Denial of service attacks all have one goal in common – to use network traffic to overload a target system causing it to fail or become unresponsive. For the criminals behind these attacks, there is another consideration – how to achieve that goal at minimal cost to themselves. Which is where DNS amplification comes into play.
What is a DNS amplification attack?
DNS servers are an essential part of the internet, allowing us to route traffic to the correct server from anywhere in the world. And the usual query/response between systems and DNS servers is quick and lightweight. But it can also be weaponised.
DNS relies on UDP transport to accelerate query/response times, so it does not perform any verifications on the packets received. For hackers this means that they can forge (‘spoof’) the originating address, ensuring the DNS response is directed to their victim’s server. Like any denial of service (DoS) attack method, generating enough traffic will overwhelm local resources, causing the server to crash.
To increase the effectiveness of their attack, criminals ‘amplify’ traffic. A typical DNS request is just a few bytes – as is a typical response from the server. But by passing the ‘ANY’ argument in the request, hackers can increase the size of the response by as much as 150x because the packet now contains all of the associated details of the DNS address, not just the target IP address. Small amount of data in, large amount of data out.
Give me an example
Here’s a scenario that helps to visualise the DNS amplification attack.
One of your closest competitors decides that the best way to poach customers is to prevent them from being able to contact your sales team. They have their sales team take it in turns to contact various Amazon warehouses, requesting an agent return their call to read their entire stock inventory (the DNS type ANY command). However, they ask Amazon to call back on your sales line phone number (spoofed return address). A series of Amazon agents then call your sales line and begin reading their product inventory which contains millions of items (amplifying the size of the request). Now all of your phone lines are tied up with junk calls, preventing ‘real’ customers from calling to place orders (the DoS).
Too much traffic overwhelms your sales team and they are unable to function. And because you don’t know where the original request came from, you can’t tell who requested the calls from Amazon.
Just like a DDoS attack, the outage could be extremely costly in terms of financial loss and damage to corporate reputation.
How can I protect infrastructure against DNS amplification attacks?
There are a few things you can do to mitigate this kind of DDoS attack:
An obvious starting point is to implement rate limiting. If inbound traffic reaches a pre-defined threshold, you can reduce throughput to prevent resources being overloaded. Rate limiting can help buy time for your infrastructure team to identify and block an attack.
DNS amplification attacks use open DNS servers to do their dirty work. One way to reduce risk of attack is to block traffic from known open DNS servers. Just bear in mind that this may cause occasional problems with misconfigured devices that rely on those services.
Distributing incoming traffic between multiple DNS points of presence (PoP) can ensure that no single server is overloaded and that enough resources remain available to fulfil legitimate requests.
Cleaning inbound traffic before it arrives in your environment will help to prevent infrastructure overload. DDoS scrubbing providers use deep packet inspection (DPI) to assess each request, automatically diverting malicious traffic and preventing it affecting your network services.
Block internal spoofing
There is always a risk that your own DNS servers could be used as part of an amplification attack. Your infrastructure should be configured to automatically drop any internal traffic that appears to originate from an external address – it is almost certain such traffic has been spoofed and is malicious.
The key to ultimate success – rapid detection
All of these mitigation techniques will help you respond effectively to a DNS amplification attack – but first you need to know if such an attack is underway. Using a tool like FastNetMon to monitor network traffic is vital because it can automatically confirm an attack and implement the initial stages of your mitigation plan. And in the case of FastNetMon, it can respond to an attack in just two seconds – dramatically reducing the window of opportunity for cybercriminals to disrupt your operations.
To learn more about detecting DNS amplification attacks and to see how FastNetMon could work for you, sign up for a free one month trial.