What a scary combination! Just by reading “attack”, you can feel goosebumps. Then, when “amplification” is added, you can visualize an attack whose power could be increased to damage even more.
What is a DNS amplification attack?
The DNS amplification attack is the type of DDoS attack where a hacker spoofs its IP address and changes it to the target’s IP address, then performs a DNS query access to open, public recursive DNS servers to saturate the target (system) with DNS response traffic. The amplification comes from the answer, which may be many times bigger than the original request.
During the attack, resources like bandwidth will be demanded to a point they get slow or disable. The objective is to obstacle the access to a system (network, online service, application, website).
How does a DNS amplification attack work?
In general terms, during a DNS amplification attack, the attacker sends a DNS lookup query to an open DNS server using a forged source address (target’s address). The DNS server will attend the query, and it will respond with the DNS record or records to the target (no matter it didn’t query a thing).
To amplify the attack, the attacker usually sends too many queries related to every detail of the zone information. Forged queries commonly use “any” to get all the available information related to a DNS zone with only one shot (query). This means the size of the response will be a lot bigger than the query. Both the big amount and the large size of the data packets are used on a DNS amplification attack.
The user datagram protocol (UDP) facilitates this attack. UDP is a protocol used for speeding up data packets transmissions on the Internet (DNS). It delivers messages fast but without validating data, like the legitimacy of an IP address attached to a query. Therefore, all the queries the attacker sends using forged IP addresses will be properly sent to their destination, a target that didn’t query a single thing.
A DNS amplification attack operates through public DNS recursive servers. They will follow their usual searching process and ask for the necessary DNS information to respond to queries.
How to mitigate and prevent DNS amplification attacks?
Both tasks are hard due to a couple of factors. First, to forge DNS queries demands not so much effort and resources, and they can produce massive traffic loads. Besides, it’s a fact that the DNS resolution process (and the DNS responses derived from it) will seem absolutely legit. Yes, valid data sent from legit servers.
What most network administrators recommend is to combine different strategies to be protected.
- Limit the amount of traffic through the use of response rate limiting on the authoritative servers.
- Set up local DNS servers for handling DNS queries only from inside the organization.
- Get a DNS firewall for your network to only permit DNS responses that match queries sent by local DNS servers.
- Get DNS Anycast to avoid overloading and distribute traffic.
Unfortunately, these attacks are getting common since they are quite simple to operate due to the easy resources they demand and a large amount of available public DNS servers. Strengthen the security shield of your business is a must!