8548 cazuri COVID-19 în Moldova
3503 – cazuri active
4738 – cazuri vindecate
307 – cazuri fatale
Actualizarea datelor: 2 iunie 2020 ora 19:33

DNS Amplification Attacks

In recent months several attackers massively exploited recursive name servers to amplify DDoS attacks against several networks utilizing IP spoofing. Analysis of three of these attacks makes up the bulk of our study. The addendum to this paper contains a detailed description of three of these attacks.
The DNS uses a tree-like system of delegations. Recursion is the process of following the chain of delegations, starting at the Root zone, and ending up at the domain name requested by a user. A recursive name server may need to contact multiple authoritative name servers to resolve given name on behalf of the requester. Recursive name servers are similar to SMTP relays and web proxies. They all accept messages (including requests and queries) from clients, which are then forwarded to other servers as necessary.

Ideally, a recursive name server should only accept queries from a local, or authorized clients. Unfortunately, many recursive name servers accept DNS queries from any source. Furthermore, many DNS implementations enable recursion by default, even when the name server is intended to only serve authoritative data. We say that a name server is an “open resolver” if it provides recursion to non-local users.

To establish a perspective, spoofed ICMP attacks are historically well known. On many of today s networks, ICMP Echo replies (message type 0) can be seen at the network perimeter. These replies are generated due to spoofed packets with forged source addresses in the local network space used in remote attacks.

Similarly, recursive name servers can be induced to participate in DDoS attacks in a number of ways. A network of computers distributed on the Internet in a construct such as a Botnet, can send spoofed-address
queries to an Open Resolver (or resolvers) causing it to send responses to the spoofed-address target. Thereby, the resolver unwittingly participates in an attack on spoofed addresses. For example, high volumes DNS SERVFAIL (RCode 2) responses to a spoofed IP address can equal the damages of spoofed ICMP Echo replies (type 0) without revealing the identity of the attacker. Relatively small DNS requests can be employed to cause significantly larger replies from a name server to the spoofed IP address.

DDoS attacks using recursive name servers can create an amplification effect similar to the now-aged Smurf attack. The Smurf attack works by sending an ICMP Echo request (type 8, a ping) to broadcast addresses on affected networks. These receiving hosts in turn relay the request and a reply to the spoofed location is initiated. In the Smurf effect, on a multi-access broadcast network, one can expect every single ping to result in attack amplification by triggering replies from all the active computers on the amplification subnet.

The amplification effect in a recursive DNS attack is based on the fact that small queries can generate larger UDP packets in response. In the initial DNS specification, UDP packets were limited to 512 bytes. At most, a 60 byte query could generate a 512 byte response for an amplification factor of 8.5. This amplification effect has been used in DNS based attacks for some time (CIAC 1999) (gnupg 2002).

New RFC specifications,- in support of IPv6, DNSSEC, NAPTR and other extensions to the DNS system, - require name servers to return much larger responses to queries. This increased UDP payload capability is now being used to launch attacks with higher UDP response amplifications. These attacks employ the RFC 2671 (Extension Mechanisms for DNS - EDNS) specification to implement a mechanism whereby the request initiator can advertise a larger UDP buffer size to responders by using an OPT pseudo-RR in the additional data section of the request.

Thus, where the amplification of a standard Smurf attack relies on sending a packet to a broadcast address which then causes multiple systems to respond to a victim, DNS amplification occurs due to the response packet being significantly larger than that of the query. If an Open Resolver receives an EDNS (RFC 2671) query containing a large buffer advertisement, its reply to the possibly-spoofed requesting IP address can be quite large. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes amplifying the response packet by a factor of 60.

