DDoS DNS amplification attacks
by Brian Hershey on Feb.22, 2009, under General Info
There is a new(? or more frequently used?) method of DDoS attack being currently used against victim networks. This involves UDP queries from spoofed IP addresses, requesting the addresses for the DNS root servers. This turns misconfigured nameservers into a sort of DDoS “Reflector”, allowing attack amplification.
The reason for this is that it’s a really small UDP query (it’s a query for “. NS/IN”), resulting in a large amount of data “returned” to/at the victim’s network.
Here’s how it works:
The attacking server (let’s call them ns.attacker.net) spoofs the IP address of the victim (let’s call them victim.net), sending multiple UDP queries to many recursive, resolving DNS servers, pretending to be the victim host or network.
The attacker assumes the victim network’s IP
ns.victim.net:{high-order port} -> ns.resolvingDNSserver.net:53 . NS/IN
This query, when issued against any recursively resolving nameserver, will return the entire root nameserver list to the victim network, which is rather large in comparison with the query itself.
If your DNS server allows recursive queries to the general public, you may want to disable their ability to access your nameserver via UDP/53, or turn off their ability to make “. NS/IN” queries. (a query for the nameserver list of the “root” domain)
For BIND, you can add this line to the options section of your named.conf, stopping them from getting an answer to this query.
additional-from-cache no;
Alternatively, you can just disable the public’s ability to use UDP to query your nameservers, as a 3-way TCP handshake makes the IP spoofing almost impossible.
For further reading, check out this article by Don Jackson@SecureWorks:
http://www.secureworks.com/research/threats/dns-amplification
Thanks, Don… Great read!