Dealing with DNS packet floods

Transcript

1. Dealing with DNS packet floods Marek Majkowski

2. 1. Network mitigations 2. All about dropping 3. Automation 2

3. Everyone gets flooded 3 Dec 2014 - dnsim ple Aug

   2012 - AT&T Dec 2010 - W ikileaks Dec 2014 - 1&1 Jul 2013 - Netw ork solutions M ay 2014 - UltraDNS Sep 2013 - EasyDNS

4. Usual traffic 4 pps 7 days →

5. Flood traffic 5 pps 7 days →

6. CF as authoritative DNS 6 DNS recursor Visitor CloudFlare Authoritative

   DNS

7. What hits us ! ! ! ! • DNS requests

   (pps) • SYN floods (bps) • Hit and run (TR / SLIP may not work) 7 ! $ dig example.com NS! ! ;; QUESTION SECTION:! ;example.com.! ! IN! NS! ! ;; ANSWER SECTION:! example.com.!21599! IN! NS! paul.ns.cloudflare.com.! example.com.!21599! IN! NS! emma.ns.cloudflare.com.!

8. Chapter 1 Network mitigation 8

9. Let’s talk about the scale 9 congestion 10M pps 6M

   pps 1.2M pps 0.3M pps

10. upstream: capacity game 10 upstream congestion more ports, null, topology

    ip 10M pps 6M pps 1.2M pps 0.3M pps

11. Topology: anycast 11

12. Topology: handle the null 12 example.com foo.com bar.com one.ns.cloudflare.com two.ns.cloudflare.com

    three.ns.cloudflare.com four.ns.cloudflare.com

13. New trend ! • “foo01.com”, “foo02.com”, “foo03.com” • Flood against

    all domains start at the same time • Beware of allocation of name servers 13

14. Scale: router 14 upstream congestion more ports, null, topology ip

    router 10M pps ECMP, flowspec ip,proto, length 6M pps 1.2M pps 0.3M pps

15. ECMP: spread it out 15 ECMP router dst ip: 1.2.3.4

    server #1 server #2 server #3 hash % 2 hash % 1 hash % 3

16. Flowspec ! ! ! • router-based, centrally managed firewall •

    uses BGP as transport • patchy vendor support, patchy ipv6 support • coarse grained, can’t inspect payload 16

17. Scale: DNS server 17 upstream congestion more ports, null, topology

    ip router 10M pps ECMP, flowspec ip, proto, length, 6M pps 1.2M pps DNS server 0.3M pps selective drops, just handle full payload

18. DNS server • Linux network stack is “slow” (??k pps

    per core) • No point in dropping - most of the work is to receive and parse the packet • We had rules, but weren’t too effective • Bind to specific IPs 1.2.3.4:53, not to 0.0.0.0:53 • (RRLs is another subject) 18

19. Scale: Iptables traditional 19 upstream congestion more ports, null, topology

    ip router 10M pps ECMP, flowspec ip, proto, length, 6M pps kernel 1.2M pps iptables traditional ip,proto, length, ! fixed offset bits DNS server 0.3M pps selective drops, just handle full payload

20. Iptables u32 • u32 module is well known • Hard

    to use and error prone • Well documented to use in DNS 20 ! iptables -m u32 —u32 \! ”6&0xFF=0x6 && 4&0x1FFF=0 && 0>>22&0x3C@4=0x29”!

21. Iptables BPF • BPF is better, more generic • Does

    fairly complex, yet fast matching 21

22. Scale: Iptables BPF 22 upstream congestion more ports, null, topology

    ip router 10M pps ECMP, flowspec ip, proto, length, 6M pps kernel 1.2M pps iptables bpf full payload DNS server 0.3M pps selective drops, just handle full payload

23. Chapter 2 Why dropping in BPF works 23

24. Tcpdump expressions • Originally: • Now: cls_bpf, seccomp-bpf, etc •

    xt_bpf implemented in 2013 by Willem de Bruijn • Need to deal with BPF byte code • Tools around it are scarce (tcpdump expressions) 24 ! ./iptables -A OUTPUT -m bpf --bytecode '6,40 0 0 14, 21 0 3 2048,48 0 0 \! 0 1 20,6 0 0 96,6 0 0 0,' -j! ! (as generated by tcpdump -i any -ddd ip proto 20 | tr '\n' ',')! tcpdump -n “udp and port 53”

