Back to Basics – DNS-based DDoS attacks
DNS (Domain Name System) is a host distributed database that converts domain names to IP addresses. Most clients rely on DNS for communicating services such as Telnet, file transfer, and HTTP web browsing. It goes through a chain of events, usually only taking milliseconds for the client to receive a reply. Clients send a DNS query to a local DNS server (LDNS), known as a Resolver. The LDNS relays the request to a Root server that has the required information to service the request. Root servers are a critical part of Internet architecture. They are authoritative name servers that serve the DNS root zone, either by directly answering requests or returning a list of the authoritative nameservers for the appropriate top-level domain (TLD).
DNS uses User Datagram Protocol (UDP) as the transport protocol. UDP is a lot faster than TCP due to its stateless operation. Stateless means no connection state is maintained between UDP peers. It has no connection information, just a query / response process. One of the problems with using UDP as the transport protocol is the size of unfragmented UDP packets has limited the number to 13 root server addresses. To alleviate this problem, root server IP addressing is based on Anycast, permitting the actual number of root servers to be larger than 500. Anycast is a technique permitting the same IP address to be advertised from multiple locations.
Exploiting DNS – DNS-based DDoS attacks
Mainly by using denial of service (DoS) mechanisms, aiming to disrupt activity and prevent upper-layer communication between hosts. Attacking UDP is often harder to detect than general DoS resources saturation attacks. Attacking UDP is not as complex as attacking TCP because UDP has no authentication and is connectionless. This makes it easier to attack than some application protocols as these usually require their own authentication and integrity checks before accepting data. The potential threat against DNS is that it relies on UDP and is subject to UDP control plane threats. Launching an attack on a UDP session can be achieved without application awareness.
One method of DoS attack is to carry out a DNS query attack. The attacker uses a tap client and sends a query to remote DNS server with an objective to overload it with numerous clients all sending queries to the same DNS server. The capacity of a normal DNS server is about 150,000 queries. If the remote server does not have the capacity, it will drop and ignore the legitimate request, unable to send responses. The DNS server cannot tell which query is good or bad. A query attack is a relatively simple attack.
A more advanced technique is called a DNS reflection attack. The attackers take advantage of the underlying vulnerability in the protocol used for DNS. The return address (source IP address in the query) is tricked to be someone else. This is known as DNS Spoofing or DNS cache poisoning. The attackers send out a DNS request and for the source IP they put the IP address as their target. The real source gets overwhelmed with return traffic. The source IP address is known to be spoofed. The main reasons for carrying out reflection attacks is for amplification (discussed below). The advertisement of spoofed DNS name records enables the attacker to carry out many other attacks. As discussed, they can redirect flows to a destination of choice, which opens up other sophisticated attacks that facilitate eavesdropping, MiTM attacks, the injection of false data, and the distribution of Malware, and Trojans.
The nature of the DNS system has unequal sizes. The query messages is very small and the response is typically double the query size. There are certain record types that you can ask for that are much larger. An attacker may concentrate their attack by using DNS security extension (DNSSEC) cryptographic or EDNS0 extensions. If you add DNSsec, it combines a lot of keys and makes the packet much larger. These types of request can increase packet size from around 40 bytes to above the maximum Ethernet packet size of 4000 bytes. Potentially, requiring fragmentation, further targeting network resources. This is the essence of any type of IPv4 and IPv6 attack amplification; a small query with a large response. Many Load Balancing products have built-in DoS protection, enabling you to set limits to packets per second on certain DNS query’s.
The attack can be amplified even more with DNS Open Resolvers, enabling the least number of Bots with maximum damage. A Bot is a type of malware that allows the attacker to take control over it. Generally, there should be security mechanism in place so resolvers only answer requests from a list of clients. It should not answer a query from the side of an attacker. These are called locked or secured DNS resolver. However, there are many resolvers without best practice security mechanisms. Unfortunately, Open Resolvers amplify the amplification attack surface even further. DNS amplification is a variation of an old school attack called a SMURF attack.
At a very basic level, make sure you have an automatic list to accept only known clients. Set up ingress filtering to make sure you don’t have illegal address leaving your network. Ingress filtering prevents any spoofing style attacks. This will weed it down and thin it out a bit. Test your network and make sure you don’t have any Open Resolvers. NMAP (Network Mapper) is a tool, that has a script to test recursion. This will test and see if your local DNS servers are open for recursion attacks.
At a more expensive level, F5 have a product called DNS Express. It gives you the ability to withstand DoS attacks, by adding an F5 GTM in front of your DNS servers. DNS express handles the request on behalf of the DNS server. It works from high-speed RAM and can handle on average about 2 million requests per second. This is about 12 times more than a normal DNS server, which should be more than enough to withstand a sophisticated DNS DoS attack. Later posts will deal with mitigation techniques including stateful firewalls and other devices.