Preventing DNS Fragmentation and Large DNS Packet Attacks

Often times, attackers will attempt to perform very rudimentary attacks against DNS resolvers in an attempt to cause a Denial of Service. It is not uncommon to see attackers crafting a DoS attack composed mostly of UDP packets destined to port 53 with invalid payloads containing the ‘more-fragments’ bit set. In some cases, the packets may contain the ‘non-more-fragments’ bit set with packets of specific lengths, typically larger than the average size of a normal DNS packet.

Many flow analysis tools and IDP products have the ability to look for IP fragmentation misuse based on parameters that the operator may set; these tools are invaluable as an early warning system to alert the network administrator that their infrastructure is under attack.

Insofar as being able to mitigate these types of attacks, a few simple approaches can be utilized by a network administrator in order to filter this type of traffic using simple ACLs or firewall filters on routers or other types of equipment capable of filtering at Layers 3 and 4. Normally, is is not typical to see DNS queries which are fragmented, therefore the following Juniper firewall-filter should effectively filter the fragmented packets:

For packets containing the ‘non-more-fragments’ bit set, or which all packets within the attack flows share a common packet size (typically this will be large, on the order of 540 bytes or larger), a network administrator can easily filter those on the router as well. Normally we should not expect to see queries of this large size, so the following could be effectively used to filter these types of attacks as well.  In this example we are filtering UDP or TCP packets destined to port 53, with a size of either 540 bytes or 1480:

NOTE: It is more than likely a network administrator would need to adjust the above packet sizes after analysis of the packet size used in the attack vector using whatever flow reporting or network visibility tools are in use, since it is unlikely an attacker would use the exact same packet sizes listed in the example above.

Book Review :: Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)


Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
by Victor Oppelman, Oliver Friedrichs, and Brett Watson
Paperback: 448 pages
Publisher:  McGraw-Hill Osborne Media
ISBN-13: 978-0072259551

4starsGood coverage of darknets, honeynets, and triggered blackholes

First I must admit that I know and have worked with several of the authors of this book. I was given an autographed copy of the book late last year, however seeing as the book was published in 2005 I didn’t think there would be much along the lines of useable information seeing as many of the security threats and vulnerabilities have evolved quite a bit since then. However, as I started reading the book I quickly realized much of the information was still relevant today as it was several years ago. The chapters on ISP Security Practices and Securing the Domain Name System had very good coverage of many of the techniques used throughout Service Provider networks to secure their network and DNS infrastructure.

I particularly enjoyed reading the sections on using egress packet filters to restrict data leaks from within an organization – a particular problem today with the prevalance of Internet Worms and other Malware which often attempt to communicate back to their centralized Command & Control (C&C) hosts. The chapter on ‘Sinkholes and Backscatter’ has very good coverage on a wide variety of topics such as using Darknets and Honeynets to monitor malicious traffic and other nasties emanating throughout your network, as well as using techniques such as Triggered Blackhole Routing to propagate filters quickly and dynamically to drop DDoS and other malevolent traffic.

I would have to disagree with Dr. Anton Chuvakin that the chapters on Digital Forensics were disappointing. Personally, I learned quite a bit from these chapters and came away from reading them with a whole arsenal of new tools to use with which I can perform my own digital forensics on compromised systems. The coverage of Foremost, memdump, and some of the advanced digital forensic tools was top notch.

All in all, I would say this is still a good book for anyone involved in Network Security. Much of the information covered is still relevant in today’s networks. If the authors attempt to release a second edition I would suggest coverage of adapting Triggered Blackhole techniques to be used in more modern DDoS Mitigation scenarios. Additionally, discussion of new techniques used for Malware C&C and coverage of Fast-flux and Double-flux techniques used by the attackers to create more robust and reliable networks would be welcomed.

Book Review :: OSPF and IS-IS: Choosing an IGP for Large-Scale Networks


OSPF and IS-IS: Choosing an IGP for Large-Scale Networks
by Jeff Doyle
Paperback: 480 pages
Publisher: Addison-Wesley Professional
ISBN-13: 978-0321168795

5starsA welcome addition to any networking library

If you consider yourself a student of routing protocols and enjoy coverage of graph theory from the perspective of its application to link-state routing protocols, this text will certainly be a welcome addition to your library. This book not only provides information regarding ‘how’ link-state routing protocols work, it also provides information regarding ‘why’ the link-state routing protocols behave as they do, and why the protocol designers made certain choices in the development of these protocols. While it might seem a daunting task especially to the novice reader to learn about two routing protocols side-by-side, it is this treatment which makes this text so worthwhile. Being able to compare these two protocols and identify their similarities and differences simultaneously will ultimately help the network designer pick the right protocol for the job in a given network environment.

This book goes beyond IGP fundamentals by giving practical advice to the network designer which can assist in the planning and implementation of a scalable IGP deployment. For example, in the chapter on Area Design, the author states that “a useful guideline when designing a network is that network control traffic should never exceed 5 percent of the available bandwidth of any link in the network, and in normal circumstances should not exceed 1 percent”. The author then presents various formulas which can be used to determine the amount of bandwidth used by the protocol control traffic based on the number and type of LSAs which are expected to be present in a given network. Arguably one of the best chapters in the book is the chapter on Scaling. This chapter has some of the best coverage of the various modifications which router vendors make to their link-state protocol implementations in order to make routers perform calculations more rapidly, enhance flooding of Link-State updates, and other changes designed to make the protocols scale to support very large networks.