25. 25 $ ./bpfgen -o 14 -s dns -- *.example.com! ldx

    4*([14]&0xf)! ; l3_off(14) + 8 of udp + 12 of dns! ld #34! add x! tax! ; a = x = M[0] = offset of first dns query byte! ; st M[0]! ! lb_0:! ; ldx M[0]! ; Match: *! ldb [x + 0]! add x! add #1! tax! ; Match: 076578616d706c6503636f6d00 '\x07example\x03com\x00' mask=00000000000000000000000000! ld [x + 0]! jneq #0x07657861, lb_1! ld [x + 4]! jneq #0x6d706c65, lb_1! ld [x + 8]! jneq #0x03636f6d, lb_1! ldb [x + 12]! jneq #0x00, lb_1! ret #1! ! lb_1:! ret #0! $ ./bpfgen -o 14 dns -- *.example.com! 18,177 0 0 14,0 0 0 34,12 0 0 0,7 0 0 0,80 0 0 0,12 0 0 0,4 0 0 1,7 0 0 0,64 0 0 0,21 0 7 124090465,64 0 0 4,21 0 5 1836084325,64 0 0 8,21 0 3 56848237,80 0 0 12,21 0 1 0,6 0 0 1,6 0 0 0,!

26. BPF bytecode • Open source: • https://github.com/cloudflare/bpftools • Can match

    various patterns: • *.example.com • ??.example.com • *{1-4}.example.com • —case-insensitive *.example.com • —invalid-dns 26

27. Just DROP. 27

28. • Valid traffic ! ! • Indirect floods, using recursors

    ! ! • Direct floods, spoofing source IP What hits AUTH 28

29. What should AUTH do 29 traffic category scale perfect action

    real traffic,! valid requests 1K pps answer indirect flood,! using recursors 200K pps answer spoofed packets 100M pps drop

30. What should AUTH do 30 traffic category scale perfect action

    real traffic,! valid requests 1K pps answer real users indirect flood,! using recursors 200K pps answer some users, maybe spoofed packets 100M pps drop no users

31. Spot fake packets • “your heart condition?.foo.com” • “www.foo.com,foo.com” •

    “http://foo.com” • “ubhcbattr.foo.qdedezsbm.gov.foo” • “www.foo.com” • “avhiwhun.www.foo.com” • “xtnqafzfb.foo.com” 31

32. Spot fake packets • “your heart condition?.foo.com” • “www.foo.com,foo.com” •

    “http://foo.com” • “ubhcbattr.foo.qdedezsbm.gov.foo” • “www.foo.com” • “avhiwhun.www.foo.com” • “xtnqafzfb.foo.com” 32 ← spoofed ← spoofed ← spoofed ← 99% spoofed ← likely spoofed ← may be real ← may be real

33. More selectors • Anycast helps • Blacklisting non-regional IPs •

    Whitelisting valid recursor IPs • Unusual EDNS • Correlation in IP TTL • Correlation in IP ID • Unusual upper/lower case 33

34. Managing the impact 34 traffic category scale perfect action *.example.com

    ! - whitelist! (ratelimited) *.example.com ! - whitelist *.example.com real traffic,! valid requests 1K pps answer answer answer drop indirect flood,! using recursors 200K pps answer some dropped drop drop spoofed packets 100M pps drop drop drop drop

35. Scale: Iptables is slow 35 upstream congestion more ports, null,

    topology ip router 10M pps ECMP, flowspec ip, proto, length, 6M pps kernel 1.2M pps iptables bpf full payload DNS server 0.3M pps selective drops, just handle full payload

36. Floodgate 36 Network card RX Queue #1 RX Queue #2

    RX Queue #N RX Queue #? CPU #1 CPU #2 CPU #N user space Ethernet

37. Scale: Floodgate 37 upstream congestion more ports, null, topology ip

    router 10M pps flowspec ip, proto, length, network card 6M pps floodgate full payload kernel 1.2M pps iptables full payload DNS server 0.3M pps selective drops, just handle full payload

38. Chapter 3 Mitigation infrastructure 38

39. Accuracy takes time 39 upstream congestion more ports, null, topology

    ip router 10M pps flowspec ip, proto, length, network card 6M pps floodgate full payload kernel 1.2M pps iptables full payload DNS server 0.3M pps selective drops, just handle full payload

40. Tools development timeline 40 null tcpdum p scripts tcpdum p

    m anually flowspec lim its in dns server HH in dns server centrally m anaged bpf sflow aggregation floodgate autom ation Mitigation Detection iptables bpf

41. The pain is increasing 41 pps 30 days →

42. Manual attack handling 42 sflow pretty analytics command line iptables

    rules iptables mgmt sflow aggregation Operator servers switch switch switch

43. Sflow analytics 43

44. Iptables management 44

45. 45

46. Automatic attack handling 46 API Gatebot sflow analytics iptables rules

    iptables mgmt sflow aggregation servers switch switch switch

47. Gatebot 47

48. Summary • Time to mitigation is critical • Want to

    be as selective as possible • Automation is a process, not a project 48 Thanks marek@cloudflare.com and good luck!

49. 49