Sunday, March 2, 2014

DNS Amplification Attack

Before we understand the DNS Amplification Attack, lets learn about DDoS first. Distributed denial-of-service Attack (DDoS), is a cyber threat looming large on Organizations. It adversely affects the online productivity of individuals too. Anyone who relies on their Internet presence to generate revenue can be a target.
The Security tangent comes in question here. First, let us understand what DoS attack is. A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users. This is usually performed by interrupting or suspending the services of a host connected to the Internet.
Distributed DoS (DDoS) attacks are DoS attacks launched from multiple hosts simultaneously. The flood of incoming messages to the target system forces it to shut down or choke bandwidth. Hence, denying service to the legitimate users.
The domain name system (DNS) is one of the most critical service that keep the Internet working. However, it’s also been the most popular target for attackers. A DNS amplification attack is a form of distributed denial of service (DDos) attack that takes benefit from a much larger response generated by a small DNS query. When combined with source address spoofing, an attacker can direct a large volume of network traffic to the target system by initiating relatively small DNS queries.
DNS Amplification Attack, as the name suggests, is a way for an attacker to magnify the bandwidth for targeting a potential victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks. While the attacks are difficult to stop, network operators can apply several possible mitigation strategies.

DNS Amplification Attack: The Scenario

An attacker builds up his army of attack sources (the botnet). He writes large amplification records (e.g., a 4000 byte DNS TXT resource record) in the zone file of the name server he has compromised. Then, the attacker attacks the targeted name server via open recursive servers.
In the image below, the attacker targets a name server at the IP address At the attacker’s signal, all the zombies, the botnets, issue DNS request messages asking for the amplification of records through open recursive servers. The botnet hosts the spoof to the targeted name server by writing in the source IP address field of the IP packets containing their DNS request messages.
In reality, the targeted name server at never issues any DNS request messages. But, it now receives a flurry of responses. The responses contain a 4000 byte DNS TXT record. A message of this size exceeds the maximum (Ethernet) transmission unit. Hence, it is broken into multiple IP packets. This forces reassembly at the destination and increases the processing load at the target and enhances the deception.
The response spans several IP fragments and only the first fragment contains UDP header. The target may not immediately recognize that the attack is DNS-based.
Image Source

Important Terminologies

  • System Compromise – An attacker doesn’t want to use his own system for performing attacks on other systems. Hence, he launches the attack from systems on which he has gained unauthorized administrative control. The attacker can remotely control and direct the compromised system to initiate a DoS attack.
  • Amplification – Amplification, as the name suggests, increases the traffic volume in an attack. In the DNS attack, the attacker uses an extension to the DNS protocol (EDNS0) that enables large DNS messages. The attacker composes a DNS request message of approximately 60 bytes to trigger delivery of a response message of approximately 4000 bytes to the target.
  • Impersonation – The IP addresses are impersonated or copied to launch attacks. In the DNS attack, each attacking host uses the targeted name server’s IP address as its source IP address rather than its own. The effect of spoofing /impersonating IP addresses is that the responses to DNS requests is returned to the target rather than the spoofing hosts.
  • Recursion- It is a method of processing a DNS request in which a name server performs the request for a client by asking the authoritative name server for the name record.

DNS Amplification Attack Techniques

DNS amplification works on the concept of amplifying the response data to a target server via impersonating the IP address by an attacker. Some of the techniques which can be used for mitigating such attacks are:-
  • Source IP Verification: In this process, the Internet Service Provider target filtering on the basis of spoofed IP addresses. The filters are placed on the basis of the routers determining whether the victim’s IP address is reachable via the interface from where the packet is originated. If not, then the packet is rejected. This is termed as Network Ingress Filtering.
  • Recursion disabling and restriction on Authoritative name servers: Recursion disabling should be employed on the basis of the domain that the name server caters to. For requests on other domains, the authoritative name server should not perform recursion. As for restrictions, it should be employed for DNS servers present inside an organization’s network so that they perform recursion for authorized clients only.
  • Removal of unsecured recursive resolvers: This is deemed as the best way to mitigate such threats. But, due to abundance of open DNS resolvers on the internet, this process is practically infeasible. 
  • Response Rate Limiting: There is currently an experimental feature available as a set of patches for BIND9 that allows an administrator to limit the maximum number of responses per second being sent to one client from the name server. This functionality is intended to be used on authoritative domain name servers only as it will affect performance on recursive resolvers.

Case Study

A massive 300Gbps was thrown against Internet blacklist maintainer Spamhaus’ website but the anti-spam organisation , CloudFlare was able to recover from the attack and get its core services back up and running.
Spamhaus, a group based in both London and Geneva, is a non-profit organisation that aims to help email providers filter out spam and other unwanted content. Spamhaus is pretty resilient, as its own network is distributed across many countries, but the attack was still enough to knock its site offline.
The high attack bandwidth was made possible because attackers used misconfigured domain-name service (DNS) servers known as open recursive resolvers or open recursors to amplify a much smaller attack into a larger data flood. Known as DNS reflection, the technique used requests for a relatively large zone file that appeared to be sent from the intended victim’s network.
According to CloudFlare, it initially recorded over 30,000 DNS resolvers that were tricked into participating in the attack. There are as many as 25 million of these open recursive resolvers at the disposal of attackers. The attack was devised by a Dutch hosting company called CyberBunker.

Original Link: