DNS Amplification Attacks

By David Cornell
Posted on March 17, 2014
Updated on April 1, 2021

As one of the world’s largest open DNS resolvers, we are constantly on the lookout for abuse of our service, especially when it means we would be taking part in an attack against other networks. DNS amplification attacks are one popular method attackers use to increase their arsenal by abusing larger services such as OpenDNS. Even though this type of attack has been happening for a long time, we are still seeing a large number of attacks using this method.

In this post I will briefly describe how these attacks work and shed some light on how often they occur. I will then give you some ideas on how you can protect yourself from these attacks as a website operator, and advise how you can avoid taking part in such attacks as a DNS server administrator or network administrator.

Amplification attacks are a form of denial of service attack. Attackers use open internet services such as DNS resolvers and NTP servers to increase the amount of bandwidth sent to the victim, overwhelming its capacity. With no bandwidth remaining to service real customer requests, the victim’s website is unable to serve real users. It is called an amplification attack because the attacker only needs a small Internet connection while still being able to deluge the victim with traffic.

The diagram below gives a high level overview of how a DNS amplification attack works:

As you can see, an attacker can use relatively few machines with little bandwidth to launch fairly substantial attacks. This is done by spoofing (or faking) the source IP of the DNS request such that the response is not sent back to the computer that issued the request, but instead to the victim.

This is easy because DNS relies on UDP, and as such there is no verification that the source IP address in the request actually belongs to the sender. Using very simple tools, the attacker can send many thousands of spoofed requests to open resolvers, and the responses, which are much larger than the requests, amplify the amount of bandwidth sent to the victim.

The chart below shows the number of attacks we see over a 24 hour period.

Digging into these attacks, we see that attackers often issue a special type of DNS request called an ANY request. ANY requests ask the DNS resolver for ALL information that it currently knows about the domain which may include where the mail servers are (MX records), what the IP addresses are (A records) and so on. Attackers use this type of query to maximize the size of the response sent to the victim.

Using our analytics platform, we can outline the exact domains used in these attacks, how long the attack lasted, who the intended victims were and the intended size of the attack. We can also estimate the approximate source location of the attacks even though the packets are spoofed. This is possible because we use Anycast which is a networking technology used to route customer requests to the nearest OpenDNS resolver in one of our datacenters around the globe. We can use this metric to estimate how distributed the attack is.
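As an added illustration of the kind of analysis described above (this is not OpenDNS’s analytics code), the following Python runs over constructed resolver query-log lines, totals the bytes each source address received per byte it supposedly sent, and flags sources that look like spoofed amplification victims. The log format, the sample IPs and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of resolver query-log lines (not data from the post).
# Fields: epoch seconds, client (source) IP as seen by the resolver,
# query name, query type, size in bytes of the UDP response sent back.
SAMPLE_LOG = """\
1394000001 203.0.113.7 fkfkfkfc.biz. ANY 3876
1394000001 203.0.113.7 fkfkfkfc.biz. ANY 3876
1394000002 203.0.113.7 fkfkfkfc.biz. ANY 3876
1394000002 198.51.100.20 example.com. A 45
1394000003 203.0.113.7 example.org. ANY 3300
1394000003 198.51.100.21 example.net. MX 120
"""

def request_size(qname):
    """DNS payload size of a plain (no EDNS0) query for qname: 12-byte
    header, length-prefixed labels, root byte, QTYPE and QCLASS."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return 12 + sum(1 + len(l) for l in labels) + 1 + 4

def summarize(log_text):
    """Aggregate request/response bytes and ANY counts per source IP.
    In a spoofed attack the source IP is the victim, not the attacker."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0,
                                 "req_bytes": 0, "resp_bytes": 0})
    for line in log_text.splitlines():
        _ts, src, qname, qtype, resp_bytes = line.split()
        s = stats[src]
        s["queries"] += 1
        if qtype == "ANY":
            s["any"] += 1
        s["req_bytes"] += request_size(qname)
        s["resp_bytes"] += int(resp_bytes)
    return dict(stats)

def flag_victims(stats, min_any=3, min_ratio=20.0):
    """Return {source_ip: amplification_ratio} for sources that received
    at least min_any ANY responses with an overall bytes-out/bytes-in
    ratio of min_ratio or more. Ordinary clients sit near ratio 1-5."""
    flagged = {}
    for src, s in stats.items():
        ratio = s["resp_bytes"] / s["req_bytes"]
        if s["any"] >= min_any and ratio >= min_ratio:
            flagged[src] = round(ratio, 1)
    return flagged

if __name__ == "__main__":
    for ip, ratio in flag_victims(summarize(SAMPLE_LOG)).items():
        print(f"probable amplification target {ip}: x{ratio} bytes out per byte in")
```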

The table below shows a small sample of the domains used over the same 24 hour period:

Attackers use legitimate domains as well as domains set up specifically to increase the impact of the attack. For example, fkfkfkfc(.)biz is one such domain that was set up specifically to take part in these attacks. They do this so they can fill up the DNS response to be as large as possible. Below is the dig output for this domain:

$ dig fkfkfkfc(.)biz @109.235.51.184

;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.3-P1 <<>> fkfkfkfc(.)biz @109.235.51.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24993
;; flags: qr aa rd; QUERY: 1, ANSWER: 236, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;fkfkfkfc(.)biz. IN A

;; ANSWER SECTION:
fkfkfkfc(.)biz. 86400 IN A 204.46.43.157
fkfkfkfc(.)biz. 86400 IN A 204.46.43.158
fkfkfkfc(.)biz. 86400 IN A 204.46.43.159
fkfkfkfc(.)biz. 86400 IN A 204.46.43.160
… Repeated hundreds of times …
fkfkfkfc(.)biz. 86400 IN A 204.46.43.154
fkfkfkfc(.)biz. 86400 IN A 204.46.43.155
fkfkfkfc(.)biz. 86400 IN A 204.46.43.156

;; AUTHORITY SECTION:
fkfkfkfc(.)biz. 86400 IN NS ns21.fkfkfkfc.biz.
fkfkfkfc(.)biz. 86400 IN NS ns22.fkfkfkfc.biz.

;; ADDITIONAL SECTION:
ns21.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184
ns22.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184

;; Query time: 190 msec
;; SERVER: 109.235.51.184#53(109.235.51.184)
;; WHEN: Sat Mar  1 20:17:45 2014
;; MSG SIZE  rcvd: 3876

As you can see, a request that is only 64 bytes becomes a 3876-byte response sent to the victim. A recent attack measured by Cloudflare weighed in at 400Gbps, one of the largest attacks seen to date. That would require an attacker issuing over 200,000 of the above requests per second to open resolvers around the globe.

While some attacks are very short lived, we have seen several sustained attacks lasting many weeks. We also notice that while the custom crafted domains used in these attacks do change, they do not change very often; the same domain is sometimes used for many weeks.

So what can you do to protect yourself from such attacks?

As a website operator you may want to use a DDoS protection service such as those offered by Cloudflare, Verisign, and Arbor Networks.

As a DNS or NTP server administrator you should make sure your resolver is not open to the internet. If you use BIND you can disable recursive resolving like so:

    options {
        recursion no;
    };

You should also restrict BIND to answering questions from your internal network:

    options {
        allow-query { 192.168.1.0/24; };
    };

If you use an external DNS resolver, check whether it is open and ask the ISP or operator to restrict access to their own networks.
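One way to make that check, as an added Python example that is not from the post: build a plain DNS query with the RD bit set, send it to the resolver, and classify the reply by its RA flag and response code. The "closed" case corresponds to the "recursion requested but not available" warning in the dig output above; the classification rules and the example.com. probe name are assumptions.

```python
import random
import socket
import struct

RCODE_REFUSED = 5

def build_query(qname, qtype=1, rd=True):
    """Minimal DNS query message (no EDNS0) for qname; qtype 1 = A.
    Setting RD asks the server to recurse on our behalf."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", random.randrange(65536), flags, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(response):
    """Return (ra, rcode, ancount) from the 12-byte DNS header."""
    if len(response) < 12:
        raise ValueError("DNS message shorter than a header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return bool(flags & 0x0080), flags & 0x000F, ancount

def classify(response):
    """'open' when the server recursed for us (RA set, NOERROR, answers present);
    'closed' when it refused or did not offer recursion; otherwise 'unknown'."""
    ra, rcode, ancount = parse_header(response)
    if rcode == RCODE_REFUSED:   # what BIND returns when allow-query/allow-recursion deny us
        return "closed"
    if not ra:                   # dig reports this as "recursion requested but not available"
        return "closed"
    if rcode == 0 and ancount > 0:
        return "open"
    return "unknown"

def probe(server, qname="example.com.", timeout=3.0):
    """Send one UDP query to server:53 and classify the reply ('no-response'
    on timeout). Use a qname the server is not authoritative for, since an
    authoritative answer does not need recursion and would read as 'closed'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(data)
```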

What can I do to protect my network from participating in such attacks?

Ensure that you are performing egress filtering on your edge devices. This type of filtering prevents spoofed packets from leaving your network, thereby preventing malicious devices in your network from participating in attacks that rely on the ability to send spoofed packets to the internet.

Trouble ahead?

In this blog I have explained one form of amplification attack that has been abused for a long time. NTP server amplification attacks are becoming much more common, as the amplification factor can be much higher. SNMP servers are now also being used to amplify traffic and have the potential for much larger impact, since the responses can be much larger than those of DNS and NTP. As protocol writers, service developers, network administrators, and end users, we have our work cut out for us.

At OpenDNS we take this abuse of our service very seriously and continue to fine tune our defenses. In a future post, we’ll describe some of the cool techniques we use to mitigate our involvement in these attacks.

Additional Resources:

DNS Amplification Attacks Observer

Cloudflare blog
