DNS Reflection Attack

In today’s interconnected world, cyber threats continue to evolve, posing significant risks to individuals, organizations, and even nations. One such threat, the DNS Reflection Attack, has gained notoriety for its potential to disrupt online services and cause significant damage. In this blog post, we will delve into the intricacies of this attack, exploring its mechanics, impact, and how organizations can protect themselves from its devastating consequences.

A DNS Reflection Attack, also called a DNS amplification attack, is a type of Distributed Denial of Service (DDoS) attack. It exploits the inherent design of the Domain Name System (DNS) to overwhelm a target’s network infrastructure. The attacker spoofs the victim’s IP address as the source and sends many DNS queries to open DNS resolvers, asking for records that produce large responses. Those responses can be several times larger than the original requests, so the resolvers direct a massive influx of traffic at the victim’s network.

Highlights: DNS Reflection Attack

  • The Role of DNS

Firstly, the basics. DNS (Domain Name System) is a distributed database, hosted across many servers, that converts domain names to IP addresses. Most clients rely on DNS before they can reach services such as Telnet, file transfer, and HTTP web browsing. A lookup goes through a chain of events, usually taking only milliseconds before the client receives a reply. Quick does not often mean secure. First, let us examine the DNS structure and DNS operations.

  • The DNS Process

The client sends a DNS query to a local DNS server (LDNS), also called a resolver. The LDNS then relays the request toward a root server to obtain the information needed to service the request. Root servers are a critical part of the Internet architecture: they are the authoritative name servers for the DNS root zone, and they either answer the request directly or return a list of authoritative name servers for the appropriate top-level domain (TLD). Unfortunately, this chain of events is the basis of DNS-based DDoS attacks such as the DNS Recursion attack.

DNS Recursion Attack.

Key DNS Reflection Attack Discussion Points:

  • Introduction to DNS Reflection attack and what is involved.
  • Highlighting DNS-based DoS attacks.
  • Discussion on DNS Query attack and DNS Recursion attack.
  • Example: The issue of Open Resolvers.
  • The role of GTM Load Balancer.

  • A key point: Video on Secure Web Gateways with DNS Filtering.

The increase in zero-day attacks, automatic botnet spreading, and malicious threats hiding in SSL traffic has resulted in a broken web security model. One precaution you can take is implementing a Secure Web Gateway (SWG) as a cloud-based or on-premise device.

Secure Web Gateway is a security solution that filters unwanted traffic, enforcing various security policies. Depending on the vendor, SWG offers a range of features such as URL and DNS Filtering, DNS Security, Cloud Sandboxing, Data Loss Prevention, and file type controls, to name a few.

Back to Basics With DNS Reflection Attack

The Domain Namespace

So, we have domain names that index DNS’s distributed database. Each domain name is a path in a large inverted tree called the domain namespace. So, when you think about the tree’s hierarchical structure, it is similar to the design of the Unix filesystem.

The tree has a single root at the top. The Unix filesystem represents the root directory by a slash (/), while DNS simply refers to it as “the root.” The structure is similar, and it, too, has limits. The DNS tree can branch any number of ways at each intersection point, or node, but its depth is limited to 127 levels, which you are not likely to reach.

DNS and its use of UDP

DNS uses the User Datagram Protocol (UDP) as its transport protocol. UDP is a lot faster than TCP because it is stateless: no connection state is maintained between UDP peers. There is no connection setup, just a query/response exchange.

One problem with using UDP as the transport is that the size of an unfragmented UDP DNS message limits the root zone to 13 root server addresses. To work around this, root server addressing is based on Anycast, which allows the number of physical root servers to exceed 500. Anycast permits the same IP address to be advertised from multiple locations.

  • A key point: Lab Guide on the DNS Process.

The DNS resolution process begins when a user enters a domain name in their browser. It involves several steps to translate the domain name into an IP address. In the example below, I have a CSR1000v configured as a DNS server and several name servers. I also have an external connector configured with NAT for external connectivity outside of Cisco Modelling Labs.

    • Notice the DNS Query and the DNS Response in the packet capture. Keep in mind this is UDP and, by default, insecure.

Diagram: DNS Process

Highlights DNS Reflection Attack

The attacker identifies vulnerable DNS resolvers that can be abused to amplify the attack. These resolvers respond to DNS queries from any source without proper source IP address validation. By sending a small DNS request with the victim’s IP address as the source, the attacker tricks the resolver into sending a much larger response to the victim’s network. This amplification effect allows attackers to generate a significant traffic volume, overwhelming the victim’s infrastructure and rendering it inaccessible.

  • Impact and Consequences:

DNS Reflection Attacks can have severe consequences, both for individuals and organizations. Some of the critical impacts include:

    • Disruption of Online Services:

The attack can bring down websites, online services, and other critical infrastructure by flooding the victim’s network with massive amplified traffic. This can result in financial losses, reputational damage, and significant user inconvenience.

    • Collateral Damage:

In many cases, DNS Reflection Attacks cause collateral damage, affecting not only the intended target but also other systems sharing the same network infrastructure. This can lead to a ripple effect, causing cascading failures and disrupting multiple online services simultaneously.

    • Loss of Confidentiality:

During a DNS Reflection Attack, attackers exploit chaos and confusion to gain unauthorized access to sensitive data. This can include stealing user credentials, financial information, or other valuable data, further exacerbating the damage caused by the attack.

  • Mitigation and Prevention:

To mitigate the risk of DNS Reflection Attacks, organizations should consider implementing the following measures:

    • Source IP Address Validation:

DNS resolvers should be configured to only respond to queries from authorized sources, preventing the use of open resolvers for amplification attacks.

    • Rate Limiting:

By implementing rate-limiting mechanisms, organizations can restrict the number of DNS responses sent to a particular IP address within a given time frame. This can help mitigate the impact of DNS Reflection Attacks.

    • Network Monitoring and Traffic Analysis:

Organizations should regularly monitor their network traffic to identify suspicious patterns or abnormal spikes in DNS traffic. Advanced traffic analysis tools can help detect and mitigate DNS Reflection Attacks in real time.

    • DDoS Mitigation Services:

Engaging with reputable DDoS mitigation service providers can offer additional protection against DNS Reflection Attacks. These services employ sophisticated techniques to identify and filter malicious traffic, ensuring the availability and integrity of online services.
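
Rate limiting in practice: the following Python, added here as an illustration and not code from this post or from any DNS product, simulates a simplified response rate limiter in the spirit of BIND's RRL. Once a (client address, query name) pair exceeds the limit within one second, every second excess answer is replaced by a tiny truncated (TC=1) reply and the rest are dropped, so a spoofed victim receives a trickle instead of a flood while a genuine client that hits the limit simply retries over TCP. The traffic, the keying and the limits are constructed assumptions.

```python
from collections import defaultdict

TC_REPLY_SIZE = 45  # header + question only; constructed size of a TC=1 reply


class ResponseRateLimiter:
    """Fixed-window limiter keyed on (client IP, query name), simplified from
    BIND RRL (which keys on the client /24 and the response identity).
    Over the limit, every `slip`-th excess answer is sent truncated so a real
    client retries over TCP; the remaining excess answers are dropped."""

    def __init__(self, limit=5, slip=2, window=1.0):
        self.limit, self.slip, self.window = limit, slip, window
        self.buckets = {}  # (ip, qname) -> [window_start, count]

    def decide(self, ts, client_ip, qname):
        key = (client_ip, qname)
        start, count = self.buckets.get(key, (ts, 0))
        if ts - start >= self.window:  # window expired: start a new one
            start, count = ts, 0
        count += 1
        self.buckets[key] = [start, count]
        if count <= self.limit:
            return "answer"
        excess = count - self.limit
        return "truncate" if excess % self.slip == 0 else "drop"


def simulate(events, limit=5, slip=2):
    """events: iterable of (ts, client_ip, qname, full_response_size).
    Returns bytes actually sent per client and a count of each decision."""
    rrl = ResponseRateLimiter(limit, slip)
    sent, actions = defaultdict(int), defaultdict(int)
    for ts, ip, qname, size in events:
        action = rrl.decide(ts, ip, qname)
        actions[action] += 1
        if action == "answer":
            sent[ip] += size
        elif action == "truncate":
            sent[ip] += TC_REPLY_SIZE
    return dict(sent), dict(actions)


# Constructed traffic: a spoofed victim address "receives" 100 large ANY
# answers within one second, plus one ordinary client asking twice.
EVENTS = [(0.01 * i, "198.51.100.7", "example.com/ANY", 3000) for i in range(100)]
EVENTS += [(0.3, "192.0.2.10", "example.com/A", 90), (0.8, "192.0.2.10", "example.com/A", 90)]
```

Without the limiter the victim would receive 300,000 bytes from this resolver in one second; with it, five full answers plus 47 truncated replies.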

Exploiting DNS-Based DDoS Attacks

Denial of service (DoS) mechanisms mainly disrupt activity and prevent upper-layer communication between hosts. Attacks on UDP are often harder to detect than general DoS resource-saturation attacks, and they are less complex than attacks on TCP because UDP has no authentication and is connectionless.

This makes UDP easier to attack than application protocols that require authentication and integrity checks before accepting data. The threat to DNS is that it relies on UDP and is therefore subject to UDP control-plane threats: an attack on a UDP exchange can be launched without any awareness of the application.

DNS query attack

One DNS-based DDoS method is the DNS query attack. The attacker uses a tap client to send queries to a remote DNS server and overloads it with numerous clients all querying the same server. The capacity of a standard DNS server is about 150,000 queries. If the remote server lacks the capacity, it drops and ignores legitimate requests and cannot send responses, because it cannot tell a good query from a bad one. A query attack is a relatively simple attack.

DNS Recursion attack

The recursive nature of DNS servers lets them query one another to locate a server holding the correct IP address, or to find the authoritative DNS server that holds the canonical mapping from the domain name to its IP address. The very nature of this operation opens DNS up to a DNS Recursion Attack.

A DNS Recursion Attack is also known as a DNS cache poisoning attack. It occurs when a recursive DNS server requests an IP address from another server, and an attacker intercepts the request and supplies a fake response, often the IP address of a malicious website.

DNS reflection attack

A more advanced form of DNS-based DDoS attack is the DNS reflection attack. The attackers take advantage of an underlying weakness in the transport used for DNS: the return address (the source IP address in the query) is forged to be someone else’s. This is known as DNS Spoofing or DNS cache poisoning.

The attackers send out DNS requests with the target’s IP address as the source IP. The real owner of that address is then overwhelmed with return traffic. The source IP address is known to be spoofed.

The main reason for carrying out reflection attacks is amplification (discussed below). The advertisement of spoofed DNS name records also enables the attacker to carry out many other attacks. As discussed, they can redirect flows to a destination of their choice, which opens up further sophisticated attacks: eavesdropping, man-in-the-middle (MiTM) attacks, the injection of false data, and the distribution of malware and Trojans.

Diagram: DNS Reflection Attack.

DNS and unequal sizes

DNS messages are inherently unequal in size. Query messages are tiny, and a response is typically about double the query size. However, certain record types you can ask for produce much larger responses. Attackers may concentrate their attack using DNS Security Extensions (DNSSEC) cryptographic records or EDNS0 extensions. With DNSSEC, the response carries a lot of key material, which makes the packet much larger.

These requests can increase packet size from around 40 bytes to above the maximum Ethernet packet size of 4000 bytes, potentially requiring fragmentation and further taxing network resources. This is the essence of any IPv4 or IPv6 amplification attack: a small query with a large response. Many load balancing products have built-in DoS protection that lets you set packets-per-second limits on specific DNS queries.
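
To put numbers on the unequal sizes described above, here is an added Python example (constructed for this post, not the author's code) that builds a minimal wire-format DNS query with and without an EDNS0 OPT record, builds a TXT response from constructed zone data, and computes the amplification factor. Without EDNS0 the classic 512-byte UDP limit forces a truncated reply; with an advertised 4096-byte buffer the full response fits. The record sizes and names are assumptions.

```python
import struct

DNS_MAX_UDP = 512  # classic DNS/UDP payload limit without EDNS0 (RFC 1035)
OPT, TXT = 41, 16  # record types (RFC 6891, RFC 1035)

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype, edns_bufsize=None, txid=0x1234):
    """Minimal RD=1 query; with edns_bufsize, append an EDNS0 OPT record that
    advertises a larger UDP payload size in its CLASS field."""
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_bufsize:
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return pkt

def advertised_udp_size(query):
    """UDP payload size the client will accept: OPT CLASS field, else 512."""
    if struct.unpack("!H", query[10:12])[0] == 0:  # ARCOUNT 0: no OPT record
        return DNS_MAX_UDP
    rrtype, bufsize = struct.unpack("!HH", query[-10:-6])  # last RR: type, class
    return max(bufsize, DNS_MAX_UDP) if rrtype == OPT else DNS_MAX_UDP

def build_response(query, txt_records):
    """Answer with TXT RRs (owner name compressed to the question, 0xC00C). If
    the answer would exceed the client's advertised size, a conforming server
    sends header + question only with TC=1, so the amplification collapses."""
    question = query[12:query.index(b"\x00", 12) + 5]  # name + qtype + qclass
    answers = b""
    for txt in txt_records:
        rdata = bytes([len(txt)]) + txt  # one <character-string>
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TXT, 1, 300, len(rdata)) + rdata
    full = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(txt_records), 0, 0)
    full += question + answers
    if len(full) <= advertised_udp_size(query):
        return full
    return query[:2] + struct.pack("!HHHHH", 0x8380, 1, 0, 0, 0) + question  # TC set

def amplification(query, response):
    """Bytes returned per byte sent: the attacker's amplification factor."""
    return len(response) / len(query)

# Constructed zone data: ten 200-byte TXT records standing in for the keys and
# signatures that make a DNSSEC-signed answer large.
RECORDS = [b"x" * 200] * 10
```

With these inputs the plain 29-byte query gets a 29-byte truncated reply (factor 1.0), while the 40-byte EDNS0 query gets the full 2159-byte answer (factor 54).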

  • A key point: Video on Port Scanning: TCP and UDP

In this whiteboard session, we address port scanning. Port scanning can be performed against TCP and UDP ports. Identifying open ports on a target system is the stage a bad actor must carry out when understanding and defining the attack surface of a target. These open ports correspond to the networked services running on the system, and that is something you want to protect your network against. To test what is open on your network, we use the process of port scanning, which can be done with a tool called Scapy.


DNS Open Resolvers

The attack can be amplified even further with DNS Open Resolvers, letting the fewest bots do the maximum damage. A bot is a type of malware that allows the attacker to control the infected host. Generally, a security mechanism should be in place so that resolvers only answer requests from a list of known clients. These are called locked or secured DNS resolvers.

Unfortunately, many resolvers lack best-practice security mechanisms, and such Open Resolvers widen the amplification attack surface even further. DNS amplification is a variation of an old-school attack called a Smurf attack.

At a fundamental level, ensure you have an automated list to accept only known clients. Set up ingress filtering so that no spoofed address leaves your network; ingress filtering prevents spoofing-style attacks and thins out the attack surface considerably.

Next, test your network and make sure you don’t have any Open Resolvers. NMAP (Network Mapper) has a script to test recursion, which will tell you whether your local DNS servers are open to recursion attacks.
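
To judge your own resolvers the way the NMAP recursion check does, here is an added Python classifier (not from this post or from NMAP) that reads the header of a reply to an RD=1 query for a name the server is not authoritative for and reports whether recursion was offered. The replies it inspects are constructed inline, not captured traffic.

```python
import struct

QR, TC, RA = 0x8000, 0x0200, 0x0080  # DNS header flag bits
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
# Constructed question section: example.com, type A, class IN
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"

def classify_recursion(reply):
    """Judge a resolver from its reply to an RD=1 query for a foreign name.
    Returns (verdict, reason); verdict is "open", "closed" or "inconclusive"."""
    if len(reply) < 12:
        return "inconclusive", "no or short reply (filtered, dropped, or not DNS)"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if not flags & QR:
        return "inconclusive", "QR bit clear: this is a query, not a response"
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    if rcode == "REFUSED":
        return "closed", "REFUSED: recursion denied to this client (ACL in place)"
    if not flags & RA:
        return "closed", "RA bit clear: server does not offer recursion"
    if rcode == "NOERROR" and ancount > 0:
        return "open", f"RA set and {ancount} answer RR(s) returned for a foreign name"
    return "inconclusive", f"RA set but rcode {rcode} with {ancount} answers"

def make_reply(flags, ancount):
    """Constructed reply header plus the fixed question above (not a capture)."""
    return struct.pack("!HHHHHH", 0xBEEF, flags, 1, ancount, 0, 0) + QUESTION

# Constructed replies as an open resolver, an ACL-protected resolver and an
# authoritative-only server would send them (RD=0x0100 is echoed by all three).
OPEN_REPLY = make_reply(QR | RA | 0x0100, 1)     # NOERROR with an answer
REFUSED_REPLY = make_reply(QR | 0x0100 | 5, 0)   # REFUSED, RA clear
NO_RA_REPLY = make_reply(QR | 0x0100 | 3, 0)     # NXDOMAIN, RA clear
```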

DNS reflection attack: GTM Load Balancer

At a more expensive level, F5 has a product called DNS Express. It allows you to withstand DoS attacks by placing an F5 GTM Load Balancer in front of your DNS servers. DNS Express answers requests on behalf of the DNS server. It works from high-speed RAM and, on average, handles about 2 million requests per second.

This is about 12 times more than a regular DNS server, which should be enough to withstand a sophisticated DNS DoS attack. Later posts deal with mitigation techniques, including stateful firewalls and other devices.