What Is a DNS Amplification Attack? | F5 Labs


One wrinkle in the wide-load trucks-on-the-freeway analogy is that at a certain size, UDP packets are too large to transmit without being broken up. So, while the attacker is successful in significantly amplifying the DNS responses, when the packets reach a certain size, they will get fragmented into smaller ones. Either way, the net result of the attack is still the same—the victim’s system will still be overloaded because it must handle all of those fragmented packets and reassemble them. The other equally significant point is that the attack still requires relatively few resources on the attacker’s part.

While DNS amplification attacks are relatively easy to detect (because the victim is suddenly flooded with traffic from a single spoofed IP address), the identity of the attacker is nearly impossible to discern for the same reason—because the source IP address is spoofed. These attacks are easy for attackers to carry out because there are so many publicly accessible DNS resolvers on the Internet (some estimate millions at any given time), and the attacker’s true identity remains hidden. Because of this, these attacks are growing in popularity and, unfortunately, any website or Internet-accessible service could be a potential target.

How to Defend Against DNS Amplification Attacks

Although DNS amplification attacks result in denial of service, they cannot be defended against in the same way as traditional DDoS attacks—for instance, by blocking specific source IP addresses—because the source traffic appears to be legitimate, coming from valid, publicly accessible DNS resolvers. (Blocking all traffic from open resolvers could potentially block some legitimate requests.) Organizations can, however, take steps to help defend against such attacks.

Outbound Security

First, organizations should ensure that all clients—from servers to IoT devices—use local internal DNS servers that are configured to only handle DNS requests from within the organization. Ultimately, no DNS traffic should ever leave the organization’s network that hasn’t originated from these internal servers.

Many attacks, such as DDoS, are possible because enterprise firewalls allow traffic destined for the Internet to use spoofed source IP addresses. Normally, when sending traffic to another system, an internal (networked) device (laptop, printer, server, etc.) would have an internal source IP address, that is, one that matches that of the internal network. In the case of compromised devices, however, an attacker might send traffic using a public IP address as the spoofed source. Poorly configured perimeter firewalls can allow this traffic to pass to the Internet unchecked. Organizations should ensure that all traffic that originates from their network, bound for the Internet, has a source IP address that actually belongs to the internal network.

Inbound Security

Any DNS responses that come into an organization’s networks should be destined for the DNS servers that handle outbound requests, and never to any other endpoints. That way, the organization can block any DNS responses that aren’t destined for those DNS servers. Using a DNS-aware firewall can help, too, by allowing only return traffic back into the network from requests that were actually sent to the organization’s own local DNS servers. In other words, there must be a matching DNS request for every response received, otherwise the traffic will be blocked.
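As an added illustration of the two controls described above (outbound anti-spoofing plus resolver-only DNS egress, and inbound DNS responses admitted only when they match a query that actually left the network), here is a small Python model of the filter logic. It is not code from the F5 Labs article; the internal prefix, the 10.0.0.53 resolver and the upstream addresses are constructed, hypothetical values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addressing for this example (documentation ranges).
INTERNAL_NET = ip_network("10.0.0.0/8")
RESOLVERS = {"10.0.0.53"}   # the organization's own recursive resolvers
DNS_PORT = 53

@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    dst: str       # destination IP
    sport: int     # source UDP port
    dport: int     # destination UDP port
    txid: int = 0  # DNS transaction ID (0 for non-DNS traffic)

def egress_allowed(pkt: Packet) -> bool:
    """Outbound: source must be internal (no spoofing) and DNS queries
    may only leave from the internal resolvers."""
    if ip_address(pkt.src) not in INTERNAL_NET:
        return False                # spoofed public source address: drop
    if pkt.dport == DNS_PORT and pkt.src not in RESOLVERS:
        return False                # client bypassing the resolvers: drop
    return True

class DnsResponseFilter:
    """Inbound: a DNS response (UDP source port 53) is admitted only if it is
    addressed to a resolver and matches a query that actually left the
    network (same resolver address/port, same upstream server, same txid)."""
    def __init__(self) -> None:
        self.pending = set()        # queries awaiting a response

    def observe_outbound(self, pkt: Packet) -> bool:
        ok = egress_allowed(pkt)
        if ok and pkt.dport == DNS_PORT:
            self.pending.add((pkt.src, pkt.sport, pkt.dst, pkt.txid))
        return ok

    def inbound_allowed(self, pkt: Packet) -> bool:
        if pkt.sport != DNS_PORT or pkt.dst not in RESOLVERS:
            return False            # response aimed at a non-resolver endpoint
        key = (pkt.dst, pkt.dport, pkt.src, pkt.txid)
        if key in self.pending:
            self.pending.discard(key)   # one response per outstanding query
            return True
        return False                # unsolicited response: amplification traffic
```

A real deployment would also expire pending entries after a timeout, which is omitted here to keep the matching rule itself visible.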

Organizations can also use DNS Anycast, which distributes the volume of DNS traffic across servers in many locations, effectively load balancing DNS traffic so that no single server is ever overloaded.

In addition to the above, if the amount of incoming traffic is saturating the network connection, organizations should work closely with their ISPs to block traffic upstream. While ISP solutions are often the cheapest, they are typically the least flexible. For that reason, many organizations choose to use a third-party DDoS protection (scrubbing) service, which increases the chances of an attack being stopped before it hits the organization’s network.

For an overview of other types of DDoS attacks and how to protect against them, see What is a DDoS Attack?

Mitigating DNS Amplification Attacks

The following technical/preventative security controls are recommended to protect against DNS amplification attacks.
