DNS Amplification Attacks

In recent months several attackers massively exploited recursive name servers to amplify DDoS attacks against several networks utilizing IP spoofing. Analysis of three of these attacks makes up the bulk of our study. The addendum to this paper contains a detailed description of three of these attacks.
The DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone, and ending up at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies. They all accept messages (including requests and queries) from clients, which are then forwarded to other servers as necessary.

Ideally, a recursive name server should only accept queries from a local, or authorized clients. Unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

To establish a perspective, spoofed ICMP attacks are historically well known. On many of today s networks, ICMP Echo replies (message type 0) can be seen at the network perimeter. These replies are generated due to spoofed packets with forged source addresses in the local network space used in remote attacks.

Similarly, recursive name servers can be induced to participate in DDoS attacks in a number of ways. A network of computers distributed on the Internet in a construct such as a Botnet, can send spoofed-address
queries to an Open Resolver (or resolvers) causing it to send responses to the spoofed-address target. Thereby, the resolver unwittingly participates in an attack on spoofed addresses. For example, high volumes DNS SERVFAIL (RCode 2) responses to a spoofed IP address can equal the damages of spoofed ICMP Echo replies (type 0) without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.

DDoS attacks using recursive name servers can create an amplification effect similar to the now-aged Smurf attack. The Smurf attack works by sending an ICMP Echo request (type 8, a ping) to broadcast addresses on affected networks. These receiving hosts in turn relay the request and a reply to the spoofed location is initiated. In the Smurf effect, on a multi-access broadcast network, one can expect every single ping to result in attack amplification by triggering replies from all the active computers on the amplification subnet.

The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5. This amplification effect has been used in DNS based attacks for some time (CIAC 1999) (gnupg 2002).

New RFC specifications,- in support of IPv6, DNSSEC, NAPTR and other extensions to the DNS system, - require name servers to return much larger responses to queries. This increased UDP payload capability is now being used to launch attacks with higher UDP response amplifications. These attacks employ the RFC 2671 (Extension Mechanisms for DNS - EDNS) specification to implement a mechanism whereby the request initiator can advertise a larger UDP buffer size to responders by using an OPT pseudo-RR in the additional data section of the request.

Thus, where the amplification of a standard Smurf attack relies on sending a packet to a broadcast address which then causes multiple systems to respond to a victim, DNS amplification occurs due to the response packet being significantly larger than that of the query. If an Open Resolver receives an EDNS (RFC 2671) query containing a large buffer advertisement, its reply to the possibly-spoofed requesting IP address can be quite large. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes amplifying the response packet by a factor of 60.

Both the attacked party and the exploited servers participating in the attack - the recursive name server (or servers) - can potentially experience a serious DDoS attack. One report on NANOG (NANOG #1) describes a deluge of DNS requests to an exploited server with some addresses making more than 250,000 requests in a short time frame. The server in this report was participating in one of the attacks which we study in this paper. In our case study the DNS entries have a long TTL (minimum-ttl:86400s (24 hours)) to force the exploited servers to cache the real authoritative name server s resource records.
We assume this was an attempt to avoid a DDoS on the real authoritative name server.

By combining different response types, the amplification effect can reach up to a factor higher than 60. If, for example, the response consists of a 122 byte A type response, a 4000 byte TXT response, and a 222 byte SOA response, the total response consists of 4320 bytes. This yields an amplification factor
of 73.

Other amplifications are possible depending on the query size and the experienced packet distributions in an actual attack. Due to networking limits, traffic collisions and other factors, the effective rate of an attack will be significantly smaller than the amplification s theoretical upper limit.

The full paper can be found at : http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

2009-02-13 15:23:11


Ultimele 25 posturi adăugate

09:53:58A pus la treabă poliția locală Sebeș —» Curaj.TV | Media alternativă
09:18:40Povestea ingenioșilor din clasa a IV-a —» BiblioCity
09:11:23O poveste despre alte povești —» BiblioCity
08:39:50Storage Shed Plans —» Andrei Fornea
02:52:49PROMO-"La scandal…cu Borodachi"- …Graeste Moldova…IN CURIND —» Curaj.TV | Media alternativă
02:01:07Ashley Furniture Leather Sofa —» Andrei Fornea
00:12:10East-West Center (EWC) U.S.-Philippines Alliance Fellowship 2020 (stipend of US$3,000) —» Informaţii pentru studenţi !
00:12:05Call for Arab-German Young Academy of Sciences and Humanities (AGYA) Membership Application 2020 —» Informaţii pentru studenţi !
21:29:44Presa internațională: Una din fiicele lui Kobe a murit alături de el în accidentul de elicopter —» Elena Robu
20:51:2010 ani de Curaj.TV #palavre —» Curaj.TV | Media alternativă
20:15:03Kobe Bryant, legenda NBA-ului, a decedat într-un accident aviatic —» Elena Robu
19:09:04Opinie: Moldova a rămas o țară săracă fără evrei —» Badan Blog
18:58:45East-West Center (EWC) U.S.-Philippines Alliance Fellowship 2020 (stipend of US$3,000) —» plop andrei
18:56:55De ce scriu despre cărți? —» Frinturi din suflet de femeie
18:42:25Call for Arab-German Young Academy of Sciences and Humanities (AGYA) Membership Application 2020 —» plop andrei
18:19:09Inspecție civică la Toboliu, Bihor —» Curaj.TV | Media alternativă
17:31:09Șase pui și-o biată mamă —» MЕ Blog | Miron Eugen | Agendă personală online | Aud,Vad,Scriu
15:38:59Khachapuri adjarian —» Bucataria Talinei - condimentat cu dragoste
15:25:31Casa cu farmece* —» Andrei LANGA. Blogul personal
11:40:51Wood Cutting Board Dishwasher —» Andrei Fornea
10:34:57Dining Room Curtain Ideas —» Andrei Fornea
07:55:13Desene colorate* —» Andrei LANGA. Blogul personal
03:43:39Black Framed Wall Mirror —» Andrei Fornea
23:51:07TWAS-CUI Postgraduate Fellowship Programme 2020/2021 for Researchers in Developing Countries —» Informaţii pentru studenţi !
23:51:04Visegrad Fund — Western Balkans Grant Program 2020 —» Informaţii pentru studenţi !