DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers. The attacker hides the source of exploit and provides the target. The small DNS query is changed to larger payload. It attacks servers supporting open recursive relay. It may feature a botnet’s help to use less bandwidth use for large attacks. The advantage of this attack is that it shows the path as coming from valid servers with valid traffic.
DNS amplification is, therefore, a type of reflection attack which manipulates publically-accessible domain name systems, making them flood a target with large quantities of UDP packets. Using various amplification techniques, perpetrators can “inflate” the size of these UDP packets, making the attack so potent as to bring down even the most robust Internet infrastructure.
How it works?
DNS amplification, like other amplification attacks, is a type of reflection attack. In this case, the reflection is achieved by eliciting a response from a DNS resolvers to a spoofed IP address.
During a DNS amplification attack, the perpetrator sends out a DNS query with a forged IP address (the victim’s) to an open DNS resolver, prompting it to reply back to that address with a DNS response. With numerous fake queries being sent out, and with several DNS resolvers replying back simultaneously, the victim’s network can easily be overwhelmed by the sheer number of DNS responses.
RReflection attacks are even more dangerous when
amplified. “Amplification” refers to eliciting a server response that is
disproportionate to the original packet request sent.
To amplify a
DNS attack, each DNS request can be sent using the EDNS0 DNS protocol
extension, which allows for large DNS messages, or using the
cryptographic feature of the DNS security extension (DNSSEC) to increase
message size. Spoofed queries of the type “ANY,” which returns all
known information about a DNS zone in a single request, can also be
used.Solution:
Common ways to prevent or mitigate the impact of DNS amplification attacks include tightening DNS server security, blocking specific DNS servers or all open recursive relay servers, and rate limiting.
However, these methods do not eliminate attack sources, nor do they reduce the load on networks and switches between name servers and open recursive servers. Also, blocking all traffic from open recursive servers can interfere with legitimate DNS communication attempts. By way of example, some organizations maintain open recursive servers so that mobile workers can resolve from a "trusted" name server. Blocking traffic from these servers can hinder their access.
Reference:
- https://www.incapsula.com/ddos/attack-glossary/dns-amplification.html
- http://resources.infosecinstitute.com/attacks-over-dns/
No comments:
Post a Comment