Anatomy of An Attack – DNS Amplification

Anatomy of An Attack – DNS Amplification

February 9, 2017 | Adeline Zhang

Author: Vann Abernethy, Field CTO

Overview

DNS amplification attacks ramp up the power of a botnet when targeting a victim.  The basic technique of a DNS amplification attack is to spoof the IP of the intended target and send a request for a large DNS zone file to any number of open recursive DNS servers.  The DNS servers blindly respond to the request, sending the large DNS zone response to the attack target.

Victim of Attack Vector

As an example, a recent Spamhouse attack saw request data of roughly 36 bytes in length, while the response data was around 3000 bytes, meaning the attackers effectively amplified the bandwidth used by a factor of 100.  Additionally, because the responses exceeded the MTU, the packets were fragmented and the required reassembly further exasperated the problem.

Remediation Recommendations

At its core, this style of attack is an IP spoofing attack.  A good first step to protect yourself is to implement BCP38 (Best Common Practices) which helps cut down on IP spoofing.  Additionally, recursive servers should be restricted to your enterprise (or at most, B2B customers), and authoritative servers should be configured to use DNS Response Rate Limiting.  A final good step is to either to obtain a mitigation service or purchase equipment that provides purpose-built DDoS defense.  Most commercial anti-DDoS services and equipment providers have advanced anti-spoofing technologies built in that act as a good catch-all for even the most sophisticated attacks.