As one of the world’s largest open DNS resolvers, we are constantly on the lookout for abuse of our service, especially abuse that would make us an unwitting participant in an attack against other networks. DNS amplification is one popular method attackers use to multiply the traffic they can generate, by bouncing it off large services such as OpenDNS. Even though this type of attack has been around for a long time, we still see a large number of attacks using it.

In this post I will briefly describe how these attacks work and shed some light on how often they occur. I will then give you some ideas on how you can protect yourself from these attacks as a website operator, and advise how you can avoid taking part in such attacks as a DNS server administrator or network administrator.

Amplification attacks are a form of denial of service attack. Attackers use open internet services such as DNS resolvers and NTP servers to multiply the amount of bandwidth sent to the victim until it overwhelms the victim’s capacity. With no bandwidth left to serve real customers, the victim’s website can no longer answer requests from real users. It is called an amplification attack because the attacker only needs a small internet connection and can still deluge the victim with traffic.

The diagram below gives a high level overview of how a DNS amplification attack works:

[Diagram: high-level overview of a DNS amplification attack]

As you can see, an attacker can use relatively few machines with little bandwidth to launch fairly substantial attacks. This is done by spoofing (faking) the source IP address of the DNS request, so that the response is sent not to the machine that issued the request but to the victim.

This is easy because DNS normally runs over UDP, which is connectionless: there is no handshake, so a resolver has no way to verify that the source IP address in a query actually belongs to the sender. Using very simple tools the attacker can send many thousands of spoofed requests to open resolvers, and the responses, which are much larger than the requests, multiply the bandwidth directed at the victim.

The chart below shows the number of attacks we see over a 24 hour period.

[Chart: number of attacks seen over a 24 hour period]

Digging into these attacks, we see that attackers often issue a special type of DNS request called an ANY query. An ANY query asks the resolver for every record it currently holds for the name, which may include where the mail servers are (MX records), what the IP addresses are (A records), and so on. Attackers use this query type to maximize the size of the response sent to the victim.

Using our analytics platform, we can outline the exact domains used in these attacks, how long each attack lasted, who the intended victims were and the intended size of the attack. We can also estimate the approximate source location of the attacks even though the packets are spoofed. Although the source addresses are forged, the queries still have to enter our network somewhere, and because we use Anycast, a networking technique that routes each request to the nearest OpenDNS datacenter, every query lands at the datacenter closest to the network it really came from. Which datacenters see the queries therefore tells us roughly where the spoofed packets are being injected, and how distributed the attack is.

The table below shows a small sample of the domains used over the same 24 hour period: 

[Table: sample of domains used in attacks over the same 24 hour period]

Attackers use both legitimate domains and domains registered specifically to maximize the impact of the attack. For example, fkfkfkfc(.)biz is one such domain, set up purely to take part in these attacks: its zone is stuffed with records so that the DNS response is as large as possible. Below is the dig output for this domain:

$ dig fkfkfkfc(.)biz @109.235.51.184

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> fkfkfkfc(.)biz @109.235.51.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24993
;; flags: qr aa rd; QUERY: 1, ANSWER: 236, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fkfkfkfc(.)biz. IN A

;; ANSWER SECTION:
fkfkfkfc(.)biz. 86400 IN A 204.46.43.157
fkfkfkfc(.)biz. 86400 IN A 204.46.43.158
fkfkfkfc(.)biz. 86400 IN A 204.46.43.159
fkfkfkfc(.)biz. 86400 IN A 204.46.43.160
… Repeated hundreds of times …
fkfkfkfc(.)biz. 86400 IN A 204.46.43.154
fkfkfkfc(.)biz. 86400 IN A 204.46.43.155
fkfkfkfc(.)biz. 86400 IN A 204.46.43.156

;; AUTHORITY SECTION:
fkfkfkfc(.)biz. 86400 IN NS ns21.fkfkfkfc.biz.
fkfkfkfc(.)biz. 86400 IN NS ns22.fkfkfkfc.biz.

;; ADDITIONAL SECTION:
ns21.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184
ns22.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184

;; Query time: 190 msec
;; SERVER: 109.235.51.184#53(109.235.51.184)
;; WHEN: Sat Mar  1 20:17:45 2014
;; MSG SIZE  rcvd: 3876

As you can see, a request of only about 64 bytes turns into a 3876-byte response sent to the victim, an amplification of roughly 60x. Note the "Truncated, retrying in TCP mode" line at the top of the dig output: without EDNS0 a UDP response is capped at 512 bytes, so the server set the TC bit and dig fetched the full answer over TCP. Attack tools get the full 3876 bytes over UDP by including an EDNS0 OPT record in the spoofed query that advertises a large receive buffer, typically 4096 bytes. A recent attack mitigated by Cloudflare peaked at about 400 Gbps, one of the largest seen to date (that particular attack used NTP amplification, but the arithmetic is the same). To reach that rate with responses of this size, open resolvers around the globe would have to emit roughly 13 million such responses per second (400 × 10^9 bits per second divided by 3876 × 8 bits per response).
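The two things that make the numbers above possible are the spoofed source address and the UDP payload size the query advertises. The following Python script is an added example, not code from the OpenDNS post. It builds a minimal DNS query, a constructed authoritative reply shaped like the fkfkfkfc(.)biz answer above (236 A records, two NS records and glue, with name compression, which comes out at exactly 3876 bytes), and then shows what a server can actually send back over UDP. Without an EDNS0 OPT record the reply cannot exceed 512 bytes, so the server sets TC and returns only the header and question, the same truncation dig reported before it retried over TCP; with an OPT record advertising 4096 bytes the full reply goes out and the amplification is about 56x. Sizes are counted at the IP layer (IPv4 plus UDP headers), so they differ slightly from the on-the-wire 64 bytes quoted above. The zone name, addresses and name-server details are constructed stand-ins for the ones in the dig output.

```python
"""Added example (not from the OpenDNS post): how the EDNS0 buffer size a
query advertises and the 512-byte UDP default shape a DNS amplification
factor. All packets are constructed offline; nothing is sent anywhere."""
import struct

OPT = 41                 # EDNS0 pseudo-RR type
TC_FLAG = 0x0200         # "truncated" bit in the header flags
UDP_DEFAULT_MAX = 512    # RFC 1035 limit when the query carries no OPT record
IP_UDP_OVERHEAD = 28     # IPv4 (20) + UDP (8) headers, what the victim's link carries


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus the root."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype=1, edns_bufsize=None, txid=0x1234):
    """Minimal query with RD set. edns_bufsize adds an OPT record claiming the
    sender can receive UDP replies that large; attack tools always add one."""
    arcount = 1 if edns_bufsize else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        # OPT RR: root owner, type 41, CLASS field = UDP payload size, TTL 0, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return pkt


def advertised_bufsize(query):
    """UDP payload size from the query's OPT record, or None if it has none."""
    if struct.unpack("!H", query[10:12])[0] == 0:
        return None
    owner, rtype, bufsize = struct.unpack("!BHH", query[-11:-6])
    return bufsize if owner == 0 and rtype == OPT else None


def build_response(query, a_records, ns_labels=("ns21", "ns22"), ns_ip="109.235.51.184"):
    """Constructed authoritative reply in the shape of the dig output: one A
    record per address, NS records and glue, using name compression (the
    owner names point back at the question name at offset 12)."""
    qname_end = 12 + query[12:].index(b"\x00") + 1
    question = query[12:qname_end + 4]          # reuse the query's question section
    zone_ptr = struct.pack("!H", 0xC000 | 12)   # compression pointer to the zone name
    msg = query[:2] + struct.pack("!HHHHH", 0x8400, 1, len(a_records), len(ns_labels), len(ns_labels))
    msg += question
    for ip in a_records:
        msg += zone_ptr + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes(int(o) for o in ip.split("."))
    glue_ptrs = []
    for label in ns_labels:
        rdata = bytes([len(label)]) + label.encode() + zone_ptr
        msg += zone_ptr + struct.pack("!HHIH", 2, 1, 86400, len(rdata))
        glue_ptrs.append(struct.pack("!H", 0xC000 | len(msg)))   # offset of the NS name
        msg += rdata
    for ptr in glue_ptrs:                       # glue owner is a pointer to that NS name
        msg += ptr + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes(int(o) for o in ns_ip.split("."))
    return msg


def udp_reply(query, response):
    """What a server can put on the wire over UDP for this query. Above the
    client's limit it sets TC and sends only header and question (servers may
    keep RRsets that still fit); the spoofed victim never retries over TCP."""
    limit = advertised_bufsize(query) or UDP_DEFAULT_MAX
    if len(response) <= limit:
        return response, False
    flags = struct.unpack("!H", response[2:4])[0] | TC_FLAG
    qname_end = 12 + response[12:].index(b"\x00") + 1
    hdr = response[:2] + struct.pack("!HHHHH", flags, 1, 0, 0, 0)
    return hdr + response[12:qname_end + 4], True


def amplification(query, response):
    """(bytes in, bytes out, factor) at the IP layer for one spoofed query."""
    sent, _ = udp_reply(query, response)
    qbytes = len(query) + IP_UDP_OVERHEAD
    rbytes = len(sent) + IP_UDP_OVERHEAD
    return qbytes, rbytes, round(rbytes / qbytes, 1)


def demo():
    """Constructed stand-in for the 236-record zone shown in the dig output."""
    zone = "fkfkfkfc.biz"
    addrs = ["204.46.43.%d" % i for i in range(1, 237)]
    out = {}
    for label, q in (("A, no EDNS0", build_query(zone)),
                     ("A, EDNS0 4096", build_query(zone, edns_bufsize=4096))):
        out[label] = amplification(q, build_response(q, addrs))
    return out


if __name__ == "__main__":
    for label, (qb, rb, factor) in demo().items():
        print("%-14s %4d B in -> %4d B out, x%s" % (label, qb, rb, factor))
```

Run it to print both cases. The same calculation applies to an ANY query: the reply simply contains every RRset the server holds for the name instead of only the A records, which is why that query type is the attacker's favourite.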

While some attacks are very short lived, we have seen several sustained attacks lasting many weeks. We also notice that, while the custom crafted domains used in these attacks do change, they change infrequently; a single domain may stay in use for many weeks.

So what can you do to protect yourself from such attacks?

As a website operator you may want to use a DDoS protection service such as those offered by Cloudflare, Verisign, and Arbor Networks.

As a DNS server administrator, make sure your resolver is not open to the internet (NTP administrators have the same homework for their servers). If you run an authoritative server on BIND, disable recursive resolving entirely:

options {
    recursion no;
};

If the server is an internal resolver, restrict it to answering queries from your own networks:

options {
    allow-query { 192.168.1.0/24; };
};

If one server must both resolve for internal clients and serve public zones, it has to keep answering queries from anywhere, so restrict recursion rather than queries (BIND's allow-recursion option) and consider enabling response rate limiting. After reloading named, confirm from a host outside your network that recursive queries are refused.

If you use an external DNS resolver, check whether it is open and ask the ISP or operator to restrict access to their own networks.
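One way to check whether a resolver is open, as an added example rather than code from the post: send a single recursion-desired query to it from a host outside its network and read the reply header. The RA (recursion available) bit and the rcode are enough to tell an open resolver from a closed one; REFUSED, or no reply at all, is what you want to see. The query name, transaction ID and the constructed header-only replies used to exercise the classifier are assumptions of this example.

```python
"""Added example (not from the OpenDNS post): test whether a resolver answers
recursive queries for outsiders. classify() is pure parsing and runs offline
on constructed replies; check_resolver() performs the single UDP exchange."""
import socket
import struct
import sys

RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
RA_FLAG = 0x0080
TXID = 0x2A2A  # fixed for the example; use a random ID in real use


def build_query(name, txid=TXID):
    """RD=1 query for an A record; a closed resolver should refuse it."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def classify(reply, txid):
    """Read only the 12-byte header: RA says whether recursion is offered to
    us, rcode and the answer count say whether the server actually resolved."""
    if len(reply) < 12:
        return "malformed"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        return "id mismatch"
    ra = bool(flags & RA_FLAG)
    rcode = RCODE.get(flags & 0x000F, str(flags & 0x000F))
    if rcode == "REFUSED":
        return "closed (REFUSED)"
    if ra and an > 0:
        return "OPEN: recursion available and answered"
    if ra:
        return "OPEN: recursion available (rcode %s)" % rcode
    return "not recursing (RA clear, rcode %s)" % rcode


def check_resolver(ip, name="example.com", timeout=3.0):
    """Send one query and classify the reply. No reply usually means the
    resolver is firewalled from here, which is the state you want."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(build_query(name, TXID), (ip, 53))
        reply, _ = s.recvfrom(4096)
    except socket.timeout:
        return "no reply (filtered or down)"
    finally:
        s.close()
    return classify(reply, TXID)


def constructed_reply(txid, flags, ancount):
    """Header-only reply, constructed to exercise classify() without a network."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    print(check_resolver(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Run it against the resolver's public address from outside the network it serves; from inside, an allow-recursion rule keyed on your own prefixes will correctly answer you and tell you nothing about outsiders.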

What can I do to protect my network from participating in such attacks?

Ensure that you are performing egress filtering (BCP 38) on your edge devices: drop any outbound packet whose source address is not from your own address space. This prevents spoofed packets from leaving your network, and so prevents compromised devices inside it from participating in attacks that depend on being able to send spoofed packets to the internet.
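A quick audit of that, as an added example not taken from the post: run over exported flow records from the egress interface and flag every flow whose source address is outside the prefixes you actually own. Those are exactly the packets an egress ACL should be dropping, and in the constructed sample the two offenders are high-volume DNS queries towards public resolvers, the signature of a spoofing host inside the network. The prefixes, interface names and flow lines are constructed; the nftables commands produced by egress_rules() enforce the same policy and are offered as the equivalent rule, not as anything the post prescribes.

```python
"""Added example (not from the OpenDNS post): find outbound flows whose source
address is not ours, i.e. the spoofed traffic that BCP 38 egress filtering
should be dropping. Prefixes, interfaces and flow records are constructed."""
import ipaddress

# Address space this site legitimately originates traffic from (assumed values)
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed flow export: "<out_iface> <src> <dst> <proto> <dport> <packets>"
SAMPLE_FLOWS = """\
wan0 203.0.113.10 198.51.100.5 udp 53 4
wan0 192.0.2.77 208.67.222.222 udp 53 18000
wan0 203.0.113.42 198.51.100.9 tcp 443 120
wan0 2001:db8:1::beef 2001:db8:ffff::1 tcp 22 9
wan0 198.51.100.200 208.67.220.220 udp 53 22000
lan0 10.0.0.5 203.0.113.10 tcp 80 3
"""


def is_ours(addr):
    """True if addr falls inside one of our prefixes of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES if net.version == ip.version)


def spoofed_egress(flow_text, egress_ifaces=("wan0",)):
    """Flows leaving an egress interface with a source we do not own, highest
    packet count first. Other interfaces are ignored: a foreign source
    address on the inside-facing interface is normal return traffic."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        iface, src, dst, proto, dport, pkts = line.split()
        if iface in egress_ifaces and not is_ours(src):
            hits.append((src, dst, proto, int(dport), int(pkts)))
    return sorted(hits, key=lambda h: h[-1], reverse=True)


def egress_rules(egress_iface="wan0"):
    """nftables rules enforcing the same policy on the forward path (assumed
    table and chain names 'inet filter forward')."""
    v4 = ", ".join(str(n) for n in OUR_PREFIXES if n.version == 4)
    v6 = ", ".join(str(n) for n in OUR_PREFIXES if n.version == 6)
    return [
        'nft add rule inet filter forward oifname "%s" ip saddr != { %s } drop' % (egress_iface, v4),
        'nft add rule inet filter forward oifname "%s" ip6 saddr != { %s } drop' % (egress_iface, v6),
    ]


if __name__ == "__main__":
    for src, dst, proto, dport, pkts in spoofed_egress(SAMPLE_FLOWS):
        print("spoofed source %s -> %s %s/%d (%d packets)" % (src, dst, proto, dport, pkts))
    print("\n".join(egress_rules()))
```

Point spoofed_egress() at your real flow export and your real prefixes; anything it returns is either a misconfigured host or evidence that the edge ACL is missing or has a gap.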

Trouble ahead?

In this post I have explained one form of amplification attack that has been abused for a long time. NTP amplification attacks are becoming much more common because their amplification factor can be far higher. SNMP servers are now also being used to amplify traffic, and they have the potential for even larger impact, since their responses can be much larger than those of DNS and NTP. As protocol designers, service developers, network administrators and end users, we have our work cut out for us.

At OpenDNS we take this abuse of our service very seriously and continue to fine tune our defenses. In a future post, we’ll describe some of the cool techniques we use to mitigate our involvement in these attacks.

Additional Resources:

Security Researcher Matteo Cantoni tracks these attacks in detail

Open Resolver Project

DNS Amplification Attacks Observer

Cloudflare blog
