What is a DNS Amplification Attack?
Distributed Denial of Service (DDoS) attacks continue to evolve and grow in scale and complexity. Many recent studies show that DDoS attacks are becoming more frequent, sophisticated, and powerful. In fact, the largest recorded DDoS attacks have exceeded 1.4 Tbps, and they continue to grow with the proliferation of IoT devices. A DNS amplification attack is one of the most dangerous types of DDoS threat. These attacks exploit weaknesses in network protocols to generate a large volume of traffic directed at a targeted website or service, overwhelming its servers and making the site unavailable to legitimate users.
What is a DNS Amplification Attack?
A Domain Name System (DNS) amplification attack is just one of many types of distributed denial-of-service (DDoS) attacks. As with all DDoS attacks, the attacker's goal is to keep users from accessing a networked system, service, website, application, or other resource by making it slow to respond or disabling it entirely. Most DDoS attacks are volumetric: they bombard a victim's network with more traffic than it can handle. Think of it like bumper-to-bumper, stand-still traffic on a six-lane freeway near a stadium when a concert or sporting event ends. Thousands of cars crowding the freeway all at once completely impair the normal flow of traffic.
A DNS amplification attack uses different techniques to accomplish the same end goal of denying service. Instead of thousands of cars flooding the freeway at one time, imagine six wide-load trucks traveling side by side along that same six-lane freeway. The flow of traffic is completely impaired – not by a sudden onslaught of thousands of cars but by several vehicles so large that normal traffic can’t flow through. So, while most DDoS attacks work by overwhelming a system with a huge quantity of average-sized packets, a DNS amplification attack uses larger packets to achieve the same result. No analogy is perfect, however, and there are a few more wrinkles to the DNS amplification story, so let’s look more closely at the details of this attack.
How does it work?
In a DNS amplification attack, the attacker sends DNS queries to open DNS resolvers with the source IP address forged to that of the intended victim. Each query is legitimate and small in itself, but because the source address has been altered, the resolver sends its response to the victim rather than back to the attacker. The queries are structured to maximize the size of the resolver's response, so the victim receives large responses to small queries it never sent. Sending many such queries to many open resolvers multiplies the traffic reaching the target IP address, and issuing them from a distributed botnet multiplies it further.
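Seen from the victim's side, the mechanism above leaves a characteristic pattern in flow records: large UDP responses arriving from port 53 of many distinct servers, far out of proportion to the DNS queries the host actually sent. The following is an added example (not code from the original article) that looks for that pattern. The flow records, the field names and the thresholds are constructed for illustration; real NetFlow or IPFIX exports would be mapped onto the same fields.

```python
"""Detect reflected/amplified DNS traffic in flow records.

Added example, not part of the original article. Field names, thresholds
and the sample flows are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow summary, as a flow exporter would report it."""
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample. 198.51.100.10 plays the victim: it sent one small
# legitimate query, then receives large responses from 40 resolvers it
# never queried (those queries were sent with the victim's address forged
# as source). 192.0.2.7 is an ordinary client for comparison.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", 40123, "203.0.113.53", 53, 60),
    Flow("203.0.113.53", 53, "198.51.100.10", 40123, 180),
    Flow("192.0.2.7", 51000, "203.0.113.53", 53, 70),
    Flow("203.0.113.53", 53, "192.0.2.7", 51000, 200),
] + [
    Flow(f"203.0.113.{i}", 53, "198.51.100.10", 33000 + i, 3000)
    for i in range(1, 41)
]


def dns_reflection_report(flows, ratio_threshold=10.0, min_reflectors=10):
    """Per destination host: bytes of DNS responses received vs. bytes of DNS
    queries sent, number of distinct responding servers, and a verdict.

    A host under amplification attack shows a response/query byte ratio far
    above what real lookups produce (normally a few times the query size)
    and responses from many servers it never asked."""
    query_bytes = defaultdict(int)      # host -> bytes it sent to UDP/53
    response_bytes = defaultdict(int)   # host -> bytes it received from UDP/53
    servers = defaultdict(set)          # host -> distinct responding servers
    for f in flows:
        if f.dport == 53:
            query_bytes[f.src] += f.nbytes
        if f.sport == 53:
            response_bytes[f.dst] += f.nbytes
            servers[f.dst].add(f.src)

    report = {}
    for host, in_bytes in response_bytes.items():
        out_bytes = query_bytes.get(host, 0)
        # A host that received responses without sending any query gets an
        # infinite ratio rather than a division error.
        ratio = in_bytes / out_bytes if out_bytes else float("inf")
        report[host] = {
            "response_bytes": in_bytes,
            "query_bytes": out_bytes,
            "ratio": ratio,
            "reflectors": len(servers[host]),
            "suspicious": ratio >= ratio_threshold
            and len(servers[host]) >= min_reflectors,
        }
    return report


if __name__ == "__main__":
    for host, r in dns_reflection_report(SAMPLE_FLOWS).items():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{host:15} ratio={r['ratio']:8.1f} reflectors={r['reflectors']:3d} {flag}")
```

The two conditions are deliberately combined: a high byte ratio alone also occurs for a host that legitimately fetches large records from its own resolver, and many distinct DNS servers alone is normal for a recursive resolver; it is the combination, responses from many servers the host never queried, that marks reflection. Thresholds should be tuned against a baseline of the network's normal DNS traffic.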
The impact of DNS Amplification Attack
DNS amplification attacks are an example of a volumetric DDoS attack. The goal of these attacks is to flood the target with enough junk traffic to consume all of its network bandwidth or some other scarce resource (such as computational power).
By using DNS for amplification, an attacker can overwhelm a target while using a fraction of the resources consumed by their attack. Often, DDoS attacks are designed to knock a target service offline. If the attacker uses all of the available resources, then none are available for legitimate users, rendering the service unusable.
However, smaller-scale attacks can also have negative effects on their targets…
Even if a service isn't knocked completely offline, degraded performance can have a negative effect on its customers. Additionally, all of the resources consumed by the attack cost the target money while generating no revenue for the business.
How is a DNS amplification attack mitigated?
For an individual or company running a website or service, mitigation options are limited, because the server, although it is the target, is not where the main effect of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. The Internet Service Provider (ISP) or other upstream infrastructure providers may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the targeted victim's IP address, protecting itself but taking the target's site offline. Mitigation strategies, aside from offsite protective services, are mostly preventative Internet infrastructure measures.
Reduce the total number of open DNS resolvers
An essential component of DNS amplification attacks is access to open DNS resolvers. When poorly configured DNS resolvers are exposed to the Internet, all an attacker needs to do to make use of one is to discover it. Ideally, DNS resolvers should only provide their services to devices within a trusted network. In a reflection-based attack, an open DNS resolver will respond to queries from anywhere on the Internet, which is what makes it exploitable. Restricting a DNS resolver so that it only responds to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.
Source IP verification – stop spoofed packets leaving a network
Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped.
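The two infrastructure controls above (restricting which clients a resolver will recurse for, and dropping packets that leave a network with a source address the network does not own) can be expressed as two small policy decisions. The following is an added example, not code from the original article: the prefixes, packets and function names are constructed, `resolver_allows_recursion` models the decision a resolver ACL such as BIND's `allow-recursion` makes, and `egress_filter` models the edge-router rule known as BCP 38 (RFC 2827) ingress/egress filtering.

```python
"""Two infrastructure-side controls against DNS amplification, modelled as
policy functions.

Added example, not from the original article. The prefixes, packets and
names are constructed; the functions model the decisions a resolver ACL
(e.g. BIND's allow-recursion) and an edge router's egress filter make."""
from ipaddress import ip_address, ip_network

# Constructed: the address space this network operator owns. Anything that
# leaves the network must carry one of these as its source address.
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("2001:db8::/32")]

# Constructed: clients the operator's resolver should recurse for. Loopback
# is included so the resolver can serve itself.
RESOLVER_TRUSTED = OUR_PREFIXES + [ip_network("127.0.0.0/8"), ip_network("::1/128")]


def in_any(addr, prefixes):
    """True if addr falls within at least one prefix (mixed IPv4/IPv6 is safe:
    an address is never 'in' a network of the other version)."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def resolver_allows_recursion(client_ip, trusted=RESOLVER_TRUSTED, open_resolver=False):
    """Whether the resolver should do a recursive lookup for client_ip.

    open_resolver=True reproduces the misconfiguration the article warns
    about (recursion for anyone on the Internet); the default answers only
    trusted clients, which is what makes the server useless as a reflector."""
    if open_resolver:
        return True
    return in_any(client_ip, trusted)


def egress_filter(src_ip, our_prefixes=OUR_PREFIXES):
    """Decision for a packet leaving our network toward the Internet.

    A packet whose source address is not ours cannot receive a reply inside
    our network; it is the forged packet an amplification attack depends on,
    so it is dropped at the edge (the BCP 38 / RFC 2827 rule)."""
    return "forward" if in_any(src_ip, our_prefixes) else "drop"


# Constructed outbound packets (src, dst, dst_port) as seen on the edge
# router's inside interface. Sources outside OUR_PREFIXES are forged.
OUTBOUND_SAMPLE = [
    ("198.51.100.25", "203.0.113.53", 53),      # our host querying a resolver
    ("203.0.113.9", "203.0.113.53", 53),        # forged: source is not ours
    ("2001:db8:1::5", "2001:db8:ffff::53", 53),  # our IPv6 host
    ("192.0.2.200", "203.0.113.53", 53),        # forged
]


def apply_egress_filter(packets, our_prefixes=OUR_PREFIXES):
    """Return only the packets that would actually leave the network."""
    return [p for p in packets if egress_filter(p[0], our_prefixes) == "forward"]


if __name__ == "__main__":
    for src, dst, port in OUTBOUND_SAMPLE:
        print(f"{src:>18} -> {dst}:{port}  {egress_filter(src)}")
    for client in ("198.51.100.25", "203.0.113.9"):
        print(client, "recursion allowed:", resolver_allows_recursion(client))
```

Note that the egress rule does nothing for the victim's own network; it only helps when deployed at the networks the forged packets originate from, which is why the article frames it as an ISP responsibility. A resolver restricted this way still answers non-recursive queries for zones it is authoritative for, so the change does not break a server that serves both roles.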
Conclusion
DNS amplification attacks pose a significant threat to network security, causing service disruptions and potential financial losses for targeted organizations. By understanding the techniques employed by attackers and implementing effective mitigation strategies, organizations can fortify their defenses against DNS amplification attacks. Proper server hardening, traffic filtering, and DNS traffic monitoring are essential components of a comprehensive defense strategy to mitigate the impact of these damaging attacks.