Threat Intelligence Blog

Posted August 6, 2014

A Difficult New DNS DDoS Attack

– Chris Donovan

Learn what bots are doing and how they take down DNS

More and more DNS administrators know that attackers can use reflection, or send requests to open recursive DNS servers, to amplify the effect of a DNS-based attack. The same administrators have contributed to the Open Resolver Project, have disabled recursive queries originating from outside their own networks, and either block or rate-limit the queries often used in this kind of attack. DNS operators that find themselves on the receiving end of a reflection attack now also have more tools at their disposal to filter out unsolicited responses and malformed traffic.

Attackers find new ways to generate DNS floods

As expected, attackers rapidly find new ways to attack their intended targets. DNS administrators are now seeing attackers register a domain and designate the target server as the authoritative server for the new domain. The attacker will then use a botnet spread across multiple ISPs’ customers to generate a flood attack via each ISP’s recursive DNS servers by querying for unique host names within the newly created domain. At first the targeted authoritative server will refuse the queries. Eventually, it will be unable to keep up and become non-responsive. The attacker will also rotate through a large number of domains in order to prevent recursive servers from blocking the domain.

Targeting the authoritative server

Since authoritative DNS server complexes are typically much smaller than ISP recursive DNS server complexes, they are easier to overload. As a result, this new type of attack is directed more towards a targeted authoritative server. Still, there is often an impact on the ISP’s recursive servers as well.

4 reasons why this DDoS attack works

There are several reasons why this type of distributed denial of service (DDoS) attack works and why defending against it is difficult:

  1. There is no validation performed when a name server is designated for a new domain. This inherent weakness in domain registration creates a basis for the attack.
  2. The DNS queries generated in this type of attack are syntactically valid.
  3. Because the requested host names are relatively unique, there is almost never a cache hit at an ISP’s recursive server, driving attack traffic directly to the targeted authoritative server.
  4. The traffic to the target authoritative server comes from legitimate sources: each ISP’s recursive servers.

Caught in the middle

While authoritative DNS server operators cannot in practice block access from a recursive server at a major ISP, they have this defense: refuse connections coming directly from broadband clients. This can reduce the attack breadth.

Taking out the authoritative and recursive servers

Once the authoritative server fails under attack, collateral damage impacts the recursive servers. When the authoritative server stops responding, queries from each recursive server will time out and be retried. Not only does this increase the load on the target server, but it will also consume resources on the recursive server. Eventually the recursive server will either hit a software limit on the number of outstanding queries or will exhaust underlying operating system resources. The result is client timeouts and errors for both malicious and non-malicious traffic.

How can DNS flood attacks be stopped?

One solution to this attack methodology involves monitoring recursive DNS queries. When the monitoring shows that the authoritative server is not responding, the monitor can, if capable, generate a synthetic response on behalf of the authoritative server. In this way, traffic is allowed to pass through while the authoritative server is available, but when it is unresponsive, the synthetic responses allow the recursive server to continue fulfilling client queries that don’t involve that authoritative server.
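The monitoring step described above can be sketched as follows. This is an added example, not code from the original post: the log format, the zone names, the two-label zone heuristic and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed recursive-resolver log: (client_ip, queried_name, authoritative_answered)
SAMPLE_LOG = (
    [(f"198.51.100.{i}", f"h{i:04x}q.flood-example.test", i < 1) for i in range(10)]
    + [(f"203.0.113.{i}", "www.shop-example.test", True) for i in range(6)]
    + [(f"203.0.113.{i}", "mail.down-example.test", False) for i in range(6)]
)

def zone_of(qname, labels=2):
    """Approximate the delegated zone as the last `labels` labels.
    Assumption for this sketch; production code would consult the Public Suffix List."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def summarize(log):
    """Per zone: total queries, distinct names asked, queries left unanswered."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "unanswered": 0})
    for _client, qname, answered in log:
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["names"].add(qname.rstrip(".").lower())
        s["unanswered"] += 0 if answered else 1
    return stats

def classify(log, min_queries=5, unique_ratio=0.9, unanswered_ratio=0.8):
    """Label each zone. Thresholds are illustrative assumptions, not tuned values."""
    verdicts = {}
    for zone, s in summarize(log).items():
        if s["queries"] < min_queries:
            verdicts[zone] = "insufficient-data"
            continue
        dead = s["unanswered"] / s["queries"] >= unanswered_ratio
        all_unique = len(s["names"]) / s["queries"] >= unique_ratio
        if dead and all_unique:
            verdicts[zone] = "flood-suspect"   # unique names, no cache hits, no answers
        elif dead:
            verdicts[zone] = "unresponsive"    # outage without the unique-name pattern
        else:
            verdicts[zone] = "ok"
    return verdicts

if __name__ == "__main__":
    for zone, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{zone:22} {verdict}")
```

Zones labelled `unresponsive` or `flood-suspect` are the ones for which a monitor would answer on the authoritative server's behalf; `flood-suspect` additionally matches the unique-host-name pattern listed as reason 3.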

