Download IR_DNS_update_IAW2004

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts

Server Message Block wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Lag wikipedia , lookup

Proxy server wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Transcript 
IEEE Information Assurance Workshop 2004
Enhanced Secure Dynamic
DNS Update with Indirect Route
David Wilkinson,
C. Edward Chow,
Yu Cai
06/11/2004
University of Colorado at Colorado Springs
Introduction to DNS




DNS: Domain Name System
DNS translates between domain names and IP
addresses.
Berkeley Internet Name Domain package (BIND).
DNS was designed two decades ago. DNS is
undergoing changes with various enhancements.





DNSSEC (DNS Security Extensions)
Dynamic DNS update and secure DNS update RFC
DNS for loading balancing and traffic distribution
Storing IPSec keying material in DNS
And many more
Introduction to SCOLD

SCOLD: Secure COLlective Defense system, designed
to defend against DDoS attack.

The key idea of SCOLD: follow intrusion tolerance and
network reconfiguration paradigm by providing alternate
routes via a set of proxy servers and alternate gateways
when the normal route is unavailable or unstable due to
network failure, congestion, or DDoS attack.

In SCOLD, the DNS is utilized to store the indirect
routing information, like the proxy server IP addresses
Introduction to SCOLD

Motivation of SCOLD:


Multiple gateways or multi-homing scheme are popular.
When the main gateway is under attack, the traffic should
be redirected through the alternate gateways.
 We may not want to reveal the alternate gateway IP
addresses to public domain, because otherwise they may
become new targets of attacks.
 We design to use proxy servers to protect the alternate
gateways and reroute the traffic.

A key technique in SCOLD is the enhanced secure
dynamic DNS update with indirect route. We refer to it as
the IR DNS update.
SCOLD Overview:
Target site under DDoS attack
Net-a.com
A
A
R
Net-b.com
A
DNS1
B
B
R
Net-c.com
B
C
DNS2
C
R
C
DNS3
Proxy3
Proxy1
Proxy2
Proxy4
R
DDoS attack Traffic
R1
R2
R3
DNS
Coordinator
Client Traffic
Target server
Target
SCOLD Overview:
The control flow
Net-a.com
A
A
R
Proxy1
Net-b.com
A
DNS1
B
B
R
Net-c.com
B
C
DNS2
R
Proxy2
Proxy4
R
Secure DNS update
SCOLD Control Msg
C
R1
R2
C
DNS3
Proxy3
R3
DNS
Coordinator
Target server
Target
SCOLD Overview:
Indirect Route
Net-a.com
A
A
R
Net-b.com
A
DNS1
B
B
R
Net-c.com
B
C
DNS2
C
R
C
DNS3
Proxy3
Proxy1
Proxy2
Proxy4
R
DDoS attack Traffic
Client Traffic
R1
R2
R3
DNS
Coordinator
Indirect Route
Target server
Target
The enhanced DNS update with
indirect route: IR DNS


Redefine the DNS record format for storing the additional
information.
A sample of the new DNS record in the DNS zone file:
target.targetnet.com. 10 IN
target.targetnet.com. 10 IN
10 IN
10 IN


A
ALT
ALT
ALT
133.41.96.71
203.55.57.102
203.55.57.103
185.11.16.49
The first line is a normal DNS entry, containing host
name and its IP address.
The next 3 lines contain the IP addresses of proxy
servers, as the newly defined “ALT” type (type 99).
Why DNS update with Indirect
Route?



In the scenario of DDoS attack, the main gateway of the
target server domain may become unavailable or
unstable. Therefore, the normal DNS update might
experience significant delay or even completely fail.
By setting up indirect route and perform the DNS update
via the indirect route, we can overcome the problem.
IR DNS can also be used to protect the Root DNS
servers.
IR DNS update
Client DNS
3. notify client
DNS server
Coordinator
1. raise alarm
2. notify proxy
4
6. Client
query DNS
5
Client
Target
Main GW
Proxy
Target DNS
4
Alt GW
5
4. request indirect route
5. secure DNS update via indirect route
4
5
Protect the root DNS server
DNS1
DNS2
Proxy1
R
Coordinator
Proxy2
R1
Proxy3
DNS3
SCOLD Control Msg
R2
Secure DNS update
Root
DNS
server
Implementation






