amplification attacks
Matsuzaki Yoshinobu <maz@iij.ad.jp>
2006/07/14
Copyright (C) 2006 Internet Initiative Japan Inc.

What is an amplification attack?
- An attack that uses DNS queries with a forged source address
- Fills the victim's bandwidth; similar to smurf attacks
- Attack elements: IP spoofing + amp (an amplifier)

IP spoofing + amp
IP spoofing
- DNS queries whose source IP address is forged to the victim's address, so that the reflected reply packets go to the victim
amp
- UDP (easy to abuse: no handshake, so the forged source address is never checked)
- Large amplification factor, =~ 60
- The load is distributed across many resolvers (DNS caches)

Reflection
Sender --> reflector: IP spoofed packet (src: victim, dst: reflector)
reflector --> victim: reply packet (src: reflector, dst: victim)

Amplification
1. multiple replies: one query from the Sender triggers several reply packets
2. bigger reply: the reply packet is much larger than the query

Amplification (example)
Sender query: ANY? xxx.example.com
Reply: xxx.example.com IN TXT XXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXX ... (large TXT data; the slide shows eight rows of X)

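To make the "=~ 60" factor concrete, the following Python code is an added example (not from the slides) that builds a minimal DNS ANY query and a reply carrying large TXT records in wire format, then compares their sizes including IPv4 and UDP headers. The name xxx.example.com is taken from the slide; the eight 450-byte TXT strings and the 1500-byte MTU are constructed values chosen to reproduce the slide's figures (=~60-byte query, =~4000-byte fragmented reply). It is a risk-estimation tool for a zone operator, not a traffic generator.

```python
import struct

# Bytes on the wire outside the DNS message: IPv4 header (20) + UDP header (8).
IP_UDP_HEADER_BYTES = 20 + 8
TYPE_TXT, TYPE_ANY, CLASS_IN = 16, 255, 1
ETHERNET_MTU = 1500  # constructed assumption for the fragmentation check


def encode_name(name):
    """Encode a dotted hostname in DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=TYPE_ANY, txid=0x1234):
    """A minimal DNS query: 12-byte header (RD set) plus one question.
    Real queries able to receive >512-byte UDP answers also carry an
    11-byte EDNS0 OPT record; it is omitted to match the slide's =~60 bytes."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question


def build_txt_response(qname, txt_strings, txid=0x1234, ttl=3600):
    """A DNS answer with one TXT RR per entry in txt_strings. Each RR's owner
    name is a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_ANY, CLASS_IN)
    answers = b""
    for text in txt_strings:
        # TXT rdata is a sequence of <length><bytes> strings of at most 255 bytes each.
        chunks = [text[i:i + 255] for i in range(0, len(text), 255)]
        rdata = b"".join(bytes([len(c)]) + c for c in chunks)
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + answers


def amplification(query, response):
    """Return (query bytes on the wire, reply bytes on the wire, amplification factor)."""
    q = len(query) + IP_UDP_HEADER_BYTES
    r = len(response) + IP_UDP_HEADER_BYTES
    return q, r, r / q


def is_fragmented(wire_bytes, mtu=ETHERNET_MTU):
    """True if an IPv4 datagram of this size cannot travel in one MTU-sized frame."""
    return wire_bytes > mtu


# Constructed example: the slide's name with eight large TXT records.
SAMPLE_QNAME = "xxx.example.com"
SAMPLE_TXT = [b"X" * 450] * 8

if __name__ == "__main__":
    q, r, factor = amplification(build_query(SAMPLE_QNAME),
                                 build_txt_response(SAMPLE_QNAME, SAMPLE_TXT))
    print(f"query {q} bytes, reply {r} bytes, factor {factor:.1f}, fragmented={is_fragmented(r)}")
```

With these inputs the query is 61 bytes on the wire and the reply 3773 bytes, a factor of about 62; the reply exceeds the MTU and so is IP fragmented, exactly the shape shown in the later "view of" slides. Running the same calculation over a real zone's largest records shows how much amplification that zone offers.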
Amplification attack
Attacker --> amplifiers: IP spoofed queries (src: victim)
amplifiers --> victim: replies

Relationships in the attack
Actors: Command&Control, botnet, stub-resolvers, full-resolvers, root-servers, tld-servers, example-servers, victim
Command&Control --> botnet
botnet --> stub-resolvers / full-resolvers: IP spoofed queries
full-resolvers --> root-servers, tld-servers, example-servers: resolution of the queried name
stub-resolvers / full-resolvers --> victim: replies

View of bot #1
bot #1 --> Internet: overload, congestion
queries
  size: =~60 bytes
  src IP: victim (IP spoofed)
  dst IP: various (amp)
  protocol: udp
  src port: various
  dst port: 53
  QR: standard query
  QNAME: (specific one)

View of bot #2 (a bot behind a NAT box)
query before NAT (bot #2 --> NAT Router)
  src IP: victim (IP spoofed)
  dst IP: various (amp)
query after NAT (NAT Router --> Internet)
  src IP: NAT Router
  dst IP: various (amp)
reply (Internet --> NAT Router)
  src IP: various (amp)
  dst IP: NAT Router
The NAT rewrites the forged source address to its own, so the replies come back to the NAT router: NAT table overflow, generation of ICMP unreachable

View of stub-resolver
queries (victim / bot#2(nat) --> stub-resolver)
  size: =~60 bytes
  src IP: victim, bot#2(nat)
  dst IP: stub-resolver
  QNAME: (specific one)
stub-resolver --> Internet: overload, congestion
If the stub-resolver has no cache function, every query is forwarded to the full-resolver
replies (stub-resolver --> victim / bot#2(nat))
  size: =~4000 bytes (IP fragmented)
  src IP: stub-resolver
  dst IP: victim, bot#2(nat)
  QNAME: (specific one)

View of full-resolver
queries (victim / bot#2(nat) / stub-resolvers --> full-resolver)
  size: =~60 bytes
  src IP: victim, bot#2(nat), stub-resolver
  dst IP: full-resolver
  QNAME: (specific one)
full-resolver --> Internet: overload, congestion
If the RR's TTL is short, the number of queries to the content servers (root-servers, tld-servers, example-servers) increases
replies (full-resolver --> victim / bot#2(nat) / stub-resolvers)
  size: ~4000 bytes (IP fragmented)
  src IP: full-resolver
  dst IP: victim, bot#2(nat), stub-resolver
  QNAME: (specific one)

View of victim
Internet --> victim: congestion
replies
  size: =~4000 bytes (IP fragmented)
  src IP: full-resolvers, stub-resolvers
  dst IP: victim

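From the resolver operator's side, the "view of stub-resolver" and "view of full-resolver" slides describe a log pattern that can be detected: recursive queries whose client address lies outside the networks the resolver is meant to serve (with a spoofed source, the logged "client" is the victim), and one QNAME hammered with type ANY. The following Python code is an added example, not part of the slides; the BIND-9-style query log lines, the served prefixes 10.0.0.0/8 and 198.51.100.0/24, and the threshold of 5 are all constructed for illustration.

```python
import re
import ipaddress
from collections import Counter

# Constructed BIND-9-style query log lines:
# "client <ip>#<port>: query: <qname> IN <qtype> <flags>"
# A leading "+" in the flags means the query asked for recursion (RD bit set).
SAMPLE_LOG = """
client 10.1.2.3#1025: query: www.example.net IN A +
client 192.0.2.10#53: query: xxx.example.com IN ANY +
client 192.0.2.10#53: query: xxx.example.com IN ANY +
client 198.51.100.7#2048: query: mail.example.net IN MX +
client 192.0.2.10#53: query: xxx.example.com IN ANY +
client 203.0.113.5#3000: query: example.org IN A -
client 192.0.2.10#53: query: xxx.example.com IN ANY +
client 192.0.2.10#53: query: xxx.example.com IN ANY +
client 192.0.2.10#53: query: xxx.example.com IN ANY +
not a query line
""".strip().splitlines()

LOG_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>[+-]\S*)"
)


def parse_line(line):
    """Return the fields of one query log line, or None for lines that are not queries."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def find_amplification_abuse(lines, served_prefixes, threshold=5):
    """Flag two symptoms of a resolver being used as an amplifier:
    - recursive (RD) queries from addresses outside the prefixes this resolver
      should serve, i.e. open recursion in use, with the victim as 'client';
    - a single QNAME queried with type ANY at high rate.
    Returns the (src, qname) pairs and the qnames at or over the threshold."""
    networks = [ipaddress.ip_network(p) for p in served_prefixes]
    outside_rd = Counter()
    any_by_name = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        if rec["flags"].startswith("+") and not any(src in net for net in networks):
            outside_rd[(rec["src"], rec["qname"])] += 1
        if rec["qtype"] == "ANY":
            any_by_name[rec["qname"]] += 1
    return {
        "open_recursion_abuse": {k: n for k, n in outside_rd.items() if n >= threshold},
        "any_query_hotspots": {k: n for k, n in any_by_name.items() if n >= threshold},
    }


if __name__ == "__main__":
    for kind, hits in find_amplification_abuse(SAMPLE_LOG, ["10.0.0.0/8", "198.51.100.0/24"]).items():
        print(kind, hits)
```

On the constructed log the only hit in both categories is xxx.example.com from 192.0.2.10, the address the resolver is answering with =~4000-byte replies; the non-recursive query from 203.0.113.5 is not counted, because a resolver that is authoritative for something must still answer non-recursive queries from anyone. Such a finding is the cue to restrict recursion to the served prefixes, as the countermeasure slides recommend.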
Countermeasures
Attacker --> resolvers: IP spoofed dns queries
  Discard IP spoofed packets = Source Address Validation
resolvers --> victim: dns replies
  Discard recursive queries from outside = Disable Open Recursive

Disable Open Recursive
There are many resolvers acting as open relays:
- ISP servers
- servers of individual organizations
- some "somewhat clever" network appliances

Source Address Validation
BCP38/RFC2827:
"All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses..."

The case of IIJ/AS2497
IIJ has deployed Source Address Validation on all of its connectivity services
http://www.iij.ad.jp/pressrelease/2006/0308.html
IIJ implements Source Address Validation with uRPF and ACLs

IIJ's basic policy
Neighbors of IIJ/AS2497: peer ISPs, upstream ISPs, ISP customers, single-homed static customers, multi-homed static customers
Each kind of neighbor link gets either uRPF strict mode or uRPF loose mode

Cisco uRPF configuration
uRPF strict mode
  interface GigabitEthernet0/0
   ip verify unicast source reachable-via rx
uRPF loose mode
  interface GigabitEthernet0/0
   ip verify unicast source reachable-via any

Juniper uRPF configuration
uRPF strict mode
  interfaces {
      ge-0/0/0 {
          unit 0 {
              family inet {
                  rpf-check;
              }
          }
      }
  }
uRPF loose mode
  interfaces {
      ge-0/0/0 {
          unit 0 {
              family inet {
                  rpf-check {
                      mode loose;
                  }
              }
          }
      }
  }

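The difference between "reachable-via rx" / rpf-check (strict) and "reachable-via any" / mode loose, and why the policy slide assigns them by neighbor type, can be checked with a small simulation. The Python code below is an added example, not part of the slides and not IIJ's configuration; the forwarding table, interface names and addresses are constructed, and treating the default route as non-matching unless allow_default is set (the behaviour Cisco selects with the allow-default keyword) is an assumption of this example.

```python
import ipaddress

# Constructed forwarding table for a router in the position of IIJ on the policy
# slide: (prefix, egress interface). ge-0/0/0 faces upstream and peer ISPs; the
# other ports face customers.
SAMPLE_FIB = [
    ("0.0.0.0/0", "ge-0/0/0"),        # default route toward upstream
    ("192.0.2.0/24", "ge-0/0/0"),     # the victim's network, reached via upstream
    ("198.51.100.0/24", "ge-0/0/1"),  # single-homed static customer
    ("203.0.113.0/24", "ge-0/0/0"),   # multi-homed customer; prefix currently best via its other ISP
]


class Fib:
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns (network, egress interface) or None."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_accept(fib, src, ingress, mode, allow_default=False):
    """Decide whether a packet with source src arriving on ingress passes uRPF.
    strict (reachable-via rx): the best route to src must point back out the ingress interface.
    loose  (reachable-via any): any route to src is enough.
    The default route only counts when allow_default is set (assumption, see lead-in)."""
    route = fib.lookup(src)
    if route is None:
        return False
    net, egress = route
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    if mode == "strict":
        return egress == ingress
    raise ValueError("mode must be 'strict' or 'loose'")


def evaluate(fib):
    """Run the scenarios from the slides and return which packets are accepted."""
    return {
        "customer legit strict": urpf_accept(fib, "198.51.100.7", "ge-0/0/1", "strict"),
        "spoofed victim strict": urpf_accept(fib, "192.0.2.10", "ge-0/0/1", "strict"),
        "spoofed victim loose": urpf_accept(fib, "192.0.2.10", "ge-0/0/1", "loose"),
        "unrouted source loose": urpf_accept(fib, "100.64.0.1", "ge-0/0/1", "loose"),
        "multihomed strict": urpf_accept(fib, "203.0.113.9", "ge-0/0/2", "strict"),
        "multihomed loose": urpf_accept(fib, "203.0.113.9", "ge-0/0/2", "loose"),
    }


if __name__ == "__main__":
    for scenario, accepted in evaluate(Fib(SAMPLE_FIB)).items():
        print(f"{scenario:24s} {'accept' if accepted else 'drop'}")
```

The results show the trade-off behind the policy slide: strict mode drops the spoofed DNS query carrying the victim's address from the single-homed customer, but it would also drop legitimate packets from the multi-homed customer whenever the return route points elsewhere, so that link gets loose mode; loose mode still stops sources with no route at all, but passes a spoofed address that is routable, which is why strict mode is used wherever the topology allows it.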
Developments elsewhere
RIPE IP Anti-Spoofing Task Force
- Surveying the situation in the EU region
- Writing and publishing a document
- Exploring ways for the RIRs to promote anti-spoofing deployment

References
AL-1999.004 DoS attacks using the
  http://www.auscert.org.au/render.html?it=80
The Continuing DoS Threat Posed by Recursion
  http://www.us-cert.gov/reading_room/-recursion033006.pdf
SAC008 Distributed DDoS Attacks
  http://www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf