DNS amplification attacks are a popular way for attackers to multiply their attack bandwidth by abusing larger, better-connected services. Even though this type of attack has been around for a long time, we still see a large number of attacks using this method.
In this post I will briefly describe how these amplification attacks work and shed some light on how often they occur. I will then give you some ideas on how you can protect yourself from these attacks as a website operator, and advise how you can avoid taking part in them as a DNS server administrator or network administrator.
What is a DNS amplification attack?
Amplification attacks are a form of denial of service attack. Attackers use open internet services such as DNS resolvers and NTP servers to increase the amount of bandwidth sent to the victim and overwhelm its capacity. With no bandwidth remaining to service real customer requests, the victim’s website is unable to serve real users. It is called an amplification attack because the attacker needs only a small Internet connection and is still able to deluge the victim with traffic.
How do DNS amplification attacks work?
The diagram below gives a high level overview of how a DNS amplification attack works:
As you can see, an attacker can use relatively few machines with little bandwidth to launch fairly substantial attacks. This is done by spoofing (or faking) the source IP of the DNS request such that the response is not sent back to the computer that issued the request, but instead to the victim.
This is easy because DNS relies on UDP, and as such there is no verification that the source IP address is in fact the sender. Using very simple tools the attacker can send many thousands of spoofed requests to open resolvers, and the responses, which are much larger than the requests, amplify the amount of bandwidth sent to the victim.
The chart below shows the number of attacks we see over a 24 hour period.
Digging into these attacks, we see that attackers often issue a special type of DNS request called an ANY request. ANY requests ask the DNS resolver for ALL information it currently knows about the domain, which may include where the mail servers are (MX records), what the IP addresses are (A records), and so on. Attackers use this type of query to maximize the size of the response sent to the victim.
Using threat analysis from Umbrella and Cisco Talos, we can outline the exact domains used in these attacks, how long the attack lasted, who the intended victims were and the intended size of the attack. We can also estimate the approximate source location of the attacks even though the packets are spoofed. This is possible because we use Anycast, a networking technology that routes customer requests to the nearest Cisco Umbrella resolver in one of our datacenters around the globe. We can use this metric to estimate how distributed the attack is.
The table below shows a small sample of the domains used over the same 24 hour period:
Attackers use both legitimate domains and domains created specifically to increase the impact of the attack. For example, fkfkfkfc(.)biz is one such domain that was set up specifically to take part in these attacks. Its zone is filled with records so that the DNS response is as large as possible. Below is the dig output for this domain:
$ dig fkfkfkfc(.)biz @109.235.51.184
;; Truncated, retrying in TCP mode.
; <<>> DiG 9.8.3-P1 <<>> fkfkfkfc(.)biz @109.235.51.184
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24993
;; flags: qr aa rd; QUERY: 1, ANSWER: 236, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;fkfkfkfc(.)biz. IN A
;; ANSWER SECTION:
fkfkfkfc(.)biz. 86400 IN A 204.46.43.157
fkfkfkfc(.)biz. 86400 IN A 204.46.43.158
fkfkfkfc(.)biz. 86400 IN A 204.46.43.159
fkfkfkfc(.)biz. 86400 IN A 204.46.43.160
… Repeated hundreds of times …
fkfkfkfc(.)biz. 86400 IN A 204.46.43.154
fkfkfkfc(.)biz. 86400 IN A 204.46.43.155
fkfkfkfc(.)biz. 86400 IN A 204.46.43.156
;; AUTHORITY SECTION:
fkfkfkfc(.)biz. 86400 IN NS ns21.fkfkfkfc.biz.
fkfkfkfc(.)biz. 86400 IN NS ns22.fkfkfkfc.biz.
;; ADDITIONAL SECTION:
ns21.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184
ns22.fkfkfkfc(.)biz. 86400 IN A 109.235.51.184
;; Query time: 190 msec
;; SERVER: 109.235.51.184#53(109.235.51.184)
;; WHEN: Sat Mar 1 20:17:45 2014
;; MSG SIZE rcvd: 3876
As you can see, a request of only 64 bytes becomes 3876 bytes sent to the victim. A recent attack measured by Cloudflare weighed in at 400Gbps, one of the largest attacks seen to date. That would require an attacker to issue over 200,000 of the above requests per second to open resolvers around the globe.
While some attacks are very short lived, we have seen several sustained attacks lasting many weeks. We also notice that the custom crafted domains used in these attacks do change, but not very often; a single domain is sometimes used for many weeks.
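As an added example (not code from the original post), here is a defender-side check that ties together the ANY-query behaviour and the 3876-byte response above: it scans BIND-style resolver query-log lines for a single source address (which, because the source is spoofed, is the victim) issuing bursts of ANY queries for one name. The log layout, the sample lines and the domain name are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed BIND-style querylog layout (constructed for this example; real BIND
# versions differ in the exact fields, so adapt the regex to your own logs).
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
                     r"(?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

def parse_line(line):
    """Return (timestamp, client ip, qname, qtype), or None for unmatched lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
    return ts, m["ip"], m["qname"].lower(), m["qtype"].upper()

def find_amplification_sources(lines, window_s=1, threshold=5, resp_bytes=3876):
    """Flag (client, qname) pairs with more than `threshold` ANY queries in any
    `window_s`-second window. The attacker spoofs the source, so the flagged IP
    is the victim; resp_bytes (3876, the dig answer size above) sizes its peak."""
    stamps_by_key = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "ANY":
            continue  # only ANY queries count; ordinary A/MX lookups are ignored
        ts, ip, qname, _ = parsed
        stamps_by_key[(ip, qname)].append(ts)
    alerts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = {"any_queries": peak, "est_bytes_to_victim": peak * resp_bytes}
    return alerts

# Constructed sample log: one spoofed "client" (the victim) hammered with ANY
# for a padded zone, ordinary lookups, and a line the regex does not match.
SAMPLE_LOG = [
    "01-Mar-2014 20:17:45.%03d client 192.0.2.10#53: query: ampdomain.example IN ANY +" % i
    for i in range(8)
] + [
    "01-Mar-2014 20:17:45.900 client 198.51.100.7#40123: query: www.example.com IN A +",
    "01-Mar-2014 20:17:46.100 client 198.51.100.8#40124: query: ampdomain.example IN ANY +",
    "01-Mar-2014 20:17:46.200 client 198.51.100.7#40125: query (cache) 'x.example/A' denied",
]
```

Running find_amplification_sources(SAMPLE_LOG) flags only the 192.0.2.10 / ampdomain.example pair, with eight ANY queries in one second and roughly 31 KB of response traffic aimed at that address.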
How do you protect yourself from a DNS amplification attack?
As a website operator you may want to use a DDoS protection service such as those offered by Cloudflare, Verisign, and Arbor Networks.
As a DNS or NTP server administrator you should make sure your resolver is not open to the internet. If you use BIND you can disable recursive resolving like so:
options { recursion no; };
You should also restrict BIND to answering queries from your internal network:
options { allow-query { 192.168.1.0/24; }; };
If you use an external DNS resolver, check whether it is open and suggest to the ISP or operator that they restrict access to only their own networks.
What can I do to protect my network from participating in such attacks?
Ensure that you are performing egress filtering on your edge devices. This type of filtering prevents spoofed packets from leaving your network, so that compromised devices inside it cannot take part in attacks that rely on sending spoofed packets to the internet.
Trouble ahead?
In this blog I have explained one form of amplification attack that has been abused for a long time. NTP server amplification attacks are becoming much more common, as their amplification factor can be much higher. SNMP servers are now also being used to amplify traffic and have the potential for much larger impact, since their responses can be much larger than those of DNS and NTP. As protocol writers, service developers, network administrators, and end users we have our work cut out for us.
At Cisco Umbrella we take this abuse of service very seriously and continue to fine tune our defenses.