Latley we have been seeing in the security news of a newer type of attack called ” DNS amplification attack” or what was know as a SMURF attack
How does it work ?
The attack works when a attacker finds a open dns server that accpets look ups from outside its network (aka misconfiguration) and spoofs the udp request to the DNS server to make it appear as it has originated from another IP for example
Attackers computer 1.1.1.1 send a DNS lookup to a misconfigured DNS server 2.2.2.2 but spoofs the source ip address to be of victims computer 3.3.3.3 the lookup data and traffic then get send to the victims computer which amplifies the amount of traffic as a lookup may bey about 30-60 bytes of data but a response to a dns lookup is larger
see in this example you run the following command
dig google.ca
gives you the following response
;; Query time: 52 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 13 02:02:34 2013
;; MSG SIZE rcvd: 75
we see the received size of the request is 75 byte request so the original request traffic has now been amplified because the response traffic is greater than the source traffic
Mitigation …
Due to the nature of this attack there are only a few mitigation techniques and there is not a all in one solution
1.) One way that has been suggested is to filter DNS request from the untrusted network ( RED network ) to your internal LAN if you are not host a public DNS server you should be able to block and or filter DNS requests from entering your network you can do this either on your edge router or have your provider do this for you
2.) Black hole network
Another way you can mitigate this attack is having a separate segment on your network with a edgde router with a configure null interface you can through a routing protocol that can move the victims ip address to the non-production network
see example below
3.) Use webservices such as cloudfire which have networks that are built to protect webservers from DDOS attack now this only helps for attacks agains your webserver and not your LAN
4.) You can look over RFC 2827 with respect to ingress filtering
5.) Internet providers can employ source address verification using URF ( Unicast reverse path forwarding)
You can see this article which is great explanation on what can be done on the ISP side http://www.sanog.org/resources/sanog8/sanog8-ip-spoofing-akinori-maz.pdf
6.) Also another mitigation step would be to rate limit the amount of requests per ip to the dns server if the requests become more the allotted then the request should be dropped and or blocked
What can DNS server admins do ?
1.) Rate limit DNS responses to a single ip
2.) if you are not running a pubic dns server deny access from outside your network by using access-lists etc
3.) regularly tests your dns servers for security holes
4.) Use best practices for server management
In summary DNS amplification attacks can be a heavy hitter attack as the amount of eigress traffic that can be generated from only a small amount of ingress traffic is amazing
Until next time
Stay secure !