
How DNS Could Be Used Against You – Diving into DNS Amplification Attacks

The Domain Name System (DNS) is a vital protocol for all internet traffic: it translates human-readable domain names into the IP addresses that are used to route traffic across the internet. Unfortunately, as with most useful things, malicious actors have turned a helpful protocol into the basis of a potentially devastating cyber-attack. One type of Distributed Denial-of-Service (DDoS) attack that abuses DNS is the DNS Amplification DDoS, which directs a large volume of network traffic at a target and seeks to consume as much network and routing capacity as possible in order to interfere with legitimate internet traffic.

How DNS Amplification attacks work.

Since DNS mainly uses the User Datagram Protocol (UDP) on port 53, rather than the Transmission Control Protocol (TCP) with its 3-way handshake, there is no connection setup that verifies who sent a query, so a malicious actor can change or spoof the source IP address. A DNS Amplification DDoS attack begins with the attacker crafting DNS queries whose source IP address is set to the target’s and sending them to many open DNS resolvers. To reach DDoS levels of query traffic, attackers most often employ a botnet to send the queries. The queries are chosen so that their answers are as large as possible, maximizing the amplification effect; the most common approach is the “ANY” query type, which returns a large sample of the resource records in the zone. Because the source information is spoofed, each resolver believes the request originated from the victim’s IP address and sends its much larger answer there. The flood of answers exhausts the victim’s network resources until it can no longer respond to legitimate internet requests, and a Denial of Service results. The answer to an “ANY” query can be very large, as the following example illustrates:
$ dig -t any vercara.com

; <<>> DiG 9.10.6 <<>> -t any vercara.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15390
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vercara.com.      IN  ANY

;; ANSWER SECTION:
vercara.com.    86400  IN  DNSKEY  256 3 13 dE6s1HOxkeQZLbSuet+kCGN15Rk3szwW0u9/biJ88DRnsTx8CVMdbJQf w/tpydW9rEdXKIoLfXKNy5UxsEeWuw==
vercara.com.    86400  IN  DNSKEY  257 3 13 pE1bE4bVxZJBtjqT27OQlmnaxgEIGv5RYKidyjosVKjCZRrcrwzSMide F1ChS7IhLSigUu5FmdZ0dFUBYEw4sA==
vercara.com.    86400  IN  RRSIG  DNSKEY 13 2 86400 20240817002242 20240219002242 42145 vercara.com. PskXijNvHQQHbw2rdS0FMd8W3YpYYiFYy43ZZV6fvI54BlyeW6l/8Y0Q JDSmvR44wCW9fVn8zSYAKc3+WC5r/A==
vercara.com.    86400  IN  NS  pdns196.ultradns.co.uk.
vercara.com.    86400  IN  NS  pdns196.ultradns.net.
vercara.com.    86400  IN  NS  pdns196.ultradns.org.
vercara.com.    86400  IN  NS  pdns196.ultradns.com.
vercara.com.    86400  IN  NS  pdns196.ultradns.info.
vercara.com.    86400  IN  NS  pdns196.ultradns.biz.
vercara.com.    86400  IN  RRSIG  NS 13 2 86400 20240817002242 20240219002242 4208 vercara.com. hgqL1VLboWW4rDrQxloPhNIwxeTIZWayydAQWrK0Qn+GYGT83R5EQXe2 q6KdEAuwHu8DqJ8BfgK0+jnEa3IklA==

;; ADDITIONAL SECTION:
pdns196.ultradns.info.  498  IN  A  156.154.68.196
pdns196.ultradns.info.  85744  IN  AAAA  2610:a1:1016::e8
pdns196.ultradns.biz.  2928  IN  A  156.154.66.196
pdns196.ultradns.biz.  84863  IN  AAAA  2610:a1:1015::e8
pdns196.ultradns.co.uk.  1969  IN  A  156.154.69.196
pdns196.ultradns.co.uk.  84811  IN  AAAA  2610:a1:1017::e8
pdns196.ultradns.net.  1015  IN  A  156.154.65.196
pdns196.ultradns.net.  82122  IN  AAAA  2610:a1:1014::e8
pdns196.ultradns.org.  1588  IN  A  156.154.67.196
pdns196.ultradns.org.  74792  IN  AAAA  2001:502:4612::e8
pdns196.ultradns.com.  1637  IN  A  156.154.64.196
pdns196.ultradns.com.  85547  IN  AAAA  2001:502:f3ff::e8
A query on a ten-character hostname yielded 10 answer records and 13 additional records, a response many times the size of the question. With this kind of amplification, it does not take many queries to generate a very large volume of response traffic.
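The resolver-side view of this traffic, as an added example that is not part of the original article: a Python script that reads constructed per-query records in a hypothetical `ts src dst qtype qlen rlen` format (the format, addresses and sizes are all assumptions made for the example) and flags sources whose queries are answered with responses many times the size of the question. On an abused resolver, the apparent source of such a burst is the spoofed victim address, which is why the aggregation is keyed on `src`.

```python
"""Flag candidate DNS amplification traffic in per-query records.

Added example, not code from the article. The records are constructed, in a
hypothetical "ts src dst qtype qlen rlen" format: epoch seconds, client
address as seen by the resolver, resolver address, query type, query bytes,
response bytes. A burst of ANY queries that all appear to come from one
address, each answered with a response tens of times larger than the
question, is the resolver-side signature of reflection abuse.
"""
from collections import defaultdict

# Constructed sample: one spoofed "client" (the victim) repeating ANY
# queries, plus two genuine clients doing ordinary lookups.
SAMPLE_RECORDS = """\
1700000000 203.0.113.7 198.51.100.53 ANY 40 3200
1700000000 203.0.113.7 198.51.100.53 ANY 40 3200
1700000001 203.0.113.7 198.51.100.53 ANY 40 3200
1700000001 192.0.2.10 198.51.100.53 A 33 49
1700000001 203.0.113.7 198.51.100.53 ANY 40 3200
1700000002 192.0.2.11 198.51.100.53 AAAA 33 61
1700000002 203.0.113.7 198.51.100.53 ANY 40 3200
"""


def parse_records(text):
    """Parse one whitespace-separated record per line; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, qtype, qlen, rlen = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "qtype": qtype,
                        "qlen": int(qlen), "rlen": int(rlen)})
    return records


def amplification_factor(record):
    """Response bytes per query byte for a single exchange."""
    return record["rlen"] / record["qlen"]


def find_amplification(records, min_factor=10.0, min_queries=3, window=5):
    """Return {src: summary} for sources with at least `min_queries` highly
    amplified exchanges inside any `window`-second span."""
    by_src = defaultdict(list)
    for rec in records:
        if amplification_factor(rec) >= min_factor:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window over timestamps: largest burst within `window` seconds.
        burst, lo = 0, 0
        for hi in range(len(recs)):
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            burst = max(burst, hi - lo + 1)
        if burst < min_queries:
            continue
        query_bytes = sum(r["qlen"] for r in recs)
        response_bytes = sum(r["rlen"] for r in recs)
        findings[src] = {
            "queries": len(recs),
            "query_bytes": query_bytes,
            "response_bytes": response_bytes,
            "factor": response_bytes / query_bytes,
            "qtypes": sorted({r["qtype"] for r in recs}),
            "max_burst": burst,
        }
    return findings


if __name__ == "__main__":
    for src, summary in find_amplification(parse_records(SAMPLE_RECORDS)).items():
        print(f"{src}: {summary['queries']} queries, "
              f"{summary['response_bytes']} response bytes, "
              f"x{summary['factor']:.0f} amplification, qtypes={summary['qtypes']}")
```

The thresholds are deliberately conservative: an ordinary A lookup in the sample amplifies by less than 2x and is ignored, while the repeated ANY exchanges amplify by 80x and are reported together with the total response bytes directed at the spoofed source, which is the number a victim's link actually has to absorb.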

Impacts of DNS Amplification attacks.

Organizations that are the victims of a DNS Amplification DDoS attack could experience several impacts on their business operations.
  • Service Disruption: The main objective of a DNS Amplification attack is to overwhelm a targeted system with unsolicited traffic so that its resources are no longer available for legitimate internet traffic. These attacks can affect websites, online services, or critical infrastructure.
  • Financial Losses: Businesses that rely on e-commerce and online services may see a decline in online transactions and therefore a decrease in revenue.
  • Potential Data Breaches: Malicious actors could use a DNS Amplification DDoS attack to deliberately overload Security Operations Center (SOC) or Computer Emergency Response Team (CERT) personnel, or as an attempt to push organizations into reducing their detection and alerting. While an organization dedicates its resources to mitigating the DDoS attack, a malicious actor could inject malware or ransomware into the network and steal sensitive data.
  • Business Reputation: Organizations that experience service outages, prolonged downtime, or compromised security can erode customers’ trust and confidence.

Mitigating DNS Amplification attacks.

There are several things that organizations could implement to help mitigate against a DNS Amplification DDoS attack.
  • Utilizing a DDoS mitigation service: These specialized services offer comprehensive protection against DDoS attacks, such as DNS amplification, and can handle these large attacks. They employ advanced filtering techniques and can absorb large traffic spikes.
  • Deploy DDoS mitigation equipment on premises: Some organizations that operate DNS servers may choose to deploy dedicated DDoS scrubbing equipment in their data centers to protect the DNS infrastructure. This can be effective if the organization has sufficient bandwidth to withstand the size of the attacks.
  • Proper DNS server configuration: Ensuring that Recursive/Resolver DNS servers are configured properly and securely will help to minimize the risk of them being exploited and used in a DNS Amplification DDoS attack.
    • Disable open recursion: Restrict DNS servers from providing recursive service to external sources, and limit DNS queries to authorized clients only.
    • Implement proper access controls: Configuring access controls that allow DNS queries only from trusted IP addresses helps prevent unauthorized parties from using the DNS server maliciously.
  • Rate limiting: Deploy rate-limiting tools on DNS servers that restrict the number of responses sent to a specific IP address within a pre-defined timeframe. This mitigates the impact of amplification by limiting the rate at which responses are generated and sent.
  • IP spoofing prevention: Implement measures that prevent IP address spoofing, such as Source Address Validation (SAV) as detailed in Best Current Practice (BCP) 38, which ensures that packets entering the internet carry a legitimate source IP address.
  • Traffic filtering: Firewalls as well as Intrusion Prevention Systems/Intrusion Detection Systems (IPS/IDS) can identify and block DNS Amplification traffic by detecting patterns that are indicative of amplification-style attacks.
  • Monitoring and anomaly detection: Rigorous network monitoring systems can identify unusual network patterns that may indicate a DDoS attack. Early detection allows organizations to respond to cyber-attacks in a timely manner.
  • Incident response planning: Organizations must have detailed procedures in place that outline how to respond to cyber-attacks, who in the organization needs to be contacted and within what timeframe, and what steps must be taken to recover affected systems. The procedures should be rehearsed and drilled periodically to validate that they remain current and accurate for the business’s operations.
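The recursion access-control and rate-limiting items above, modelled in Python as an added example (not the article’s code, nor the code of any DNS server): a recursion ACL that refuses clients outside trusted networks, and a simplified per-client-network token bucket with a “slip” that truncates every Nth over-limit response so a genuine client retries over TCP, where the source address cannot be spoofed. The trusted networks, limits and query burst are constructed values chosen for the illustration.

```python
"""Resolver-side mitigations modelled as a small, deterministic simulation.

Added example, not code from the article or from any DNS server software.
It models two controls from the mitigation list: a recursion ACL (only
trusted client networks receive recursive service; everyone else gets
REFUSED) and response rate limiting per client network and answer, with a
"slip" that truncates every Nth over-limit response. A truncated (TC=1)
answer is tiny, so it cannot amplify, and a real client will retry over
TCP. Networks, limits and the query burst are constructed values.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed ACL: only these client networks may use the resolver recursively.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]


class RateLimitedResolver:
    def __init__(self, allow_recursion, responses_per_second=5, slip=2, prefix_len=24):
        self.allow_recursion = allow_recursion
        self.rps = responses_per_second   # bucket size and refill rate
        self.slip = slip                  # truncate every Nth over-limit response (0 = never)
        self.prefix_len = prefix_len      # aggregate clients per /24
        self.buckets = {}                 # key -> (tokens, last_ts)
        self.over_limit = defaultdict(int)

    def recursion_allowed(self, client):
        addr = ipaddress.ip_address(client)
        return any(addr in net for net in self.allow_recursion)

    def _key(self, client, qname, qtype):
        # Rate-limit on client network plus the answer being requested, so one
        # spoofed address cannot draw an unlimited stream of identical large answers.
        net = ipaddress.ip_network(f"{client}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def handle(self, ts, client, qname, qtype):
        """Return REFUSED, ANSWER, TRUNCATE or DROP for one query arriving at time ts."""
        if not self.recursion_allowed(client):
            return "REFUSED"
        key = self._key(client, qname, qtype)
        tokens, last_ts = self.buckets.get(key, (float(self.rps), ts))
        # Refill `rps` tokens per elapsed second, never beyond the bucket size.
        tokens = min(float(self.rps), tokens + (ts - last_ts) * self.rps)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, ts)
            return "ANSWER"
        self.buckets[key] = (tokens, ts)
        self.over_limit[key] += 1
        if self.slip and self.over_limit[key] % self.slip == 0:
            return "TRUNCATE"
        return "DROP"


def simulate_burst(n_queries=12, ts=0.0):
    """Constructed burst: n identical ANY queries that appear to come from one
    trusted address within the same second, plus one query from outside the ACL."""
    resolver = RateLimitedResolver(TRUSTED_NETWORKS)
    results = Counter()
    for _ in range(n_queries):
        results[resolver.handle(ts, "192.0.2.77", "vercara.com", "ANY")] += 1
    results[resolver.handle(ts, "203.0.113.9", "vercara.com", "ANY")] += 1
    return dict(results)


if __name__ == "__main__":
    print(simulate_burst())  # {'ANSWER': 5, 'DROP': 4, 'TRUNCATE': 3, 'REFUSED': 1}
```

Of twelve identical ANY queries in one second, five are answered at full size, the rest are either dropped or answered with an empty truncated response; the outside client is refused outright. Keying the bucket on the client network rather than the exact address keeps an attacker from sidestepping the limit by spoofing many addresses within the victim’s prefix.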
While the Domain Name System (DNS) plays a crucial role in navigating the online world, it can unfortunately be exploited for malicious purposes like DNS amplification DDoS attacks. These attacks pose a significant threat to organizations, potentially causing service disruption, financial losses, data breaches, and reputational damage. However, by implementing the mitigation strategies outlined – from proper server configuration to incident response planning and DDoS mitigation services – organizations can significantly strengthen their defenses. Remember, staying vigilant and proactive in cybersecurity is key to safeguarding your online presence in today’s ever-evolving digital landscape. To learn more about how Vercara’s UltraDNS can help defend against DNS amplification attacks, visit our product page.
Last Updated: April 17, 2024