DNS Amplification Attacks

In recent months several attackers have massively exploited recursive name servers, using IP spoofing, to amplify DDoS attacks against several networks. Analysis of three of these attacks makes up the bulk of our study; the addendum to this paper contains a detailed description of each of them.

The DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone and ending at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve a given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies: all of them accept messages (requests and queries) from clients and forward them to other servers as necessary.

Ideally, a recursive name server should only accept queries from local or otherwise authorized clients. Unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to serve only authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

For perspective, spoofed ICMP attacks are historically well known. On many of today's networks, ICMP Echo replies (message type 0) can be seen at the network perimeter. These replies are generated by spoofed packets, used in remote attacks, whose forged source addresses lie in the local network space.

Similarly, recursive name servers can be induced to participate in DDoS attacks in a number of ways. A network of computers distributed across the Internet, such as a botnet, can send spoofed-address queries to an open resolver (or several resolvers), causing it to send its responses to the spoofed-address target. The resolver thereby unwittingly participates in an attack on the spoofed addresses. For example, high volumes of DNS SERVFAIL (RCODE 2) responses to a spoofed IP address can do as much damage as spoofed ICMP Echo replies (type 0), without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.

DDoS attacks using recursive name servers can create an amplification effect similar to the now-aged Smurf attack. The Smurf attack works by sending an ICMP Echo request (type 8, a ping) to broadcast addresses on affected networks. Every host that receives the request then sends a reply to the spoofed source address. In the Smurf effect, on a multi-access broadcast network, one can expect every single ping to result in attack amplification by triggering replies from all the active computers on the amplification subnet.

The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5. This amplification effect has been used in DNS based attacks for some time (CIAC 1999) (gnupg 2002).

New RFC specifications, in support of IPv6, DNSSEC, NAPTR and other extensions to the DNS system, require name servers to return much larger responses to queries. This increased UDP payload capability is now being used to launch attacks with higher UDP response amplification. These attacks employ the RFC 2671 (Extension Mechanisms for DNS, EDNS) specification, which lets the request initiator advertise a larger UDP buffer size to responders by including an OPT pseudo-RR in the additional data section of the request.

Thus, where the amplification of a standard Smurf attack relies on sending a packet to a broadcast address, which then causes multiple systems to respond to a victim, DNS amplification occurs because the response packet is significantly larger than the query. If an open resolver receives an EDNS (RFC 2671) query containing a large buffer advertisement, its reply to the possibly spoofed requesting IP address can be quite large. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60.

Both the attacked party and the exploited servers participating in the attack, the recursive name server (or servers), can potentially experience a serious DDoS attack. One report on NANOG (NANOG #1) describes a deluge of DNS requests to an exploited server, with some addresses making more than 250,000 requests in a short time frame. The server in this report was participating in one of the attacks which we study in this paper. In our case study the DNS entries have a long TTL (minimum-ttl: 86400s (24 hours)) to force the exploited servers to cache the real authoritative name server's resource records. We assume this was an attempt to avoid a DDoS on the real authoritative name server.
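The NANOG report above is seen from the exploited resolver's side: a handful of "client" addresses each sending hundreds of thousands of queries, which in reality are the spoofed victim addresses. The following Python is an added example, not code from the paper or from any resolver product. It runs a per-source sliding-window count over constructed resolver query-log lines (the log format is an assumption made up for this example, not any real resolver's syntax) and reports sources that hit a threshold, together with how many of their queries are amplification-shaped (recursion desired, large EDNS buffer, TXT or ANY). The addresses 198.51.100.7 and 192.0.2.20 are documentation-range values chosen for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (an assumption, not any resolver's real querylog syntax):
# <ISO-8601 timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags> edns=<bytes>
# "+" in <flags> means recursion desired; edns=0 means no OPT RR was present in the query.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) "
    r"(?P<flags>\S+) edns=(?P<edns>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "ip": d["ip"], "qname": d["qname"],
            "qtype": d["qtype"], "rd": "+" in d["flags"], "edns": int(d["edns"])}


def find_flooded_sources(lines, window_s: int = 10, threshold: int = 100, big_edns: int = 4096) -> dict:
    """Sliding-window query count per source IP. A source is reported the first time it reaches
    `threshold` queries within `window_s` seconds; the report notes the share of those queries
    that look amplification-shaped (RD set, EDNS buffer >= big_edns, TXT or ANY)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)          # per-source queue of records inside the current window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec)
        while q and rec["ts"] - q[0]["ts"] > window:
            q.popleft()                  # drop records that fell out of the window
        if len(q) >= threshold and rec["ip"] not in flagged:
            shaped = sum(1 for r in q
                         if r["rd"] and r["edns"] >= big_edns and r["qtype"] in ("TXT", "ANY"))
            flagged[rec["ip"]] = {
                "queries_in_window": len(q),
                "amplification_shaped": shaped / len(q),
                "qnames": sorted({r["qname"] for r in q}),
            }
    return flagged


def constructed_log(n_flood: int = 150, n_normal: int = 8) -> list:
    """Constructed sample log: one source address repeating a TXT query with a 4096-byte EDNS
    buffer 50 times per second (in a real attack this address is the spoofed victim, not the
    attacker), plus a few ordinary A queries from another client."""
    base = datetime(2009, 2, 13, 15, 23, 11)
    lines = []
    for i in range(n_flood):
        ts = (base + timedelta(milliseconds=20 * i)).isoformat()
        lines.append(f"{ts} client 198.51.100.7#53412: query: big.example. IN TXT +E edns=4096")
    for i in range(n_normal):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} client 192.0.2.20#40001: query: www.example. IN A + edns=0")
    return sorted(lines)


if __name__ == "__main__":
    for ip, report in find_flooded_sources(constructed_log()).items():
        print(ip, report)
```

Because the flooding "client" in a resolver's log is the spoofed victim, the useful response to such a report is to restrict recursion to authorized clients and to rate-limit responses, not to treat the flagged address as the attacker. A production sensor would also need to expire idle entries in `recent`, which this example leaves growing for clarity.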

By combining different response types, the amplification effect can reach a factor higher than 60. If, for example, the response consists of a 122 byte A type response, a 4000 byte TXT response, and a 222 byte SOA response, the total response consists of 4320 bytes. This yields an amplification factor of 73.

Other amplification factors are possible depending on the query size and the packet distributions experienced in an actual attack. Due to networking limits, traffic collisions and other factors, the effective rate of an attack will be significantly smaller than the amplification's theoretical upper limit.

The full paper can be found at: http://www.isotf.org/news/DNS-Amplification-Attacks.pdf


Source
2009-02-13 15:23:11


