Anatomy of an attack – DNS amplification

December 14, 2015 | NSFOCUS

Track:  Technical

Author: Vann Abernethy, Field CTO, NSFOCUS

DNS amplification attacks ramp up the power of a botnet when targeting a victim.  The basic technique of a DNS amplification attack is to spoof the source IP address of the intended target and send a request for a large DNS zone file to any number of open recursive DNS servers.  The DNS servers blindly respond to the request, sending the large DNS zone response to the attack target. As an example, a recent Spamhaus attack saw request data of roughly 36 bytes in length, while the response data was around 3000 bytes, meaning the attackers effectively amplified the bandwidth used by a factor of 100.  Additionally, because the responses exceeded the MTU, the packets were fragmented, and the reassembly required at the target further exacerbated the problem.
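The byte ratio described above is also a usable detection signal on the defender's side: a host that is receiving far more DNS response bytes than it ever sent in queries is very likely the spoofed target of reflected traffic. The Python script below is an added example, not code from the original NSFOCUS post; the record format, addresses, sizes and thresholds are constructed to mirror the numbers quoted in the text (36-byte queries, roughly 3000-byte responses) and are not real logs.

```python
"""Spot DNS amplification patterns in constructed flow records.

Added example for the NSFOCUS post on DNS amplification; not the post's code.
Record schema, addresses and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

ETHERNET_MTU = 1500      # bytes; an IPv4 datagram larger than this is fragmented
IPV4_UDP_HEADERS = 28    # 20-byte IPv4 header + 8-byte UDP header


@dataclass(frozen=True)
class DnsRecord:
    """One observed DNS datagram (constructed schema, not a real log format)."""
    resolver: str     # open recursive resolver that answered
    client: str       # source of the query / destination of the response
    kind: str         # "query" or "response"
    size: int         # UDP payload length in bytes
    fragmented: bool  # True if the datagram arrived as IP fragments


# Constructed sample: three spoofed queries for the "victim" 203.0.113.5, each
# answered with a ~3000-byte zone-sized response, plus a benign lookup by 192.0.2.7.
SAMPLE = [
    DnsRecord("198.51.100.10", "203.0.113.5", "query", 36, False),
    DnsRecord("198.51.100.10", "203.0.113.5", "response", 3000, True),
    DnsRecord("198.51.100.11", "203.0.113.5", "query", 36, False),
    DnsRecord("198.51.100.11", "203.0.113.5", "response", 3000, True),
    DnsRecord("198.51.100.12", "203.0.113.5", "query", 36, False),
    DnsRecord("198.51.100.12", "203.0.113.5", "response", 3000, True),
    DnsRecord("198.51.100.10", "192.0.2.7", "query", 40, False),
    DnsRecord("198.51.100.10", "192.0.2.7", "response", 120, False),
    DnsRecord("198.51.100.10", "192.0.2.7", "query", 40, False),
    DnsRecord("198.51.100.10", "192.0.2.7", "response", 120, False),
]


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    """Bandwidth amplification: response size divided by request size."""
    if query_bytes <= 0:
        raise ValueError("query size must be positive")
    return response_bytes / query_bytes


def will_fragment(response_bytes: int, mtu: int = ETHERNET_MTU) -> bool:
    """True when a UDP response of this payload size cannot fit one IPv4 datagram."""
    return response_bytes + IPV4_UDP_HEADERS > mtu


def bytes_per_client(records):
    """Sum query bytes, response bytes and fragmented responses per client address."""
    stats = defaultdict(lambda: {"query": 0, "response": 0, "fragments": 0})
    for rec in records:
        stats[rec.client][rec.kind] += rec.size
        if rec.kind == "response" and rec.fragmented:
            stats[rec.client]["fragments"] += 1
    return stats


def suspected_victims(records, min_ratio=20.0, min_response_bytes=2000):
    """Clients whose inbound DNS response volume dwarfs their outbound query volume.

    Returns {client: amplification ratio rounded to one decimal}. The floor on
    response bytes keeps a single tiny lookup from tripping the ratio test.
    """
    hits = {}
    for client, s in bytes_per_client(records).items():
        if s["query"] == 0 or s["response"] < min_response_bytes:
            continue
        ratio = amplification_factor(s["query"], s["response"])
        if ratio >= min_ratio:
            hits[client] = round(ratio, 1)
    return hits


if __name__ == "__main__":
    for client, ratio in suspected_victims(SAMPLE).items():
        frags = bytes_per_client(SAMPLE)[client]["fragments"]
        print(f"{client}: amplification x{ratio}, {frags} fragmented responses")
```

Run against the constructed sample, the spoofed target is reported at roughly 83x (9000 response bytes against 108 query bytes), while the benign client never reaches the response-byte floor. In a real deployment the same two aggregates (bytes in versus bytes out, per address, on UDP/53) can be computed from NetFlow or resolver logs; the fragment count is worth alerting on separately, since reassembling thousands of fragmented responses is the part of the attack that hurts the target most.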

At its core, this style of attack is an IP spoofing attack.  A good first step to protect yourself is to implement BCP38 (Best Common Practices), which helps cut down on IP spoofing.  Additionally, recursive servers should be restricted to your enterprise (or at most, B2B customers), and authoritative servers should be configured to use DNS Response Rate Limiting.  A final good step is either to obtain a mitigation service or to purchase equipment that provides purpose-built DDoS defense.  Most commercial anti-DDoS services and equipment providers have advanced anti-spoofing technologies built in that act as a good catch-all for even the most sophisticated attacks.
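The two server-side steps above (restricting recursion and enabling Response Rate Limiting) translate directly into resolver configuration. The BIND 9 `named.conf` fragments below are an added example, not configuration from the original post or from NSFOCUS; the `10.0.0.0/8` range stands in for your own address space, and the three `options` blocks are alternatives for different servers (a real `named.conf` contains only one).

```conf
// Weak: recursion open to the world. A query carrying a spoofed source address
// is answered, and the large response is delivered to whoever was spoofed.
options {
    recursion yes;
    allow-recursion { any; };
};

// Hardened recursive resolver: recursion and cache access only for the enterprise.
// "enterprise" is an assumed placeholder ACL; replace with your own prefixes.
acl enterprise { 10.0.0.0/8; localhost; };
options {
    recursion yes;
    allow-recursion { enterprise; };
    allow-query-cache { enterprise; };
};

// Authoritative-only server with Response Rate Limiting: identical answers to the
// same client /24 are capped per second. "slip 2" answers every second excess query
// with a truncated reply, so a legitimate client retries over TCP (which cannot be
// spoofed) while reflected UDP volume toward a spoofed address collapses.
options {
    recursion no;
    rate-limit {
        responses-per-second 5;
        window 5;
        slip 2;
        ipv4-prefix-length 24;
        log-only no;   // set "yes" first to observe what would be limited
    };
};
```

Before enforcing, run the rate-limit block with `log-only yes;` for a few days and review the log lines it produces: the addresses that show up are either legitimate heavy clients that need an exemption or evidence that the server is already being used as a reflector.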

Vann Abernethy is the Field CTO for NSFOCUS.  He brings more than 20 years of security and IT management experience working for a wide range of companies, from start-ups to the Fortune 500. Throughout his career, Abernethy has developed and deployed security, network and infrastructure management products and solutions, ranging from SMBs to government to some of the largest, industry-leading enterprises worldwide.