I am a stickler for accuracy, especially when it comes to technical textbooks. I pride myself on my ability to spot technical and grammatical errors in texts such as these, however I must say as I read this book I was very impressed that I found very little errors beyond just the simple grammatical and typographical. Jeff Doyle is an experienced writer, and it should come as no surprise that the technical content in this book is extremely well-vetted, accurate, and error-free. Ultimately, if you are a network operator, designer or architect and are interested in broadening your understand of link-state protocols coupled with the ability to more fully understand the technical distinctions between OSPF and IS-IS, this book is without a doubt one of the best options on the market today.

Book Review :: Designing and Developing Scalable IP Networks

Scaleable Networks

Designing and Developing Scalable IP Networks
by Guy Davies
Hardcover: 302 pages
Publisher: Wiley
ISBN-13: 978-0470867396

3starsDecent information with a hefty price tag…

The title of this book “Designing and Developing Scalable IP Networks” would lead one to believe that reading this book would give the reader special insight into certain architectural approaches that would enable the network designer to build very large and expansive networks. And while the book certainly did provide some useful information, I found it lacking somewhat in details. The author does not delve into the minutiae of the various protocols, such as message types, protocol interaction, etc. Instead, the author assumes the reader already has a solid understanding of the basic principles of IP networking and the protocols associated with IP routing and switching. The author states early on that the book is meant to “examine the architectural and design principles that can be applied to designing and building scalable IP and MPLS networks”, however after a thorough reading I did not find that I was substantially more educated in the subject matter. And herein lies the crux – this book, which is priced in at a whopping $130 – is far more expensive than other texts of a similar nature, some of which cover far more expansive material and cost considerably less. Furthermore, the book is too light on details to be sufficiently useful to someone who is new to the industry and looking to gain a better understanding of what is required to build large-scale networks, and is unlikely to provide the experienced network architect with useable knowledge beyond that which he or she may already possess.

That being said, there is decent treatment of MPLS and Generalized MPLS, MPLS VPNs, QoS, and IPv6. And there certainly are a few good nuggets of information to be found throughout the book. For example, there is very good information on route-reflection, such as the pro’s and con’s of using the same cluster-id on a pair of route-reflectors running in a pair. It also examines practical deployment information for such mechanisms as graceful-restart, citing the fact that enabling BGP graceful-restart without enabling a similar mechanism in the IGP is likely to reduce the benefit of enabling such a mechanism in the first place. And while this is one of the few texts that I have seen on the market that broaches the subject of graceful-restart, I welcome the author to include more information on this subject in subsequent editions.

All in all I would say that this is a good desk side reference if one wants a text which covers the main protocols and mechanisms in use in large Service Provider networks, but if you are looking for a text which will enable you to build large-scale networks you might be somewhat disappointed in the treatment, especially considering the hefty price tag of this item.

Danny McPherson talks with Verizon Business about Arbor’s 2007 Worldwide Infrastructure Security Report

Danny McPherson, Chief Security Officer at Arbor Networks, talks with Verizon Business’ Stefan Fouant about the complex set of challenges facing the service provider community.  What are the most pressing security issues facing providers today, and how do they plan to address them? Listen to this podcast to learn more.

Book Review :: Configuring NetScreen Firewalls


Configuring NetScreen Firewalls
by Rob Cameron
Paperback: 600 pages
Publisher: Syngress
ISBN-13: 978-1932266399

2starsBetter off waiting for a Second Edition…

I read a lot of books, and while I don’t review all of them, I am often compelled to write a review when a book stands out, either for it’s clear leadership and technical distinction in the marketplace, or for it’s extreme lack thereof. In this case, I was compelled to write the review based on the latter.

Seeing as this is the only Netscreen book on the market, I had high expectations for it. When one looks at the credentials of the numerous authors, it reads like a veritable list of leaders in the Security industry. As such, I was rather excited when I picked up this book. As I began reading this book, I quickly realized that it was not going to meet my expectations. Clearly this book was rushed to market, another sign that the primary concern of many publishers is not in producing quality, but rather quantity. This book suffers from many of the same problems I see with other books on the market with multiple contributing authors, which is that the voice isn’t consistent throughout the book. Some chapters have diagrams, screen shots, or CLI commands outlining various procedural steps, whereas these details are noticeably absent in others.

In addition, this book is littered with many errors throughout, both typographical as well as technical. In some cases, as other reviewers point out, sentences simply stop abruptly mid-sentence. The text often refers to diagrams which don’t even exist. There are numerous references to find additional information in other chapters which are non-existent.

With regards to technical content, the authors certainly could have added more detail, especially considering the number of authors who contributed to this text. For example, the chapter on Routing does a good job of telling the reader how to enable BGP, but provides no details on how to actually configure a BGP neighbor. Another example is URL filtering which is discussed in the chapter on Attack Detection and Defense. While the authors do a good job of describing the various modes to support URL filtering (redirect vs. integrated), there is no explanation of how redirection actually takes place and no diagrams to provide for comprehensive understanding of the subject matter.

I can’t blame the authors entirely for the many flaws in this book, as any decent technical editor should have been able to spot many of these errors prior to publication. One wonders whether the technical editors even read the book as many of the errors are so blatant that it’s inconceivable that so many managed to slip through. I’m disappointed in Syngress for publishing a book with so many errors, and this has definitely led me to believe that Syngress does not want to maintain a leadership position of publishing technical content of the highest magnitude, but rather they are only concerned with being the first to market with a particular product.

I will give this book 2 stars in that it is indeed a noble attempt at covering a wide array of topics, as well as for being the only book in the industry which covers this subject matter. I suggest that the authors should examine the possibility of releasing a second edition which may fix these blatant errors, as well as hiring some decent technical editors.