DNS Amplification DDoS Attack

Distributed-Denial-of-Service (DDoS) attacks cause headaches for countless entities, whether they are world governments, corporations, or private citizens. The idea of a DDoS attack is to take the already effective Denial-of-Service (DoS) attack and multiply its power. Instead of simply one machine being used, like in a DoS attack, a DDoS attack employs a large number of machines to perform the attack. This is accomplished by a botnet, which is a collection of infected devices called “zombies” that are instructed by the attackers’ Command-and-Control (C2) server. Using sheer power in numbers, the botnet is able to cause a DDoS attack that overloads a target and renders it inoperable.

There are many types of DDoS attacks, but the Domain Name Server (DNS) has given birth to a fair share of them. DNS is responsible for ensuring devices can connect to a specific domain. On the internet, addresses are not the words in the Hypertext Transfer Protocol (HTTP) bar. Instead, they are Internet Protocol (IP) addresses in either IPv4 or IPv6 format. Remembering all of the numbers in IP addresses can be a colossal pain, so DNS servers resolve domain IP addresses automatically for visitors to a domain.

Because it is such an important part of the internet, DNS comes under attack frequently. One of the most well-known DDoS attacks for DNS servers is the DNS amplification attack. It is vital for security professionals, IT workers, and common citizens to understand this attack as it affects all of them. Once you have completed this article, you will be able to recognize DNS amplification attacks and also be able to defend against them.

What is a DNS Amplification DDoS Attack?

The DNS amplification attack uses a DNS server against its network. The attack forces public-facing DNS servers to flood a target with traffic. This is different from a DNS cache poisoning attack as, instead of forcing the DNS server to resolve to a malicious address, the amplification attack overloads the actual domain the DNS server belongs to. In technical terms, this is called a “reflection-based volumetric Distributed-Denial-of-Service attack.” In layman’s terms, this just means that a target is tricked into destroying itself.

The DNS amplification attack hinges on exploiting the User Datagram Protocol (UDP) to work. UDP is far more exploitable than its counterpart Transmission Control Protocol (often shortened to TCP/IP). The TCP/IP protocol requires a “three-way handshake” (SYN-SYN/ACK-ACK) before a connection can be completed. UDP, on the other hand, allows packets just to keep getting sent without any follow-up verification. It is this fact that makes UDP far more susceptible to DDoS attacks. The basic mechanics of a DNS amplification attack are an attacker sending packets that are spoofed as the target domain’s address. The DNS server then, merely doing its job, resolves that packet to the domain. The botnet set up by the attacker keeps sending these malicious requests until the DNS resolvers inadvertently knock their own network offline. The amplification aspect of this attack is how the packets are configured. Using the EDNS0 extension mechanism, spoofed queries create a response that is far greater than the initial packet. A typical packet can be no greater than 512 bytes, but with this amplification method, the DNS server responds with a multiplication of thousands of bytes (which is highly abnormal). Through this amplification, and using a botnet, the DDoS attack occurs with vicious speed and efficacy.

Steps of a DNS Amplification DDoS Attack

Attacker discovers the target domain and begins creating a plan of attack.
A botnet is formed either by the threat actor via various exploits and malware, or alternatively, purchasing access to one via the dark web.
From their Command-and-Control server, the attacker crafts packets using the EDNS0 extension mechanism.
The botnet is then instructed to send the spoofed packets to the targeted domain.
The domain’s DNS server begins resolving the packets to the domain (remember, the spoofed packets are addressed to the target, so instead of “redirecting” they are “reflected” back to the domain network).
Because the packets contain the EDNS0 command, the DNS resolution also increases the packet size by exponential rates.
The domain’s internal network cannot handle the recursive loop and shuts down all communication lines with the public.

How to Mitigate DNS Amplification Attacks

According to the Cybersecurity and Infrastructure Security Agency (CISA), which is the cyber-security wing of the US Department of Homeland Security, the total prevention of DNS amplification is impossible. However, this does not mean that nothing can be done to stall attackers or reduce the damage done.

A key element to mitigating DNS amplification attacks is reducing the number of servers that an attacker can access. There are specific ways to configure DNS so that it makes public-facing servers unavailable to malicious entities. One way is performing network ingress filtering, or in plain English, forcing IP source verification. If a DNS server allows for this configuration, it will recognize a spoofed packet and reject it outright. Another method is disabling recursion on DNS servers, should a server have the option of doing so. If this cannot be done, at the very least server admins should seek to recursion to authorize and vetted clients. This makes it so that an organization’s specific address range is all that gets resolved by the DNS servers. Of course, there exists the chance that an attacker knows these addresses, but usually, this would require the attacker to have inside knowledge. Good cybersecurity hygiene should prevent such occurrences. There is another more experimental option for BIND9 servers that allows for Response Rate Limiting (RRL). This will reduce the overall traffic flow from one specific source. As previously stated, however, only BIND9 servers have this capability. For any other server, use the previously mentioned mitigation methods. The DNS amplification DDoS attack is a severe threat to any public-facing web domain. It is not a losing situation, though, if you have the proper attack plan. Understand your enemy, and you will be able to mount a strong defense.

Cookie	Duration	Description
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
Affiliate ID	3 months	Affiliate ID cookie
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
Data 1	3 months
Data 2	3 months	Data 2
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
woocommerce_cart_hash	session	This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes.
XSRF-TOKEN	session	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__lc2_cid	2 years	This cookie is used to enable the website live chat-box function. It is used to reconnect the customer with the last agent with whom the customer had chatted.
__lc2_cst	2 years	This cookie is necessary to enable the website live chat-box function. It is used to distinguish different users using live chat at different times that is to reconnect the last agent with whom the customer had chatted.
__oauth_redirect_detector		This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
Affiliate ID	3 months	Affiliate ID cookie
Data 1	3 months
Data 2	3 months	Data 2
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_J2RWQBT0P2	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_12584548_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-12584548-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjIncludedInSessionSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
PAPVisitorId	1 year	This cookie is set by the Post Affiliate Pro.This cookie is used to store the visitor ID which helps in tracking the affiliate.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_app_session	1 month	No description available.
_dc_gtm_UA-12584548-1	1 minute	No description
_gfpc	session	No description available.
71cfb2288d832330cf35a9f9060f8d69	session	No description
cli_bypass	3 months	No description
CONSENT	16 years 6 months 13 days 18 hours	No description
gtm-session-start	2 hours	No description available.
isoCode	1 month	No description available.
L-k26wU	1 day	No description
L-KVHA4	1 day	No description
m	2 years	No description available.
newVisitorId	3 months	No description
owner_token	1 day	No description available.
PP-k26wU	1 hour	No description
PP-KVHA4	1 hour	No description
RL-k26wU	1 day	No description
RL-KVHA4	1 day	No description
wisepops	2 years	No description available.
wisepops_session	session	No description available.
wisepops_visits	2 years	No description available.
woocommerce_items_in_cart	session	No description available.
wp_woocommerce_session_1b44ba63fbc929b5c862fc58a81dbb22	2 days	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

DNS Amplification DDoS Attack

What is a DNS Amplification DDoS Attack?

Steps of a DNS Amplification DDoS Attack

How to Mitigate DNS Amplification Attacks

Learn more about DDoS

What is the Golden Ticket

How it works: