DNS Amplification Attack

Recently a new type of DNS attack has been discovered. Attackers are exploiting recursive name servers to amplify DDoS attacks by using IP spoofing. If you want to know the details of how this attack works, you must read DNS Amplification Attacks (pdf) by Randal Vaughn and Gadi Evron, where they analyze 3 real attacks. This Cnet news article also has some details about the attack.

At the heart of this attack is the recursive function of DNS servers. This is a very serious threat because The Measurement Factory, in a recent survey, found that:

There are an estimated 7.5 million external DNS servers on the public Internet. Over 75% of domain name servers (of roughly 1.3 million sampled) allow recursive name service to arbitrary queriers. This opens a name server to both cache poisoning and attacks.

Here I’ve drawn diagrams to explain what a recursive DNS query is and how DNS amplification attacks work.

Normal DNS query (Recursive)

Step 1: The user’s PC with IP address "My IP Address" makes a DNS query to the Primary DNS Server configured in its TCP/IP properties, asking it to resolve the IP address of some-webserver.com.

Steps 2 to 7 (Recursive Query): The user’s Primary DNS Server is not authoritative for the domain some-webserver.com, so it asks the Root Servers, which point it to the .com namespace servers, from which it learns the Primary DNS Server of some-webserver.com; that server replies with the IP address of some-webserver.com.

Step 8: The IP address of some-webserver.com is cached in the user’s Primary DNS Server, which replies to the user’s PC with the IP address of some-webserver.com.

DNS Amplification Attack

Step 1: The attacker sends a signal to the compromised PCs to start sending DNS queries.

Step 2: All compromised PCs, using the spoofed source IP address "Victim IP Address", make a DNS query to the Primary DNS Servers configured in their TCP/IP properties, asking them to resolve the IP address of some-webserver.com.

Steps 3 to 8 (Recursive Query): The users’ Primary DNS Servers are not authoritative for the domain some-webserver.com, so they ask the Root Servers, which point them to the .com namespace servers, from which they learn the Primary DNS Server of some-webserver.com; that server replies with the IP address of some-webserver.com.

Step 9: The IP address of some-webserver.com is cached in the users’ Primary DNS Servers, and they reply to the Victim’s Server (Victim IP Address) with the IP address of some-webserver.com. The reply goes to the Victim’s Server because the attacker used this spoofed source IP address. The matter is made worse because the reply can be amplified by a factor of up to 73.

This is how DNS amplification occurs, according to DNS Amplification Attacks:

DNS amplification occurs due to the response packet being significantly larger than that of the query. If an Open Resolver receives an EDNS (RFC 2671) query containing a large buffer advertisement, its reply to the possibly-spoofed requesting IP address can be quite large. A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes amplifying the response packet by a factor of 60.

If, for example, the response consists of a 122 byte A type response, a 4000 byte TXT response, and a 222 byte SOA response, the total response consists of 4320 bytes. This yields an amplification factor of 73.
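To make the size ratio concrete, here is an added example (my code for this article, not from the paper or any resolver) that builds a constructed recursive query carrying an EDNS0 OPT record with a large UDP payload advertisement, builds a constructed reply with A, TXT and SOA records for some-webserver.com, parses both, and computes the response/query byte ratio. The threshold of 10 in assess() is an assumed value a monitoring tool might use to flag large recursive replies; the record contents and 192.0.2.10 are constructed sample data.

```python
import struct

# Added example: minimal DNS wire-format builder/parser to measure the
# query/response size ratio ("amplification factor"). Constructed data only.


def encode_name(name):
    """Encode 'some-webserver.com' as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=255, txn_id=0x1234, edns_udp_size=None):
    """Recursive query (RD=1). qtype 255 = ANY. An optional EDNS0 OPT record
    (RFC 2671) advertises the UDP payload size, which is what lets a reply
    exceed the classic 512-byte UDP limit."""
    flags = 0x0100  # RD bit
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT pseudo-RR: root name, type 41, CLASS field = UDP size, TTL 0, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return pkt


def build_response(query, answers, ttl=300):
    """Constructed reply: echoes the question, then one RR per (type, rdata)
    using a compression pointer (0xC00C) to the question name as owner."""
    txn_id, = struct.unpack("!H", query[:2])
    question_end = query.index(b"\x00", 12) + 1 + 4  # name terminator + QTYPE/QCLASS
    question = query[12:question_end]
    flags = 0x8180  # QR=1, RD=1, RA=1
    pkt = struct.pack("!HHHHHH", txn_id, flags, 1, len(answers), 0, 0) + question
    for rrtype, rdata in answers:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", rrtype, 1, ttl, len(rdata)) + rdata
    return pkt


def parse(pkt):
    """Parse the header, the question, and (for queries) the EDNS0 UDP size."""
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    labels, pos = [], 12
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    pos += 4
    info = {"id": txn_id, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "qname": ".".join(labels), "qtype": qtype,
            "answers": an, "edns_udp_size": None, "size": len(pkt)}
    # In a query with no answers, the additional section starts right here.
    if not info["qr"] and ar and pkt[pos] == 0:
        rrtype, udp_size = struct.unpack("!HH", pkt[pos + 1:pos + 5])
        if rrtype == 41:
            info["edns_udp_size"] = udp_size
    return info


def amplification_factor(query, response):
    return len(response) / len(query)


def assess(query, response, threshold=10.0):
    """Return (factor, flagged). A recursive reply (RD in, RA out) many times
    larger than its query is the traffic shape an amplification victim sees."""
    q, r = parse(query), parse(response)
    factor = round(amplification_factor(query, response), 1)
    return factor, (q["rd"] and r["ra"] and factor >= threshold)


# Constructed sample traffic (not captured data).
QUERY = build_query("some-webserver.com", qtype=255, edns_udp_size=4096)
A_RDATA = bytes([192, 0, 2, 10])                                  # 192.0.2.10
TXT_RDATA = b"".join(b"\xfa" + b"x" * 250 for _ in range(16))     # 16 x 251 = 4016 bytes
SOA_RDATA = (encode_name("ns1.some-webserver.com")
             + encode_name("hostmaster.some-webserver.com")
             + struct.pack("!IIIII", 2007020701, 3600, 600, 86400, 300))
RESPONSE = build_response(QUERY, [(1, A_RDATA), (16, TXT_RDATA), (6, SOA_RDATA)])
SMALL_RESPONSE = build_response(QUERY, [(1, A_RDATA)])

if __name__ == "__main__":
    print("query bytes:", len(QUERY), "advertised UDP size:", parse(QUERY)["edns_udp_size"])
    print("A+TXT+SOA reply:", len(RESPONSE), "bytes ->", assess(QUERY, RESPONSE))
    print("A-only reply:", len(SMALL_RESPONSE), "bytes ->", assess(QUERY, SMALL_RESPONSE))
```

The 47-byte query here is a little smaller than the paper’s 60-byte figure because it carries only one question and the OPT record, and the constructed 4167-byte reply is a little larger than the paper’s 4320-byte total would be with real record sizes; the point is the shape of the calculation, not the exact numbers. Running the same measurement over a resolver’s own query logs (reply size divided by query size, grouped by destination address) is a practical way to spot when it is being used as a reflector.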

Solution:

1. Disable the recursive functionality of DNS servers, or limit it to the clients in your network.

2. Separate the DNS servers that are authoritative for some domains from the ones used by internal users to resolve names.

3. Implement spoofing counter-measures such as those suggested in BCP 38.
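The three measures above can be expressed as packet-handling policy, and the following added example (mine, not code from any DNS server or router vendor) simulates them on a handful of constructed packets: the edge applies a BCP 38 ingress filter per interface, then the name server answers for the zones it hosts from anywhere but recurses only for internal clients. The interface names lan0/wan0, the address ranges, and the hosted zone some-webserver.com are assumptions for the example.

```python
import ipaddress

# Added example: the article's three counter-measures as a simple policy.
# All prefixes, interfaces and packets below are constructed sample data.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
AUTHORITATIVE_ZONES = {"some-webserver.com"}       # zones this server hosts (assumed)

# BCP 38: the source prefix legitimately expected on each edge interface.
# None on the WAN side means "any address that is not one of ours".
INGRESS_PREFIXES = {"lan0": ipaddress.ip_network("10.0.0.0/8"), "wan0": None}


def in_any(ip, nets):
    return any(ip in n for n in nets)


def bcp38_accept(src_ip, iface):
    """Ingress filter. A LAN-side packet must carry a LAN source address, so a
    bot inside the network cannot send queries stamped with a victim's public
    address; a WAN-side packet must not claim one of our internal addresses."""
    ip = ipaddress.ip_address(src_ip)
    expected = INGRESS_PREFIXES[iface]
    if expected is not None:
        return ip in expected
    return not in_any(ip, INTERNAL_NETS)


def resolver_decision(src_ip, qname, rd):
    """Name-server policy (solutions 1 and 2): authoritative answers for hosted
    zones go to anyone; recursion is served only to internal clients."""
    ip = ipaddress.ip_address(src_ip)
    hosted = any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)
    if hosted:
        return "answer-authoritative"
    if rd and in_any(ip, INTERNAL_NETS):
        return "recurse"
    return "refused"


def handle(packet):
    """packet = {"src", "iface", "qname", "rd"}: edge filter first, then resolver."""
    if not bcp38_accept(packet["src"], packet["iface"]):
        return "dropped-bcp38"
    return resolver_decision(packet["src"], packet["qname"], packet["rd"])


SAMPLE_PACKETS = [  # constructed; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges
    {"src": "10.1.2.3", "iface": "lan0", "qname": "example.net", "rd": True},         # internal client
    {"src": "198.51.100.7", "iface": "wan0", "qname": "some-webserver.com", "rd": True},  # outsider, hosted zone
    {"src": "198.51.100.7", "iface": "wan0", "qname": "example.net", "rd": True},      # outsider wants recursion
    {"src": "203.0.113.9", "iface": "lan0", "qname": "example.net", "rd": True},       # LAN bot spoofing a public victim
    {"src": "10.1.2.3", "iface": "wan0", "qname": "example.net", "rd": True},          # outsider spoofing an internal address
]


def run(packets=SAMPLE_PACKETS):
    return [handle(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE_PACKETS, run()):
        print(f'{p["iface"]:5} {p["src"]:14} {p["qname"]:20} -> {verdict}')
```

In BIND the resolver half of this policy is the `recursion no;` option on an authoritative-only server, or `allow-recursion { 10.0.0.0/8; };` on the server your internal users point at; the BCP 38 half lives on the edge router or firewall, not on the name server. Packet 4 is the case that matters for this attack: the spoofed query never reaches the resolver, so no amplified reply is sent to the victim.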

This article originally appeared in Nirlog.com

Posted by Niranjan on February 7th, 2007 in Tips |

14 Responses to 'DNS Amplification Attack'


  1. Rajya Deep said,

    on October 13th, 2008 at 3:37 am

    Wow really a good explanation of the DNS amplification attack with the picture of the process…

  2. Usługa DNS said,

    on April 30th, 2010 at 1:47 pm

    [...] Fig. 2 shows the diagram of a standard DNS query. Fig. 2 DNS queries Source: http://securitytnt.com/dns-amplification-attack/ – information as of 1 October [...]


  3. on November 10th, 2011 at 3:19 pm

    [...] Also see: http://securitytnt.com/dns-amplification-attack/ [...]

  4. Holley said,

    on July 1st, 2013 at 2:44 am

    I’m not sure exactly why but this weblog is loading extremely slow for me. Is anyone else having this problem or is it an issue on my end? I’ll check back later and see if the problem still exists.

  7. on August 6th, 2013 at 12:51 pm

    Wow that was unusual. I just wrote an incredibly long comment but after I clicked submit my comment didn’t appear. Grrrr… well I’m not writing all that over again. Anyway, just wanted to say fantastic blog!

  12. on February 16th, 2014 at 10:58 pm

    Excellent way of describing, and nice post to get data about my presentation subject matter, which I am going to present in academy.


  13. on February 19th, 2014 at 9:50 am

    Undeniably believe that which you said. Your favorite reason appeared to be on the web the simplest thing to be aware of. I say to you, I definitely get annoyed while people think about worries that they plainly don’t know about. You managed to hit the nail upon the top and also defined out the whole thing without having side-effects, people can take a signal. Will probably be back to get more. Thanks
