The domain name system (DNS) is what translates memorable website names, like flowtraq.com, into IP addresses. When someone types a website address into a browser, the ISP “looks up” that address to find the corresponding IP address and directs the user to that site. A DNS server can also query other DNS servers on behalf of the requesting client and then send an answer back to the client – this is known as recursion.
DNS amplification attacks combine amplification (using techniques to increase the size of packets being sent to the victim network) with reflection (using a third party as an intermediary in the attack).
DNS amplification attacks are similar to Smurf and Fraggle attacks: they send a query from a spoofed IP address over a protocol (such as ICMP or UDP) that doesn’t require a three-way handshake, and the response to the query is larger than the query itself.
DNS amplification attacks (also sometimes called DNS reflection attacks) take advantage of publicly accessible open DNS servers to overwhelm a victim’s system with DNS response traffic. The attacker sends a large number of look-up requests via a botnet to a vulnerable DNS server using the spoofed IP address of the target victim. The victim’s network is then bombarded with unrequested DNS query responses, which consumes network resources and CPU time on the target machines.
DNS relies on the UDP protocol, which means there’s no verification that the source IP address in a request really belongs to the sender/requestor.
Attackers use a variety of amplification techniques to inflate the size of the UDP packets to make the attack big enough to bring down even the most robust infrastructures.
EDNS0 – Per the original DNS protocol, a 64-byte DNS query would return a UDP response no larger than 512 bytes, a potential increase of 8X. EDNS0 is a protocol extension that permits the transfer of packets larger than 512 bytes, up to 4096 bytes, increasing the potential potency of an attack by enabling perpetrators to achieve a 50X to 60X increase in traffic volume without requiring a proportional increase in bandwidth or requesting systems on their end.
ANY query – Additionally, perpetrators can use the ANY query which returns all known information about a DNS zone within a single request, thus maximizing the size of the responses sent to the victim.
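To make the EDNS0 and ANY mechanics concrete from the resolver operator's side, here is an added example (not code from the original article or from FlowTraq) that builds minimal DNS query messages in wire format, parses them back out, and flags the combination that invites the largest response: an ANY query carrying an EDNS0 OPT record that advertises a 4096-byte UDP payload. The hostname, transaction ID and risk labels are constructed for illustration; the wire layout follows RFC 1035 and RFC 6891.

```python
import struct

# Added example for this article; not FlowTraq's code. Builds and parses
# single-question DNS queries so an operator can see what an EDNS0 buffer
# size and an ANY query look like on the wire and how much amplification
# they invite relative to the query size.

QTYPE_A = 1
QTYPE_ANY = 255
QTYPE_OPT = 41
MAX_CLASSIC_UDP = 512  # RFC 1035 UDP payload limit when no OPT record is present


def encode_name(name):
    """Encode a hostname in DNS wire format: length-prefixed labels, 0-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, edns_bufsize=None, txid=0x1234):
    """Build a single-question query. If edns_bufsize is given, append an EDNS0
    OPT pseudo-record (RFC 6891) advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    # header: ID, flags (RD=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if edns_bufsize:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_bufsize, 0, 0)
    return msg


def decode_name(data, offset):
    """Decode an uncompressed wire-format name starting at offset."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def parse_query(data):
    """Return (qname, qtype, advertised UDP size) for a single-question query.
    The advertised size is 512 when the query carries no OPT record."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", data[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    off += 4
    bufsize = MAX_CLASSIC_UDP
    for _ in range(ar):
        # additional records in a query are normally just the OPT pseudo-record
        _, off = decode_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            bufsize = rclass  # for OPT, the CLASS field carries the UDP payload size
    return qname, qtype, bufsize


def amplification_risk(query_bytes):
    """Classify a query by the largest UDP response it invites relative to its size."""
    qname, qtype, bufsize = parse_query(query_bytes)
    big_edns = bufsize > MAX_CLASSIC_UDP
    if qtype == QTYPE_ANY and big_edns:
        risk = "high"
    elif qtype == QTYPE_ANY or big_edns:
        risk = "elevated"
    else:
        risk = "normal"
    return {"qname": qname, "qtype": qtype, "bufsize": bufsize,
            "query_len": len(query_bytes),
            "max_ratio": round(bufsize / len(query_bytes), 1), "risk": risk}


if __name__ == "__main__":
    # constructed sample queries for the hypothetical name flowtraq.com
    for q in (build_query("flowtraq.com", QTYPE_A),
              build_query("flowtraq.com", QTYPE_ANY),
              build_query("flowtraq.com", QTYPE_ANY, edns_bufsize=4096)):
        print(amplification_risk(q))
```

The ratio reported is an upper bound (the advertised buffer divided by the query length), which is the number a resolver operator cares about when deciding whether to rate-limit or refuse ANY queries over UDP; the actual response size depends on the zone. The parser handles only uncompressed names, which is all a query's question section contains.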
Many organizations running DNS servers leave them open and willing to respond to any IP address that queries them, and DNS amplification attacks take advantage of DNS servers that support open recursive relay. There are plenty of tools available that help hackers identify DNS servers with open resolvers, and there are millions of them on the internet at any given time. It’s important to note that these servers aren’t compromised; they are functioning as intended, but attackers are exploiting this functionality for malicious purposes.
The DDoS amplification technique has been linked to DDoS-for-hire services, which means that perpetrators don’t need the requisite knowledge or resources themselves to be able to attack a victim.
Despite the fact that this approach has been around for a long time, the number of DNS amplification attacks is increasing. It has been reported that there was a 200% increase in DNS amplification attacks between 2012 and early 2015.
DNS amplification attacks can be very large (measured in gigabits per second, or Gbps) and can be big enough to cripple even a large hosting organization.
According to Akamai’s Security Bulletin: DNSSEC Amplification DDoS, there are a number of industries that are particularly vulnerable to DNS amplification attacks. Gaming is the biggest, accounting for over half (52%) of attacks. Financial services, media, high tech/consulting, and SaaS enablement companies also feel the heat. In fact, one of the larger DNS amplification attacks that Akamai mitigated was a financial services organization that was pummeled at peak with 45 Gbps bandwidth and 5.2 million packets per second.
It’s hard to protect against this kind of attack as it comes from valid-looking servers with valid-looking traffic. For reflectors, there’s no way of knowing that the request is spoofed, and for victims, the traffic they are receiving is “legitimate” – it’s the original requests that initiated that traffic that were malicious.
Organizations that operate DNS servers have a responsibility to be good corporate citizens and prevent the use of those servers as intermediaries in an attack.
Victims of DNS amplification attacks will be overwhelmed by traffic from legitimate DNS servers. You need to be able to identify when a large number of DNS responses that you didn’t ask for are coming into the network. Keeping track of requests and responses can be difficult, but network flow analysis tools can help here as well to quickly – within seconds – detect a high volume of incoming DNS responses and immediately trigger mitigation.
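The detection logic described above can be run over flow records directly. The following is an added example (not code from the original article or from FlowTraq's product) that correlates outbound DNS queries with inbound DNS responses within a time window and raises an alert when a host receives more unsolicited response bytes than a threshold. The flow records, the monitored prefix (198.51.100.0/24) and the reflector addresses are constructed sample data, and the field layout is a simplified stand-in for what a NetFlow/IPFIX exporter would provide.

```python
from collections import defaultdict

# Added example for this article; not FlowTraq's code. Each constructed flow
# record is a unidirectional summary: (start time in seconds, src IP, src port,
# dst IP, dst port, protocol, bytes, packets).
UDP = 17
OUR_PREFIX = "198.51.100."  # constructed: the monitored network (RFC 5737 range)

FLOWS = [
    # normal: a client in our network asks its resolver and gets a small answer
    (0.0, "198.51.100.10", 40001, "203.0.113.53", 53, UDP, 70, 1),
    (0.1, "203.0.113.53", 53, "198.51.100.10", 40001, UDP, 190, 1),
    # attack: open resolvers send large responses that nobody here requested
    (1.0, "192.0.2.11", 53, "198.51.100.20", 53, UDP, 3_900_000, 1000),
    (1.2, "192.0.2.12", 53, "198.51.100.20", 53, UDP, 4_100_000, 1050),
    (1.5, "192.0.2.13", 53, "198.51.100.20", 53, UDP, 3_700_000, 980),
    # a stray unsolicited response: unmatched but far too small to matter
    (2.0, "203.0.113.54", 53, "198.51.100.30", 41000, UDP, 250, 1),
]


def detect_dns_reflection(flows, window=5.0, byte_threshold=1_000_000):
    """Return one alert per (window, victim) whose unsolicited inbound DNS-response
    bytes reach byte_threshold. A response is 'solicited' when the same window
    contains the matching outbound query (client IP, client port, resolver IP)."""
    buckets = defaultdict(list)
    for f in sorted(flows, key=lambda f: f[0]):
        buckets[int(f[0] // window)].append(f)

    alerts = []
    for idx in sorted(buckets):
        solicited = set()
        unsolicited_bytes = defaultdict(int)
        reflectors = defaultdict(set)
        for _ts, src, sport, dst, dport, proto, nbytes, _pkts in buckets[idx]:
            if proto != UDP:
                continue
            if src.startswith(OUR_PREFIX) and dport == 53:
                # outbound query: remember who asked whom from which port
                solicited.add((src, sport, dst))
            elif dst.startswith(OUR_PREFIX) and sport == 53:
                # inbound response: legitimate only if we saw the query
                if (dst, dport, src) not in solicited:
                    unsolicited_bytes[dst] += nbytes
                    reflectors[dst].add(src)
        for victim, total in unsolicited_bytes.items():
            if total >= byte_threshold:
                alerts.append({
                    "window_start": idx * window,
                    "victim": victim,
                    "unsolicited_bytes": total,
                    "reflectors": len(reflectors[victim]),
                    "mbps": round(total * 8 / window / 1e6, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_reflection(FLOWS):
        print(alert)
```

The alert carries the number of distinct reflectors, which is the tell-tale shape of this attack: many legitimate resolvers, each sending large answers to one host that never queried them. The fixed-window bucketing is a simplification; a production detector keeps a sliding table of recent outbound queries so a response that lands just after a window boundary is not misclassified, and it would typically key the threshold on packets per second as well as bytes.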
FlowTraq monitors network flow traffic in real time and immediately detects deviations that indicate DDoS attacks, network reconnaissance, and other unwanted behavior on the network so you can act fast. FlowTraq detects a large range of DDoS attacks, including DNS amplification attacks, within seconds and can automatically trigger mitigations to leading DDoS scrubbers (including A10 TPS, Verisign and others) or black hole routes. In addition to helping you defend against DDoS attacks, FlowTraq can detect a wide range of other undesirable behavior in the network, including scanning, data exfiltration, insider threats, and more.