Author: Vann Abernethy, Field CTO, NSFOCUS
DNS amplification attacks ramp up the power of a botnet when targeting a victim. The basic technique of a DNS amplification attack is to spoof the IP of the intended target and send a request for a large DNS zone file to any number of open recursive DNS servers. The DNS servers blindly respond to the request, sending the large DNS zone response to the attack target. As an example, a recent Spamhouse attack saw request data of roughly 36 bytes in length, while the response data was around 3000 bytes, meaning the attackers effectively amplified the bandwidth used by a factor of 100. Additionally, because the responses exceeded the MTU, the packets were fragmented and the required reassembly further exasperated the problem.
At its core, this style of attack is an IP spoofing attack. A good first step to protect yourself is to implement BCP38 (Best Common Practices) which helps cut down on IP spoofing. Additionally, recursive servers should be restricted to your enterprise (or at most, B2B customers), and authoritative servers should be configured to use DNS Response Rate Limiting. A final good step is to either to obtain a mitigation service or purchase equipment that provides purpose-built DDoS defense. Most commercial anti-DDoS services and equipment providers have advanced anti-spoofing technologies built in that act as a good catch-all for even the most sophisticated attacks.
Vann Abernethy is the Field CTO for NSFOCUS. He brings more than 20 years of Security and IT management experience working for a wide range of companies, from start-ups to the Fortune 500. Throughout his career, Abernethy has developed and deployed security, network and infrastructure management products and solutions; ranging from SMBs to government to some of the largest, industry-leading enterprises worldwide.