Distributed Denial of Service (DDoS) attacks can take multiple forms that disrupt the regular operation of a site or online service. Last week, the largest DDoS on record hit the Internet leveraging what is known as a DNS Amplification attack.
The U.S. Government's US-CERT is now warning about the risks associated with DNS Amplification attacks and providing some guidance on how they can be mitigated.
DNS servers provide the core infrastructure for the Internet that help to direct traffic to the correct IP address location. In a DNS Amplification attack, the attacker takes advantage of misconfiguration in a DNS server in order to flood a server with DNS response traffic, creating a DDoS condition.
The weak link in the DNS chain that enables the amplification attack is a misconfigured open recursive DNS server. The root cause of the misconfiguration is that the recursive DNS server is not set to only respond to local queries and instead is open to queries from any system.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"The basic attack technique consists of an attacker sending a DNS name lookup request to an open recursive DNS server with the source address spoofed to be the victim's address," US-CERT explains. "When the DNS server sends the DNS record response, it is sent instead to the victim. Because the size of the response is typically considerably larger than the request, the attacker is able to amplify the volume of traffic directed at the victim. "
Attackers can enhance the DNS Amplification attack further if they have a botnet which is then able to make even more DNS requests, increasing the size of the DDoS attack.
Incorrectly configured recursive DNS servers are not a new phenomena on the Internet. Back in 2007, DNS services vendor Infoblox found that over half of the DNS servers it surveyed at the time, were wide open to recursive queries from anywhere.
Matthew Prince, co-founder and CEO of CloudFlare, the Content Delivery Network at the center of the massive DDoS attack last week is among those that has been highlighting the risks of open recursive DNS resolvers.
"Unlike traditional botnets which could only generate limited traffic because of the modest Internet connections and home PCs they typically run on, these open resolvers are typically running on big servers with fat pipes," Prince wrote. "They are like bazookas and the events of the last week have shown the damage they can cause."
The Open Resolver Project (openresolverproject.org) has collected a list of 27 million open DNS resolvers that respond to queries. In their estimation, 25 million of those resolvers represent a risk to the Internet.
IT administrators can use the OpenResolver site to search their IP space to see if they have an open recursive resolver that the project has already publicly indexed. A similar tool is available from The Measurement Factory with its Open Resolver Test (http://dns.measurement-factory.com/cgi-bin/openresolvercheck.pl/). DNSInspect (http://www.dnsinspect.com/) also provides an online tool for administrators to check for misconfigured DNS servers.
The first step in preventing and mitigating against the risks of DNS Amplification attacks is to properly configure recursive DNS servers.
US-CERT advises that many DNS servers are intended to only be used for a single domain and should not enable recursion at all.
"For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver should be configured to only allow queries on behalf of authorized clients," US-CERT advises. "These requests should typically only come from clients within the organization’s network address range."
Going a step further, DNS Amplification attacks use spoofed IP addresses. US-CERT suggests that Internet Service Providers deny any DNS traffic with spoofed addresses. The suggestion that ISPs deny spoofed IP addresses is not a new idea. The IETF issued a 'Best Current Practice' document in 2000, advising ISPs to filter traffic for forged IP addresses.