DNS Amplification Attacks

In recent months several attackers massively exploited recursive name servers to amplify DDoS attacks against several networks utilizing IP spoofing. Analysis of three of these attacks makes up the bulk of our study. The addendum to this paper contains a detailed description of three of these attacks.
The DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone, and ending up at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies. They all accept messages (including requests and queries) from clients, which are then forwarded to other servers as necessary.

Ideally, a recursive name server should only accept queries from a local, or authorized clients. Unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

To establish a perspective, spoofed ICMP attacks are historically well known. On many of today s networks, ICMP Echo replies (message type 0) can be seen at the network perimeter. These replies are generated due to spoofed packets with forged source addresses in the local network space used in remote attacks.

Similarly, recursive name servers can be induced to participate in DDoS attacks in a number of ways. A network of computers distributed on the Internet in a construct such as a Botnet, can send spoofed-address
queries to an Open Resolver (or resolvers) causing it to send responses to the spoofed-address target. Thereby, the resolver unwittingly participates in an attack on spoofed addresses. For example, high volumes DNS SERVFAIL (RCode 2) responses to a spoofed IP address can equal the damages of spoofed ICMP Echo replies (type 0) without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.

DDoS attacks using recursive name servers can create an amplification effect similar to the now-aged Smurf attack. The Smurf attack works by sending an ICMP Echo request (type 8, a ping) to broadcast addresses on affected networks. These receiving hosts in turn relay the request and a reply to the spoofed location is initiated. In the Smurf effect, on a multi-access broadcast network, one can expect every single ping to result in attack amplification by triggering replies from all the active computers on the amplification subnet.

The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5. This amplification effect has been used in DNS based attacks for some time (CIAC 1999) (gnupg 2002).

New RFC specifications,- in support of IPv6, DNSSEC, NAPTR and other extensions to the DNS system, - require name servers to return much larger responses to queries. This increased UDP payload capability is now being used to launch attacks with higher UDP response amplifications. These attacks employ the RFC 2671 (Extension Mechanisms for DNS - EDNS) specification to implement a mechanism whereby the request initiator can advertise a larger UDP buffer size to responders by using an OPT pseudo-RR in the additional data section of the request.

Thus, where the amplification of a standard Smurf attack relies on sending a packet to a broadcast address which then causes multiple systems to respond to a victim, DNS amplification occurs due to the response packet being significantly larger than that of the query. If an Open Resolver receives an EDNS (RFC 2671) query containing a large buffer advertisement, its reply to the possibly-spoofed requesting IP address can be quite large. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes amplifying the response packet by a factor of 60.

Both the attacked party and the exploited servers participating in the attack - the recursive name server (or servers) - can potentially experience a serious DDoS attack. One report on NANOG (NANOG #1) describes a deluge of DNS requests to an exploited server with some addresses making more than 250,000 requests in a short time frame. The server in this report was participating in one of the attacks which we study in this paper. In our case study the DNS entries have a long TTL (minimum-ttl:86400s (24 hours)) to force the exploited servers to cache the real authoritative name server s resource records.
We assume this was an attempt to avoid a DDoS on the real authoritative name server.

By combining different response types, the amplification effect can reach up to a factor higher than 60. If, for example, the response consists of a 122 byte A type response, a 4000 byte TXT response, and a 222 byte SOA response, the total response consists of 4320 bytes. This yields an amplification factor
of 73.

Other amplifications are possible depending on the query size and the experienced packet distributions in an actual attack. Due to networking limits, traffic collisions and other factors, the effective rate of an attack will be significantly smaller than the amplification s theoretical upper limit.

The full paper can be found at : http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

2009-02-13 15:23:11


Ultimele 25 posturi adăugate

14:43:17CEREȚI vs. CERE-ȚI – când punem cratima? —» Moldova Creștină
10:05:33Graduation @ #Precept Institute for South Sudan Refugees in Uganda 🇺🇬 —» Moldova Creștină
09:35:01”Nu te baza pe alții! Privește, învață, fă și taci!” sau Despre cum să fii optimist —» Sunt MAMĂ!
09:20:02De ce copiii mei au hainele murdare? —» Sunt MAMĂ!
12:01:45De ce reușesc să fac atât de multe lucruri timp de o zi —» Sunt MAMĂ!
11:50:40Disciplinile umanistice și posibilitățile de inserție profesională —» Centrul Comunitar Instruire, Acces Informaţie Călăraşi
10:27:43Vizita de lucru a secretarului de stat Gheorghe Cârciu în Franța —» Elena Robu
08:00:39Cum a ajuns profesia de cercetător una din cele mai instabile în RM —» Gheorghe Cuciureanu
05:48:09Serviciul „Eco responsabil”, ediția a II-a —» BiblioCity
02:31:03©️ Tu poți —» Licurici de suflet
09:57:45Despre „Demonii. Spovedania lui Stavroghin” de la Teatrul din Cluj —» Andrei Albu - omul alb cu gînduri negre
08:19:54Moldova a găsit soluția pentru eroarea 404. În vin! —» Fine Wine
13:09:41Guvernul vrea să închidă robinetul în capitală și lansează site-ul apă.md —» Nicolae Federiuc
10:00:17Poezie „Oameni ai credinței” —» Moldova Creștină
05:24:1710 principii de evanghelizare și ucenicie din Ioan 4-11 —» Moldova Creștină
18:59:39Bugetul IP Gimnaziul "Victor Coțofană " pe anul 2023 —» Blogul elevilor din satul Chetrosu
18:54:44Informație cu privire la formarea bugetului pentru anul 2023, în IP Gimnaziul "Victor Coțofană" —» Blogul elevilor din satul Chetrosu
18:48:13Raport referitor la executarea bugetului pentru anul bugetar 2022 —» Blogul elevilor din satul Chetrosu
14:36:50POEME PRIN ANI / ANTOLOGIE DE ETAPĂ #12 (30 de texte) —» Leo Butnaru