DDoS attacks can reach an amplification factor of 8

Feb 16, 2016 22:40 GMT  ·  By

Akamai, one of the Internet's biggest content delivery networks (CDNs), is reporting on a new trend of reflection DDoS attacks that abuse the DNSSEC protocol.

DNSSEC stands for Domain Name System Security Extensions and is an extension of the DNS protocol that adds security features to protect DNS authentication and data integrity. In simpler terms, it's DNS+security.

Reflection DDoS attacks are also known in the industry as R-DDoS, DRDoS, or Distributed Reflective Denial of Service attacks. We explained them in depth last August when one such attack was leveraging various BitTorrent-related protocols to propagate, but the principles behind them are simple.

An attacker sends a network packet with a forged source address to a server, which then sends its response to another user (the attack's victim) instead of back to the attacker. The packet can abuse a specific protocol, and due to various flaws in the protocol, the reflected traffic can be amplified, sometimes by 2, sometimes by 10, but there have been instances that increased attacks by a factor of 200.

Over 400 DNSSEC reflection DDoS attacks recorded in the past months

As Akamai reports, since November 2015 the company has seen and mitigated over 400 reflection DDoS attacks. Attackers have mainly used .gov domains, which US regulations require to support DNSSEC.

While DNSSEC can offer protection against domain hijacking, it can't prevent reflection DDoS attacks, and the protocol apparently has a weak point that attackers are leveraging.

This weak point is the larger size of the standard DNSSEC response, which besides domain name data, also includes lots of authentication-related information.

Attackers are using the same DDoS booters/stressers

Akamai SIRT (Security Intelligence Response Team) says that attackers aren't doing anything special: they are still using the same DDoS toolkits as before and still aiming them at open DNS resolvers.

The trick is that they're querying for DNSSEC-capable domains (usually a .gov domain), but forging the query's source address so that it holds the victim's IP instead of their own.

The open DNS resolver resolves the DNSSEC-capable domain, bloats the response with the extra data DNSSEC requires, and then sends it to the victim's IP.

Amplification factor may sometimes reach 8

A standard DNS response is at most 512 bytes. For DNSSEC, in various configurations the response may approach 4096 bytes, meaning that DNSSEC reflection DDoS attacks may sometimes have an amplification factor of 8.

Since there are over 32 million open DNS resolvers available online, of which 28 million are considered vulnerable, attackers are finding it very easy to launch these types of reflection DDoS attacks.

Akamai reports that the peak recorded bandwidth of a DNSSEC reflection DDoS attack is 123.5 Gbps. Over half of these attacks are aimed at the gaming industry, followed by the financial sector.

The good news is that operators of open DNS resolvers can prevent their service from being abused in reflection DDoS attacks with a few tweaks to their ACLs, which are explained in Akamai's most recent report.
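To make the mechanics above concrete from the resolver operator's side, here is an added example (not code from Akamai or from this article) that runs over a resolver's query log, tallies per-client request and response bytes, and flags clients that sit outside the resolver's intended service networks and are receiving large DNSSEC (DO-bit) responses, i.e. the likely spoofed victim addresses. The log format is a constructed JSON-lines layout, not any real resolver's format, and the sample records, addresses and sizes are constructed; the `ALLOWED_NETS` list plays the role of the recursion ACL the article says open resolvers are missing. Note that the ratio computed here is response bytes over request bytes, whereas the article's factor of 8 compares a DNSSEC response to a standard 512-byte response.

```python
"""Detect likely DNSSEC reflection abuse in a recursive resolver's query log.

Added example, not code from Akamai or from the article. The log format is a
constructed JSON-lines layout (hypothetical; real resolvers differ) with one
record per query: client address, query name/type, whether the EDNS DO bit
was set, and the request and response sizes in bytes.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log: three queries that appear to come from 203.0.113.7
# (a spoofed victim address) for a DNSSEC-signed .gov name, plus ordinary
# traffic from hosts on the resolver's own network.
SAMPLE_LOG = """\
{"client": "203.0.113.7", "qname": "example.gov.", "qtype": "ANY", "do": true, "qsize": 64, "rsize": 3900}
{"client": "203.0.113.7", "qname": "example.gov.", "qtype": "ANY", "do": true, "qsize": 64, "rsize": 3900}
{"client": "203.0.113.7", "qname": "example.gov.", "qtype": "ANY", "do": true, "qsize": 64, "rsize": 3900}
{"client": "10.0.0.25", "qname": "www.example.com.", "qtype": "A", "do": false, "qsize": 45, "rsize": 61}
{"client": "10.0.0.40", "qname": "example.gov.", "qtype": "A", "do": true, "qsize": 64, "rsize": 380}
"""

# Networks this resolver is meant to serve: the recursion ACL an open
# resolver lacks (assumed values for the example).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("127.0.0.0/8")]


def is_allowed(client):
    """Return True if the client address falls inside the recursion ACL."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOWED_NETS)


def parse_log(text):
    """Parse the constructed JSON-lines log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Per client: query count, DO-bit queries, bytes in/out, amplification ratio."""
    stats = defaultdict(lambda: {"queries": 0, "do": 0, "bytes_in": 0, "bytes_out": 0})
    for r in records:
        s = stats[r["client"]]
        s["queries"] += 1
        s["do"] += int(r["do"])
        s["bytes_in"] += r["qsize"]
        s["bytes_out"] += r["rsize"]
    for s in stats.values():
        # Response bytes per request byte sent to this client address.
        s["amplification"] = round(s["bytes_out"] / s["bytes_in"], 1)
    return dict(stats)


def flag_reflection(stats, min_ratio=5.0):
    """Clients outside the ACL that received DNSSEC responses amplified >= min_ratio.

    With the ACL enforced, these queries would have been refused in the first
    place; in the log of an open resolver they are the reflected traffic.
    """
    return sorted(c for c, s in stats.items()
                  if not is_allowed(c) and s["do"] > 0
                  and s["amplification"] >= min_ratio)


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG))
    for client, s in stats.items():
        print(client, s)
    print("suspected reflection targets:", flag_reflection(stats))
```

Running the block prints the per-client summary and reports `203.0.113.7` as the only suspected reflection target: `10.0.0.40` also receives a DNSSEC response well above the request size, but it is inside the service networks, which is exactly the distinction an `allow-recursion`-style ACL enforces.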

In the past, Akamai has also discovered novel methods of carrying out reflection DDoS attacks that were leveraging NetBIOS name servers, Sentinel licensing servers, and RPC portmaps.

[Image: New DDoS technique leverages the DNSSEC protocol]

[Image: DNSSEC reflection DDoS attacks distribution]