DNS amplification attacks are one of the most pernicious vulnerabilities in the Internet’s infrastructure and a favored tool of online criminals with an axe to grind or a need to create a distraction. They’re also a useful example of how infrastructure that grows organically over many years can cause problems because of features created in a different time. Even more striking is the fact that if companies and others running DNS servers put their mind to it, DNS amplification attacks could be rendered impossible. DNS amplification attacks are a form of Distributed Denial of Service attack in which multiple machines are dragooned into the service of online criminals to bombard their targets with such an enormous quantity of bandwidth that their network connections become saturated, making them unavailable to legitimate users and effectively knocking them off the Internet. They gained some degree of media notoriety last year, when a series of huge DNS amplification attacks created a deluge of data larger than any seen before. The media presented this as a risk to the Internet at large, which is an exaggeration, but it is true the DDoS attacks of this sort cause significant inconvenience and expense.
What Is An Amplification Attack?
The average online criminal doesn’t have access to the huge amounts of bandwidth necessary to send adequate data to saturate hosting companies and other bandwidth providers. Even with large botnets, flooding connections is a difficult proposition. They need some way to multiply the bandwidth they have available and the amount of data they can send. Unfortunately, there are several vulnerabilities in common online services — including the Domain Name System and the Network Time Protocol — that make doing so fairly easy.
DNS Amplification Attacks
DNS servers accept requests from client machines, translating human readable web addresses into the IP numbers that servers, routers, and switches use to direct packets to their destination. The client machine — frequently a web browser — sends a packet that contains a DNS request, the DNS server sends a packet back with the IP address, if it’s known. If the DNS server doesn’t have the answer, it asks another DNS server, which will answer, or tell it where to find an answer. That process can go several levels deep, which is why these servers are referred to as recursive DNS servers. They recurse the DNS hierarchy until they find the answer they need. On open recursive DNS server is one that will accept requests from anyone and send the response to the IP address contained within the request. Open DNS servers are dangerous because they will accept DNS requests from any machine, rather than verifying that the requester is a reasonable source. When attackers want to direct a flood of DNS data, they send a request to many different open recursive DNS servers, which send a response to the server indicated within the requests. The attackers can spoof the IP address of the target machine, replacing the address from which the request originates with the target’s address. All of the DNS servers direct responses to the target, rather than the servers who are actually making the request — usually hundreds or thousands of servers in a botnet. What makes this sort of attack particularly bad is that, by sending a specific request to the DNS servers, they can be prompted to send a response that is many times larger than the original request. The initial request containing the spoofed IP of the target can as small as 60 bytes, and the response which is sent to the target may be 4000 bytes. That’s a huge amplification factor and explains how attackers can generate massive floods of data with relatively small levels of bandwidth. And, of course, DNS servers tend to be situated in data centers with access to lots of bandwidth. The solution is quite obvious. Remove open recursive DNS servers, but that’s easier said than done. Some estimate that 20% of the DNS servers on the Internet will accept DNS requests from anyone. Hunting them down and removing them would be expensive, and until they become the target of an attacks themselves, most companies have no real incentive to remove their open DNS servers. Image Flickr/altemark