Both the attacked party and the exploited servers participating in the attack - the recursive name server (or servers) - can potentially experience a serious DDoS attack. One report on NANOG (NANOG #1) describes a deluge of DNS requests to an exploited server with some addresses making more than 250,000 requests in a short time frame. The server in this report was participating in one of the attacks which we study in this paper. In our case study the DNS entries have a long TTL (minimum-ttl:86400s (24 hours)) to force the exploited servers to cache the real authoritative name server s resource records.
We assume this was an attempt to avoid a DDoS on the real authoritative name server.

By combining different response types, the amplification effect can reach up to a factor higher than 60. If, for example, the response consists of a 122 byte A type response, a 4000 byte TXT response, and a 222 byte SOA response, the total response consists of 4320 bytes. This yields an amplification factor
of 73.

Other amplifications are possible depending on the query size and the experienced packet distributions in an actual attack. Due to networking limits, traffic collisions and other factors, the effective rate of an attack will be significantly smaller than the amplification s theoretical upper limit.

The full paper can be found at : http://www.isotf.org/news/DNS-Amplification-Attacks.pdf

2009-02-13 15:23:11


Ultimele 25 posturi adăugate

11:38:33Dr. Eugenia Constantinou – “Mai periculos decât Covid-19” —» Liturgică şi Misiologie Ortodoxă
21:32:25Cum măsurăm satisfacția? (exemplu în bază de sex) —» apostu
19:48:00Intellij Idea can't resolve generated class —» Programming notes
19:47:59De Ziua Copilului Ilinca a fost ghidușă, iar Grivei cam mânios —» Andrei Albu - omul alb cu gînduri negre
18:07:30Despre starea jalnică a justiției românești —» Curaj.TV | Media alternativă
13:13:321 IUNIE —» cciobanu's blog
12:25:44Săptămâna în care Chicu a sărit să astupe „culiocul” —» Un PUNCT din .FR
10:44:05(VIDEO) Între adevăr și minciună: ”Kuliokul” lui Dodon, ajutorul românesc, tehnologia 5G și COVID-19 —» Elena Robu
10:03:42DIN POEZIA AVANGARDEI —» Leo Butnaru
08:36:04Copiii străzii despre ziua de 1 iunie 2020 (ru) —» Curaj.TV | Media alternativă
08:01:09Au apă caldă numai o zi pe săptămînă la internat —» Curaj.TV | Media alternativă
07:16:32A fi în relație —» Viata pe Tinder – Viata amoroasa pe Tinder
06:09:23Cel mai bun film educaţional al anului! —» Dindilina
06:02:10ION MADAN – Profesorul drag al multor generații de bibliotecari profesioniști și devotați —» BiblioCity
05:06:51Sectorul medical - un domeniu larg de aplicații pentru IT —» BiblioCity
21:05:26Pr. Prof. Alkiviadis Kalivas – Însemnare pe marginea linguriței comune pentru împărtăşire —» Liturgică şi Misiologie Ortodoxă
21:05:26Pr. Prof. Alkiviadis Calivas – Însemnare pe marginea linguriței comune pentru împărtăşire —» Liturgică şi Misiologie Ortodoxă
19:55:55Noua ideologie —» Badan Blog
17:59:46©️ Mă dezbrac de gânduri —» Licurici de suflet
14:44:38Trafic infernal la București pe timp de pandemie —» Curaj.TV | Media alternativă
13:59:37Altercații cu poliția la protestul veteranilor —» Curaj.TV | Media alternativă
08:50:54Ziua Românilor de Pretutindeni: Mesajul de felicitare al secretarului de stat al DRP, Ovidiu Burdușa —» Elena Robu
08:01:57DIN POEZIA LUMII - Osip MANDELȘTAM —» Leo Butnaru
07:57:50Evocări : ION MADAN, bibliolog, bibliograf și profesor, doctor în istorie (85 de ani de la naștere) —» Biblioteca de Arte 'Tudor Arghezi'
07:21:58PROPAGANDA RUSEASCĂ – O SPERIETOARE. Vulnerabilitatea în fața antitezelor naște mituri —» Nicolae Federiuc