“The  accidental  hacker”   Registrarseminar  2013   Oslo,  NO     DNS  Amplifica7on wed,  december  4th,  2013   Marco  Davids     Norid  registrar  seminar  2013 1 Pleased  to  meet  you!   Personalia:   Marco  Davids   Technical  Advisor  @  SIDN              :  @marcodavids     2 SIDN   Registry  for  .nl  ccTLD   o  Based  in  Arnhem,  the  Netherlands   o  3 SIDN   Early December 2013: 5.377.690 domain names (1.673.979 DNSSEC, >30%) ~30 domain names per 100 inhabitants 7th TLD, after .com, .de, .net, .uk, .org and .info 4 Introduc7on   o  Case  study  (just  an  example)   o  Modus  operandi  of  DNS  amplifica7on   o  Countermeasures   o  5 Introduc5on   There  are  many  aWack  types:   6 (source: Verisign DDoS malware whitepaper) A7ack  vectors   ● - Upstream Internet Congestion ● - Internet Link Congestion Router TCAM/Buffer Exhaustion - ● ● - Router CPU Exhaustion Mitigation Exhaustion - ● ● - Server CPU Exhaustion ● - Server Session Exhaustion Firewall CPU / Memory Exhaustion - ● ● - Application Session Exhaustion ● - Database Connection Exhaustion CPU/Session Exhaustion- ● ● - Server Resource Exhaustion 7 A7ack  vectors  (2)     30% 27%2 6% 30% 25% 24% 22% 25% 2011 2012 20% 15% 11% 8% 8% 8% 10% 4% 5% 5% 0% Internet Firewall IPS/IDS Load The server SQL Server pipe Balancer under (saturation) (ADC) attack (source: KPN presentation) Who,  for  what?   9 Who,  for  what?   •  Kiddies   •  Distrac7on  (from  another  aWack)   •  Blackmail   •  Hack7vism   •  Cyber  warfare  /  terrorism   10