We implement the IR DNS update on BIND v. 9.2.2
and Redhat Linux v. 8 / 9.
The indirect route is implemented by using IP tunnel
protocol
The BIND 9 DNS server was enhanced.
The DNS dynamic update utility (nsupdate) was
enhanced as a new program named “nsreroute”
The domain name resolve library (v.2.3.2) was
enhanced
An agent program runs on each participating node
(DNS servers, proxy servers, gateways) listening for
the control message.
Implementation


All the control messages are encrypted using Secure
Sockets Layer (SSL) and all participating nodes must
be mutually authenticated.
Nsreroute and input_file format:
• nsreroute input_file
• reroute client.clientnet1.com. victimDNSserver1.victimnet.com.
victimDNSserver2.victimnet.com. <victim DNS 1 address> <victimDNS 2
address> <proxy server address 1> <proxy server address 2> ... <proxy server
address N>
• reroute client.clientnet2.com. victimDNSserver1.victimnet.com.
victimDNSserver2.victimnet.com. <victim DNS 1 address> <victimDNS 2
address> <proxy server address 1> <proxy server address 2> ... <proxy server
address N>
Experimental Results
Experimental Results
Experimental Results
1. Overhead of resolve library and DNS server is limited
2. Overhead of IP tunnel is acceptable
3. There is a limit on how many client DNS servers one IR
DNS update can handle concurrently.
4. Overhead of Indirect Route is acceptable compared with
the impact of DDoS attacks.
• 70-300% overhead vs. possibly infinity
Conclusion




We present the design and implementation of the IR
DNS update.
It is an essential part of the SCOLD system, but can also
serve as a useful extension to the existing DNS update
utility.
BIND 9 DNS package is modified to support IR DNS
update. IP tunnel was utilized to implement indirect
routing. New ALT 99 type data is defined and a new DNS
update utility named nsreroute is developed.
The preliminary results show that SCOLD can improve
the network security, availability and performance.
References














[1] P. Mockapetris, “Domain Names--Implementation and Specification”, RFC 3658, Nov. 1987
[2] P. Mockapetris, “Domain Names--Concepts and Facilities”, RFC 1034, Nov. 1987
[3] Internet Systems Consortium, “ISC BIND”, http://www.isc.org/index.pl?/sw/bind/
[4] The SANS Institute, “How To Eliminate The Ten Most Critical Internet Security Threats”
http://www.sans.org/top20/top10.php, 2001
[5] Internetnews.com, “Massive DDoS Attack Hit DNS Root Servers”,
http://www.internetnews.com/ent-ews/article.php/1486981
[6] Edward Chow, Yu Cai, “Secure Collective Defense system (SCOLD)”,
http://cs.uccs.edu/~scold/doc/ SCOLD_globecom2004.doc, submitted to Globecom 2004
[7] DNSSEC, http://www.dnssec.net/
[8] Dynamic DNS update, RFC 2136,
http://www.faqs.org/rfcs/rfc2136.html
[9] Secure DNS update, RFC 3007,
http://www.faqs.org/rfcs/rfc3007.html
[10] Y. Shim, et al., “Extension and Design of Secure Dynamic Updates in Domain Name
Systems”, 5th Asia-Pacific Conference on Communications, 1998
Related documents
CSCI6268L36
CSCI6268L36
Chapter 5 : The Internet: Addressing & Services
Chapter 5 : The Internet: Addressing & Services
The Great Firewall of China
The Great Firewall of China
Design and Implementation of Alternative Route Against DDOS
Design and Implementation of Alternative Route Against DDOS
Chapter 23 - William Stallings, Data and Computer
Chapter 23 - William Stallings, Data and Computer
Using DNS as an Access Protocol for Mapping Identifiers to Locators
Using DNS as an Access Protocol for Mapping Identifiers to Locators
Midterm Review - UTK-EECS
Midterm Review - UTK-EECS
DNS
DNS
Network
Network
Lab 9
Lab 9