleable, a single software analyzer can monitor hundreds of switches and tens of thousands of switch ports to deliver network wide visibility
- sFlow exports packet headers, allowing sFlow analysis software to perform deep packet inspection and report on DNS operations.
The following DNS attributes are extracted from the sFlow packet samples and can be included in flow definitions, or as filters:
Description | Name | Example |
---|---|---|
request=false, response=true | dnsqr | false |
op code | dnsopcode | 0 |
authoritative answer | dnsaa | false |
truncated | dnstc | false |
recursion desired | dnsrd | false |
recursion available | dnsra | true |
reserved | dnsz | 0 |
response code | dnsrcode | 0 |
number of entries in question | dnsqdcount | 1 |
number of entries in answer | dnsancount | 0 |
number of entries in name server section | dnsnscount | 0 |
number of entries in resources section | dnsarcount | 0 |
domain name in query | dnsqname | yahoo.com. |
query type code | dnsqtype | 15 |
query type name | dnsqtypename | MX(15) |
query class | dnsqclass | 1 |
The following flow definitions were created using sFlow-RT's embedded scripting API:
// track DNS query types setFlow('dnsqueries', {keys:'dnsqtypename',value:'frames',filter:'dnsqr=false',t:20}); // track DNS query domains for ANY(15) queries setFlow('dnsqany', {keys:'dnsqname', value:'frames', filter:'dnsqr=false&dnsqtype=255',t:20}); // track total DNS request rate for ANY(15) queries setFlow('dnsqanytot', {value:'frames', filter:'dnsqr=false&dnsqtype=255',t:20});Alternatively, the flow definitions can be specified by making calls to the REST API using cURL:
curl -H "Content-Type:application/json" -X PUT --data "{keys:'dnsqtypename', value:'frames', filter:'dnsqr=false',t:20}" http://localhost:8008/flow/dnsqueries/jsonUsing the script API has a number of advantages: it ensures that flow definitions are automatically reinstated on a system restart, makes it easy to generate trend charts (for example the graphite() function sends metrics to Graphite for integration in performance dashboards) and to automate the response when DNS anomalies are detected (for example, using the syslog() function to send an alert or http() to access a REST API on a device or SDN controller to block the traffic)
The table above (http://localhost:8008/activeflows/ALL/dnsqueries/html?aggMode=sum) shows a continuously updating, real-time, view of the top DNS queries - a bit like the Linux top command, but applied to the active flows. The table shows that the fourth most frequent query is the ANY(255) query type.
The ANY(15) query is often used for DNS amplification attacks since it asks the name server for all the records within the domain, resulting in a large response that amplifies the traffic in the attack.
The above chart (http://localhost:8008/activeflows/ALL/dnsqany/html?aggMode=sum) looks at the domain names being queried by the ANY(15) queries. Domain names in the list are known to be associated with DNS amplification attacks, see DNS Amplification Attacks Observer, so it appears that there are open DNS servers being used to amplify DNS attacks in this data center.
The trend chart above (http://localhost:8008/metric/ALL/sum:dnsqanytot/html) looks at the overall level of ANY(15) requests in the data center. The trend is increasing as a new DNS amplification attack is launched.
There are a number of more detailed flow definitions that can be created:
- identify the open name servers: include ipdestination in the flow definition
- identify target of the attack: include ipsource in the flow definition
- identify target country: include sourcecountry in the flow definition
- identify compromised hosts: include macsource in the flow definition
Figure 3: Performance aware software defined networking |
While this example focused on a data center hosting DNS servers, a similar approach could be used to monitor campus networks. Detecting hosts that are spoofing their source addresses and generating suspect DNS requests is a useful signature for identifying compromised hosts. In this case, the SDN controller would respond by isolating the compromised system from the rest of the network.
DNS amplification attacks are a serious problem that is difficult to address because the attacker is two steps removed from their victims (hidden behind compromised hosts and open DNS servers). DNS amplification attacks have limited impact on the intermediate networks and may go unnoticed, even though the combined effect of all the traffic arriving at the target network can be devastating. Software defined networking offers the promise of intelligent networks that can automatically respond the changing traffic conditions and security threats, providing a way to share and automate best practices and reducing operating costs to the point where intermediate networks can play a larger role in reducing the impact of these attacks.