Distributed-Denial-of-Service (DDoS) attacks cause headaches for countless entities, whether they are world governments, corporations, or private citizens. The idea of a DDoS attack is to take the already effective Denial-of-Service (DoS) attack and multiply its power. Instead of simply one machine being used, like in a DoS attack, a DDoS attack employs a large number of machines to perform the attack. This is accomplished by a botnet, which is a collection of infected devices called “zombies” that are instructed by the attackers’ Command-and-Control (C2) server. Using sheer power in numbers, the botnet is able to cause a DDoS attack that overloads a target and renders it inoperable.
There are many types of DDoS attacks, but the Domain Name System (DNS) has given birth to a fair share of them. DNS is responsible for ensuring devices can connect to a specific domain. On the internet, addresses are not the names typed into a browser's address bar. Instead, they are Internet Protocol (IP) addresses in either IPv4 or IPv6 format. Remembering all of the numbers in IP addresses can be a colossal pain, so DNS servers resolve domain names to IP addresses automatically for visitors to a domain.
Because it is such an important part of the internet, DNS comes under attack frequently. One of the most well-known DDoS attacks for DNS servers is the DNS amplification attack. It is vital for security professionals, IT workers, and common citizens to understand this attack as it affects all of them.
Once you have completed this article, you will be able to recognize DNS amplification attacks and also be able to defend against them.
The DNS amplification attack uses a DNS server against its own network. The attack forces public-facing DNS servers to flood a target with traffic. This is different from a DNS cache poisoning attack: instead of forcing the DNS server to resolve a name to a malicious address, the amplification attack overloads the actual domain the DNS server belongs to. In technical terms, this is called a "reflection-based volumetric Distributed-Denial-of-Service attack": reflection because the responses are bounced off DNS servers toward the target, and volumetric because the attack wins by sheer bandwidth rather than by exploiting a software flaw. In layman's terms, this just means that a target is tricked into destroying itself.
The DNS amplification attack hinges on exploiting the User Datagram Protocol (UDP) to work. UDP is far more exploitable than its counterpart, the Transmission Control Protocol (TCP). TCP requires a "three-way handshake" (SYN, SYN/ACK, ACK) before a connection can be completed, and because the client must receive and answer the server's SYN/ACK, a packet carrying a forged source address can never complete it. UDP, on the other hand, is connectionless: a server answers each datagram to whatever source address it carries, with no follow-up verification that this address actually sent it. It is this fact that makes UDP far more susceptible to DDoS attacks.
The basic mechanics of a DNS amplification attack are an attacker sending DNS queries whose source address is spoofed so that they appear to come from the target domain's address. The DNS server then, merely doing its job, resolves each query and sends the response to the spoofed source. The botnet set up by the attacker keeps sending these malicious requests until the DNS resolvers' responses inadvertently knock their own network offline.
The amplification aspect of this attack comes from how the packets are constructed. Using the EDNS0 extension mechanism, spoofed queries elicit a response that is far larger than the initial packet. A DNS message over UDP is classically limited to 512 bytes, but a query that advertises a large EDNS0 buffer size invites the DNS server to respond with thousands of bytes (which is highly abnormal), many times the size of the query that triggered it. Through this amplification, and using a botnet, the DDoS attack occurs with vicious speed and efficacy.
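As an added example (not code from the original article), the Python below builds a constructed query in DNS wire format, as a resolver would receive it, parses the EDNS0 OPT pseudo-record to recover the advertised UDP buffer size, and flags the combination just described: an ANY query advertising a buffer far above the classic 512-byte limit. The name example.com, the transaction ID and the 4096-byte buffer are constructed sample values.

```python
import struct

QTYPE_ANY, QTYPE_OPT = 255, 41
CLASSIC_UDP_LIMIT = 512  # DNS-over-UDP ceiling without EDNS0 (RFC 1035)

def encode_name(name):
    # "example.com" -> b"\x07example\x03com\x00"
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"

def decode_name(buf, off):
    # Walks RFC 1035 labels, following compression pointers (0xC0xx) if present.
    labels = []
    while True:
        n, off = buf[off], off + 1
        if (n & 0xC0) == 0xC0:  # pointer: low 14 bits are an offset into buf
            tail, _ = decode_name(buf, ((n & 0x3F) << 8) | buf[off])
            return ".".join(labels + [tail]), off + 1
        if n == 0:
            return ".".join(labels), off
        labels.append(buf[off:off + n].decode())
        off += n

def build_query(name, qtype, edns_size=None):
    # Constructed sample query, as `dig` would send: header, one question and,
    # if edns_size is given, an EDNS0 OPT pseudo-record in the additional section.
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_size:  # OPT RR: root owner, TYPE 41, CLASS = advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return msg

def parse_query(msg):
    _id, _flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns_size = CLASSIC_UDP_LIMIT  # no OPT record: the response must fit in 512 bytes
    for _ in range(arcount):
        _owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE_OPT:
            edns_size = rclass  # OPT reuses the CLASS field for the buffer size
    return {"qname": qname, "qtype": qtype, "edns_size": edns_size, "query_len": len(msg)}

def is_amplification_prone(q):
    # Resolver-side heuristic: an ANY query advertising a buffer well above the
    # classic limit is asking for a response many times larger than itself.
    return q["qtype"] == QTYPE_ANY and q["edns_size"] > CLASSIC_UDP_LIMIT
```

A 40-byte query of this shape that draws a 3,000-byte response yields an amplification factor of 75, which is the ratio a resolver-side monitor would track.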
According to the Cybersecurity and Infrastructure Security Agency (CISA), which is the cyber-security wing of the US Department of Homeland Security, the total prevention of DNS amplification is impossible. However, this does not mean that nothing can be done to stall attackers or reduce the damage done.
A key element to mitigating DNS amplification attacks is reducing the number of servers that an attacker can access. There are specific ways to configure DNS so that public-facing servers cannot be used by malicious entities. One way is performing network ingress filtering, or in plain English, forcing IP source verification. If a DNS server allows for this configuration, it will recognize a spoofed packet and reject it outright.
Another method is disabling recursion on DNS servers, should a server have the option of doing so. If this cannot be done, at the very least server admins should restrict recursion to authorized and vetted clients. This makes it so that the DNS servers only resolve queries coming from an organization's specific address range. Of course, there exists the chance that an attacker knows these addresses, but usually, this would require the attacker to have inside knowledge. Good cybersecurity hygiene should prevent such occurrences.
There is another, more experimental option for BIND9 servers that allows for Response Rate Limiting (RRL). This will reduce the flow of responses triggered by any one specific source. As previously stated, however, only BIND9 servers have this capability. For any other server, use the previously mentioned mitigation methods.
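As an added example, and not BIND's own code, here is a simplified Python model of the Response Rate Limiting idea: identical responses to one client prefix are capped per second and, above the cap, replies are dropped except every slip-th one, which is sent truncated so that a genuine client retries over TCP (the slip behaviour is a BIND RRL feature the article does not describe). The plain per-second counter, the /24 grouping and the 198.51.100.7 sample source are assumptions for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

class ResponseRateLimiter:
    """Simplified model of BIND9's rate-limit {} behaviour (assumption: a plain
    per-second counter stands in for BIND's credit window). Identical responses
    to one client prefix are capped at `responses_per_second`; above the cap,
    replies are dropped except every `slip`-th one, which goes out truncated (TC)
    so a genuine client retries over TCP while a spoofed victim gets almost nothing."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps, self.slip, self.prefix_len = responses_per_second, slip, prefix_len
        self.buckets = defaultdict(lambda: {"sec": None, "count": 0, "dropped": 0})

    def decide(self, src_ip, qname, qtype, now):
        # RRL keys on (client prefix, answer), so a botnet spraying one spoofed
        # source address shares a single bucket no matter how many zombies it has.
        block = ip_network(f"{src_ip}/{self.prefix_len}", strict=False)
        b = self.buckets[(block, qname.lower(), qtype)]
        if b["sec"] != int(now):  # new second: reset the counters
            b.update(sec=int(now), count=0, dropped=0)
        b["count"] += 1
        if b["count"] <= self.rps:
            return "answer"
        b["dropped"] += 1
        return "truncate" if self.slip and b["dropped"] % self.slip == 0 else "drop"

def simulate(limiter, queries):
    # queries: iterable of (timestamp, src_ip, qname, qtype); returns decision tallies.
    return Counter(limiter.decide(ip, name, qt, ts) for ts, ip, name, qt in queries)

# Constructed stream: 20 ANY queries within one second, all claiming to come from
# 198.51.100.7 (a documentation address), plus one normal lookup from elsewhere.
SAMPLE_QUERIES = [(1000.0 + i / 20, "198.51.100.7", "example.com", "ANY") for i in range(20)]
SAMPLE_QUERIES.append((1000.5, "203.0.113.9", "example.com", "A"))
```

With the defaults, the spoofed burst gets five answers, seven truncated replies and eight silent drops, while the unrelated client is answered normally.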
The DNS amplification DDoS attack is a severe threat to any public-facing web domain. It is not a losing situation, though, if you have the proper attack plan. Understand your enemy, and you will be able to mount a strong defense.