DNS Amplification DoS Basics

Amplification-based DoS attacks are not a new concept; they were abused heavily in the 90s with IP directed-broadcast attacks, also known as smurf attacks.

DNS amplification attacks rely on the fact that UDP DNS requests are small and easily spoofed, while the returned data is much larger than the original request and ends up hitting the victim's network.

Below is a sample dig request for amazon.com.

(Image: dig request for amazon.com)

Let's look at the packet size in Wireshark.

(Image: DNS request, 81 bytes)

And the response:

(Image: DNS response, 879 bytes)

If you look at the request and response, the request was 81 bytes and the response was 879 bytes. With some quick research it wouldn't be hard to find other domains with a better rate of return, but this is still a significant return on a small request.

Spoofing a DNS ALL request for ebay.com from 173.255.232.242 and capturing it in tshark:

(Image: tshark capture of the spoofed DNS request)

This covers the basic theory of the attack.

Attackers spoof DNS requests from the victim's IP -> DNS servers respond with huge responses, filling the victim's connection.

In the wild, DNS servers are often compromised and configured with extremely large TXT records, resulting in replies of up to 4000 bytes and increasing the amplification.

Combine this attack with a botnet and it's very easy to generate Gbps of traffic at the victim while each botnet node sends relatively little.
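From the resolver operator's side, the pattern above is visible in the traffic itself: tiny queries arriving "from" one address and large ANY/TXT answers streaming back to it. The following is an added example (not part of the original post) that scores clients by response-bytes over request-bytes, the same 879/81 style ratio measured above. The input lines are constructed to mimic `tshark -T fields -e ip.src -e ip.dst -e udp.length -e dns.flags.response -e dns.qry.type` output, and the thresholds and addresses are assumptions an operator would tune for their own resolver.

```python
"""Flag likely DNS amplification abuse in resolver traffic.

Added example, not from the original post. Input lines are constructed
to mimic tab-separated tshark field output (src, dst, udp.length,
dns.flags.response, dns.qry.type); thresholds are assumptions.
"""
from collections import defaultdict

# Query types the post calls out as producing large answers.
QTYPE_ANY = 255
QTYPE_TXT = 16

# Constructed sample: tiny queries "from" 203.0.113.9 (the spoofed victim)
# answered with large ANY/TXT responses, plus one normal client.
SAMPLE_LINES = """\
203.0.113.9\t192.0.2.53\t59\t0\t255
192.0.2.53\t203.0.113.9\t887\t1\t255
203.0.113.9\t192.0.2.53\t59\t0\t255
192.0.2.53\t203.0.113.9\t887\t1\t255
203.0.113.9\t192.0.2.53\t61\t0\t16
192.0.2.53\t203.0.113.9\t3912\t1\t16
198.51.100.7\t192.0.2.53\t52\t0\t1
192.0.2.53\t198.51.100.7\t84\t1\t1
"""


def parse_line(line):
    """Split one tab-separated record into typed fields."""
    src, dst, length, is_resp, qtype = line.rstrip("\n").split("\t")
    return src, dst, int(length), is_resp == "1", int(qtype)


def summarize(lines, resolver_ip):
    """Per client IP: request bytes, response bytes, and large ANY/TXT answers."""
    stats = defaultdict(lambda: {"req_bytes": 0, "resp_bytes": 0,
                                 "reqs": 0, "big_any_txt": 0})
    for line in lines:
        if not line.strip():
            continue
        src, dst, length, is_resp, qtype = parse_line(line)
        if is_resp and src == resolver_ip:
            s = stats[dst]
            s["resp_bytes"] += length
            # Answers over 512 bytes to ANY/TXT are the amplification payload.
            if qtype in (QTYPE_ANY, QTYPE_TXT) and length > 512:
                s["big_any_txt"] += 1
        elif not is_resp and dst == resolver_ip:
            s = stats[src]
            s["req_bytes"] += length
            s["reqs"] += 1
    return stats


def amplification_factor(s):
    """Bytes sent back per byte received, the ratio the post measures by hand."""
    return s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else 0.0


def suspicious_clients(lines, resolver_ip, min_factor=10.0, min_big=1):
    """Return {client_ip: factor} for clients that look like reflection victims."""
    out = {}
    for ip, s in summarize(lines, resolver_ip).items():
        factor = amplification_factor(s)
        if factor >= min_factor and s["big_any_txt"] >= min_big:
            out[ip] = round(factor, 1)
    return out


if __name__ == "__main__":
    hits = suspicious_clients(SAMPLE_LINES.splitlines(), "192.0.2.53")
    for ip, factor in hits.items():
        print(f"{ip}: amplification x{factor}; likely spoofed victim, "
              "apply rate limiting and check the recursion ACL")
```

On the constructed sample the spoofed victim 203.0.113.9 receives 5686 bytes for 179 bytes of queries (about x31.8), while the ordinary client stays near x1.6 and is not flagged. The same summary can be fed into a rate limiter's block list, which is the mitigation the Prevention section recommends.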

For more details on these attacks in the wild, check out the DEF CON 14 talk by Randal Vaughn: http://www.youtube.com/watch?v=-mBzpMeiqec

Prevention

There are a number of methods to prevent your DNS servers from being abused in this way; the easiest are filtering recursive requests and rate limiting DNS traffic.

You can check for known open resolvers on your network here: http://openresolverproject.org/
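Besides the external list, you can verify your own servers directly: a query with the RD (recursion desired) bit set should come back with RA (recursion available) cleared or RCODE REFUSED from a server that only serves its own clients. The following added example (not the post's own code) hand-builds such a query and reads the reply header fields described in RFC 1035 section 4.1.1; the sample replies are constructed headers, and `probe()` is only meant to be pointed at a server you administer.

```python
"""Audit whether one of your own DNS servers answers recursive queries.

Added example, not from the original post. Builds a DNS query with RD=1
and inspects the RA bit and RCODE of the reply header. The replies below
are constructed; the server address passed to probe() is an assumption.
"""
import socket
import struct

RCODE_REFUSED = 5


def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    flags = 0x0100  # RD=1, every other flag zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(data):
    """Return the header fields that matter for a recursion check."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags >> 15 & 1),   # 1 = this is a response
        "rd": bool(flags >> 8 & 1),    # recursion desired, echoed from query
        "ra": bool(flags >> 7 & 1),    # recursion available
        "rcode": flags & 0xF,
        "ancount": an,
    }


def classify(response):
    """'open' if the server offers recursion to us, 'closed' if it does not."""
    h = parse_header(response)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"
    if not h["ra"] or h["rcode"] == RCODE_REFUSED:
        return "closed"
    return "unclear"


def probe(server, name="example.com", timeout=2.0):
    """Send the query over UDP to a server you administer and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)


# Constructed reply headers (classify() only needs the 12-byte header):
# open resolver: QR=1 RD=1 RA=1 RCODE=0 with one answer record
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# locked-down server: QR=1 RD=1 RA=0 RCODE=5 (REFUSED), no answers
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    print("constructed open reply    ->", classify(OPEN_REPLY))
    print("constructed refused reply ->", classify(REFUSED_REPLY))
```

The query for example.com is 29 bytes on the wire, which is the small-request side of the imbalance the post measures with Wireshark; a server that answers it "open" from an address outside your own networks is the one to fix with a recursion ACL and rate limiting.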

One comment on "DNS Amplification DoS Basics"
  1. faihaa says:

    Omg, can we say this is the method of anonymous attacking!?
