Андрей Лескин (qratorlabs/hll)

Post on 15-May-2015

TRANSCRIPT

  • 1. UDP Amplifiers DNS QratorLabs/HLL
  • 2. Amplifier !
  • 3. Amplifier ! TCP !
  • 4. Amplifier ! TCP ! UDP ,
  • 5. Amplifier ! TCP ! UDP , DNS, NTP, NetBIOS, etc , - !
  • 6. Bad guy Amplifier x60 Victim !
  • 7. . . dig isoc.org ANY 79 bytes vs 2885 bytes => margin: 36.
  • 8. . . dig isoc.org ANY 79 bytes vs 2885 bytes => margin: 36. dig exploit-dns.net TXT FUUUUUUU.
  • 9. . . dig isoc.org ANY 79 bytes vs 2885 bytes => margin: 36. dig exploit-dns.net TXT FUUUUUUU. ntpdc -c monlist 127.0.0.1 , : 600 ... 4800
  • 10. . . dig isoc.org ANY 79 bytes vs 2885 bytes => margin: 36. dig exploit-dns.net TXT FUUUUUUU. ntpdc -c monlist 127.0.0.1 , : 600 ... 4800 ping 127.0.0.1 ICMP?
  • 11. . ICMP [Chart: ICMP amplifiers. Gathered by radar.qrator.net]
  • 12. . DNS [Chart: DNS amplifiers, 4% IPv4. Gathered by radar.qrator.net]
  • 13. DNS Total servers: 11,675,538 (0.27% IPv4). Amplifiers (com. ANY): 6,424,050 (55% DNS) Gathered by radar.qrator.net
  • 14. DNS Total servers: 11,675,538 (0.27% IPv4). Amplifiers (com. ANY): 6,424,050 (55% DNS) NTP Total servers: 108,374 ( ) >10x: 56425 >100x: 15543 >1000x: 10198 + Gathered by radar.qrator.net
  • 15. DNS.
  • 16. DNS. dnsscan.shadowserver.org openresolvertest.net good guys
  • 17. DNS. dnsscan.shadowserver.org openresolvertest.net good guys 1x1.cz, isc.org, youtube.it, isc.org.cn , bad guys
  • 18. DNS. dnsscan.shadowserver.org openresolvertest.net good guys 1x1.cz, isc.org, youtube.it, isc.org.cn , bad guys www.jrdga.info , DNS_Windows_SMTP_Overflow RCE
  • 19. DNS. dnsscan.shadowserver.org openresolvertest.net good guys 1x1.cz, isc.org, youtube.it, isc.org.cn , bad guys www.jrdga.info , DNS_Windows_SMTP_Overflow RCE %20www.example.com !
  • 20. DNS.
  • 21. .
  • 22. Local EDNS0 512 , 4096 default by now, 65535 possible ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096
  • 23. Local EDNS0 512 , 4096 default by now, 65535 possible ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 Response Rate Limiting Slip Value , .
  • 24. Local . RRL. [Diagram: Resolver, BAD GUY, AUTH NS, RRL WALL]
  • 25. Local . RRL. [Diagram: Resolver, BAD GUY, AUTH NS, RRL WALL] src_ip: resolvers zone: target
  • 26. Local . RRL. [Diagram: Resolver, BAD GUY, AUTH NS, RRL WALL] src_ip: resolvers zone: target target.zone A?
  • 27. Local . RRL. [Diagram: Resolver, BAD GUY, AUTH NS, RRL WALL] src_ip: resolvers zone: target target.zone A? RRL DROP target.zone: 127.0.0.1 (MANY-MANY) Thanks!
  • 28. Local EDNS0 512 , 4096 default by now, 65535 possible ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 Response Rate Limiting Slip Value , . DNSSEC ,
  • 29. Global Open Recursion ,
  • 30. Global Open Recursion , BCP-38/84 Ingress Packet Filtering. Prevent spoofed IP
  • 31. Global Open Recursion , BCP-38/84 Ingress Packet Filtering. Prevent spoofed IP BGP FlowSpec (iptables, )
  • 32. Best practices
  • 33. Best practices DNS The Internet
  • 34. Best practices DNS The Internet
  • 35. Best practices () DNS The Internet DNS
  • 36. Best practices DNS The Internet
  • 37. Best practices The Internet DNS
  • 38. Best practices The Internet DNS dyn.com cloudns.net Qrator DNS
  • 39. ! serenheit@highloadlab.com