It uses spoofed UDP queries to force DNS servers to send large outputs to a targeted IP address

Feb 10, 2009 09:01 GMT  ·  By

Researchers from IT security firm SecureWorks have documented a new DNS amplification technique employed in recent DDoS attacks. The experts also provide possible solutions to mitigate such attacks.

DDoS (Distributed Denial of Service) attacks occur when a service is flooded with a large number of packets to the point where it cannot handle the load and crashes or stalls. For example, if the service is responsible for handling Internet traffic, the systems dependent upon it lose the ability to access the Internet.

Botnets, armies of infected computers, are commonly used to launch such attacks. On the underground market, botnets are lent for various purposes, including DDoS. The practice of paying for botnet usage rights or the attacks themselves is known as commercial DDoS. The purpose can range from crippling the infrastructure of a competitor to extorting money from companies.

However, in some situations, attackers might not have at their disposal a botnet large enough to launch effective attacks against certain big targets. In these cases, they make use of so-called amplification techniques. "These use bots to send a relatively small amount of traffic to other computers that in turn send more traffic towards the actual target," Don Jackson, senior security researcher at Atlanta-based SecureWorks, shares.

Different DNS amplification variants have been discovered in the past, but have generally been successfully mitigated. The new technique described by the SecureWorks experts uses requests sent to the DNS server simply asking for the nameservers of the root domain, "which results in a response containing a very long list of entries." However, this large output would be of no use to the attacker if it were sent back to the real requester; the attacker therefore redirects the response to the victim by spoofing the source IP address in the request.

As Mr. Jackson explains, this spoofing would be almost impossible to do over TCP, because of the authentication mechanism used by the protocol, known as the three-way handshake. However, the UDP protocol does not benefit from such increased security, and spoofing the source IP of a request is rather simple to achieve.

Even if recursion, another amplification tactic, is not accepted by the DNS server, this new technique is still viable, because a nameserver request for the root domain does not make use of it. "The NS type query isn't asking for an address, just the nameserver(s), so no recursion is implied and the list of root nameservers are typically served from a cache or hints file," the SecureWorks researcher notes.
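The size asymmetry the article describes can be measured without any network traffic. The following added example (not from the article or from SecureWorks) builds an NS query for the root zone in DNS wire format and a constructed response carrying 13 NS records plus 13 A glue records, then compares the two sizes. The server names follow the real root-server naming pattern, but the glue addresses (192.0.2.x, a documentation range) and the TTL are assumed values; the `is_attenuating` check expresses the mitigation Jackson proposes later in the article, namely that a server whose answers are no larger than the queries cannot amplify anything.

```python
import struct

# Constructed sample: the 13 root server names follow the real naming pattern.
ROOT_SERVERS = [f"{c}.root-servers.net" for c in "abcdefghijklm"]
# Constructed glue addresses from the 192.0.2.0/24 documentation range (assumption).
GLUE_ADDRS = [f"192.0.2.{i}" for i in range(1, 14)]
ASSUMED_TTL = 518400  # 6 days; an assumed value, not taken from the article


def encode_name(name: str) -> bytes:
    """Encode a domain name in uncompressed DNS wire format (length-prefixed labels)."""
    if name in ("", "."):
        return b"\x00"  # the root name is a single zero-length label
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ns_query(name: str = ".", txid: int = 0x1234) -> bytes:
    """12-byte header followed by one question: NAME, TYPE=NS (2), CLASS=IN (1).
    Flags are 0, so RD (recursion desired) is clear, matching the article's point
    that an NS query for the root needs no recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 2, 1)
    return header + question


def build_root_ns_response(query: bytes, addrs=GLUE_ADDRS) -> bytes:
    """Constructed response: echoes the question, then 13 NS records in the answer
    section and 13 A glue records in the additional section (no name compression)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    n = len(ROOT_SERVERS)
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, n, 0, n)  # 0x8000 sets QR=1 (response)
    answer = b""
    for ns in ROOT_SERVERS:
        rdata = encode_name(ns)
        # RR = NAME (".") + TYPE NS + CLASS IN + TTL + RDLENGTH + RDATA
        answer += encode_name(".") + struct.pack("!HHIH", 2, 1, ASSUMED_TTL, len(rdata)) + rdata
    additional = b""
    for ns, ip in zip(ROOT_SERVERS, addrs):
        rdata = bytes(int(octet) for octet in ip.split("."))
        # RR = NAME (server) + TYPE A + CLASS IN + TTL + RDLENGTH (4) + IPv4 address
        additional += encode_name(ns) + struct.pack("!HHIH", 1, 1, ASSUMED_TTL, 4) + rdata
    return header + question + answer + additional


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the server emits per byte the (spoofed) sender had to transmit."""
    return len(response) / len(query)


def is_attenuating(query: bytes, response: bytes) -> bool:
    """Jackson's criterion: answers no larger than queries cannot be used for amplification."""
    return len(response) <= len(query)


if __name__ == "__main__":
    q = build_ns_query()
    r = build_root_ns_response(q)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"factor {amplification_factor(q, r):.1f}x, attenuating={is_attenuating(q, r)}")
```

The query is only 17 bytes (12-byte header, 1-byte root name, 2-byte type, 2-byte class), while the constructed response is 862 bytes, so each spoofed query makes the server emit roughly fifty times the attacker's own traffic. A real response can differ in size (name compression shrinks it, EDNS or IPv6 glue enlarges it), but the shape of the ratio is what matters for the mitigation discussion that follows.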

The simplest answer, and probably the first thing many users less familiar with how DNS is used in practice would suggest, is blocking the ability to make requests over UDP. This is indeed one of the options; however, large DNS servers actually favor UDP over TCP, because TCP is a lot slower due to the additional handshake. Therefore, dropping UDP traffic would not be feasible in many setups.

Don Jackson takes another approach to mitigation and bases his solution on the fact that, if a larger input is required for a smaller output, amplification is no longer achieved – on the contrary, this would actually mean attenuation. "If one can configure the nameserver so that the answers are smaller than (or the same size as) the queries, then it is by definition no longer able to be used in amplification. […] This is not of any use to the DDoS attacker," the researcher concludes, before going on to show how this can be achieved on BIND, a widely used DNS platform.

According to The Register, attacks employing this technique have been observed since the middle of January. One of them, directed at an Internet provider called ISPrime, amounted to 5Gbps of traffic originating from around 750,000 DNS servers, which were maliciously queried by a botnet composed of only about 2,000 drones (infected computers).
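From the victim's side, the ISPrime incident has a recognisable traffic signature: large UDP datagrams with source port 53 arriving from a very large number of distinct DNS servers, answering queries the victim never sent. The following added example (not from the article or from any vendor) runs a simple detector over a handful of constructed flow records to illustrate that signature. The record format, the addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and the thresholds are all assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed flow records: (protocol, src_ip, src_port, dst_ip, dst_port, bytes).
# 203.0.113.10 is the hypothetical victim: it sends no DNS queries but receives
# large answers from five different servers. 203.0.113.20 is a normal client.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.1", 53, "203.0.113.10", 40001, 862),
    ("udp", "198.51.100.2", 53, "203.0.113.10", 40001, 862),
    ("udp", "198.51.100.3", 53, "203.0.113.10", 40001, 862),
    ("udp", "198.51.100.4", 53, "203.0.113.10", 40001, 862),
    ("udp", "198.51.100.5", 53, "203.0.113.10", 40001, 862),
    ("udp", "198.51.100.1", 53, "203.0.113.10", 40001, 862),
    ("udp", "203.0.113.20", 51000, "198.51.100.1", 53, 60),
    ("udp", "198.51.100.1", 53, "203.0.113.20", 51000, 100),
    ("udp", "203.0.113.20", 51001, "198.51.100.1", 53, 60),
    ("udp", "198.51.100.1", 53, "203.0.113.20", 51001, 100),
    ("tcp", "198.51.100.9", 53, "203.0.113.10", 40002, 1500),  # TCP is ignored: cannot be spoofed this way
]


def detect_dns_amplification(flows, min_servers=3, min_avg_bytes=400):
    """Flag destination hosts that receive large UDP/53 answers from many distinct
    servers while having sent fewer DNS queries than answers they got back.
    Thresholds are assumed values; tune them to the monitored network."""
    queries_sent = defaultdict(int)    # host -> number of UDP queries it sent to port 53
    answers = defaultdict(list)        # host -> list of (server, bytes) for UDP answers from port 53
    for proto, src, sport, dst, dport, size in flows:
        if proto != "udp":
            continue  # the article's technique relies on UDP; TCP answers are not spoofable this way
        if dport == 53:
            queries_sent[src] += 1
        if sport == 53:
            answers[dst].append((src, size))

    findings = {}
    for host, received in answers.items():
        servers = {server for server, _ in received}
        total = sum(size for _, size in received)
        avg = total / len(received)
        unsolicited = len(received) - queries_sent[host]  # answers beyond what the host asked for
        if len(servers) >= min_servers and avg >= min_avg_bytes and unsolicited > 0:
            findings[host] = {
                "distinct_servers": len(servers),
                "answers": len(received),
                "bytes": total,
                "unsolicited": unsolicited,
            }
    return findings


if __name__ == "__main__":
    for host, info in detect_dns_amplification(SAMPLE_FLOWS).items():
        print(f"{host}: {info['distinct_servers']} DNS servers, {info['bytes']} bytes, "
              f"{info['unsolicited']} unsolicited answers")
```

The "unsolicited" count is the key field: an amplification victim never sent the queries whose answers it is receiving, whereas a busy resolver or client will show roughly one answer per query. On real flow data the same logic runs over a time window and the server-count threshold is set far higher than three; the article's figure of 750,000 distinct servers for a single target shows how extreme the real distribution is.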