DNS Amplification Attacks
There are many types of attacks against DNS (the Domain Name System), but one that has drawn recent attention is the amplification attack. Before getting into why an amplification attack is harder to deal with and a bigger threat than a plain flood, a word on what DNS is. DNS servers map domain names such as “google.com” to the IP address of the host that serves that site.
When a user types “lintcenter.com” into a web browser, the browser asks its configured DNS resolver for the IP address of that name; the resolver in turn queries other name servers until it has an answer. Only then can the browser ask the web server for the page. Think of DNS as a distributed dictionary in which each word (a domain name) has a server’s IP address as its definition, but an entry can also hold other information: backup name servers, aliases, mail servers and so on.
An attacker takes advantage of two properties of DNS: an answer can be far larger than the question that prompted it, and DNS normally runs over UDP, where the source address of a query is never verified. DNS servers are as exposed to denial-of-service attacks as any other server. A Denial of Service (DoS) attack is any method used to make a server unreachable to its legitimate users. By far the most common today are Distributed DoS (DDoS) attacks, where many machines (often a single party controlling a botnet) attack a single victim.
One DDoS technique that abuses DNS servers is the amplification attack. The attacker sends many small queries to open recursive resolvers (DNS servers that will answer anyone on the Internet), each with the source address forged to be the victim’s. The queries are chosen so that the answers are as large as possible, for example a query for all record types of a domain, or for a domain the attacker has stuffed with large TXT records. The resolvers chug through the lookup and dump a large response onto the victim for every small packet the attacker sent; hence the term amplification: a few dozen bytes in, kilobytes out, multiplied across every resolver abused. The victim can be any host, not only a DNS server.
The hosts that make the attack possible are those running misconfigured DNS servers: open recursive resolvers that answer queries from any source. The victim is whoever’s address the attacker chose to forge. Finding the servers that can be abused is not always easy, as US-CERT notes:
“While it is not easy to identify authoritative name servers used in DNS reflection attacks as vulnerability is not caused by a misconfiguration, there are several freely available options for detecting open recursive resolvers. Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.”
A server found to be acting as an open resolver can be fixed, but it takes time: recursion has to be restricted to the server’s own clients (or disabled outright on authoritative-only servers), and response rate limiting helps where recursion cannot be turned off. The root enabler, forged source addresses, is addressed by network operators filtering spoofed packets at their edge (source address validation). US-CERT has published free and open-source tools and instructions for detecting open resolvers and for preventing and mitigating this type of attack.
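To make the two ideas above concrete, the asymmetry between a query and its answer, and the check an open-resolver scanner performs, here is a small hand-rolled DNS wire-format example. It is added for this page and is not code from the Lint Center post or from US-CERT. The domain name, the TXT records and the “response” bytes are all constructed inline (no packets are sent), and the numbers it produces are for this constructed case, not measurements of any real resolver.

```python
"""DNS wire-format helpers (RFC 1035) for reasoning about amplification.

Added example; not from the original post. Everything below is constructed:
the name, the record contents and the response bytes are invented for illustration.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "TXT": 16, "ANY": 255}

# Header flag bits (RFC 1035 section 4.1.1).
FLAG_QR = 0x8000   # 1 = this packet is a response
FLAG_RD = 0x0100   # recursion desired (set by the client)
FLAG_RA = 0x0080   # recursion available (set by the server)


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="ANY", txid=0x1234, rd=True):
    """Minimal query: 12-byte header plus one question. ANY with RD set is the
    classic probe an attacker sends, because it maximises the answer size."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def build_response(query, rdatas, rtype=QTYPE["TXT"], ttl=3600, ra=True):
    """Constructed response: echo the question, then one RR per rdata. Each RR
    name is a compression pointer (0xC00C) back to the question name at offset 12."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0)   # rcode 0 = NOERROR
    header = struct.pack("!HHHHHH", txid, flags, qd, len(rdatas), 0, 0)
    body = query[12:]
    for rdata in rdatas:
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_header(pkt):
    """Decode the fields an open-resolver scanner cares about."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}


def looks_like_open_resolver(query, response):
    """Heuristic used by open-resolver scanners: we asked a server we do not
    control for a name it is not authoritative for, and it recursed (RA set),
    reported NOERROR and returned answers. A closed resolver refuses or sets no RA."""
    q, r = parse_header(query), parse_header(response)
    return (r["qr"] and r["id"] == q["id"] and r["ra"]
            and r["rcode"] == 0 and r["ancount"] > 0)


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker spent."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed sample: eight maximal 255-character TXT strings under one name.
    # (Over UDP an answer this large needs the client to advertise EDNS0 buffer
    # space; attackers do exactly that in the forged query.)
    query = build_query("example.com", "ANY")
    big_txt = b"\xff" + b"A" * 255           # one TXT <character-string>, 256 bytes
    open_answer = build_response(query, [big_txt] * 8)
    print("query bytes:", len(query), "response bytes:", len(open_answer))
    print("amplification: %.1fx" % amplification_factor(query, open_answer))
    print("open resolver?", looks_like_open_resolver(query, open_answer))
    print("closed resolver?", looks_like_open_resolver(
        query, build_response(query, [big_txt] * 8, ra=False)))
```

The 29-byte query here draws a response of a little over two kilobytes, roughly a 75x multiplier in this constructed case; a real scanner does the same header check against the reply it gets from each address in a network range, and flags any host that answers a recursive query for a name it does not own.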
About the Author:
Kana Kennedy is a third year Information Security and Forensics major at Rochester Institute of Technology in Rochester, New York. Her specific interest is in Policy Writing and Procedure. She is also the Lint Center’s IT Security Associate.
Disclaimer: The opinions expressed by the Lint Center Bloggers and those providing comments are theirs alone, and do not reflect the opinions of the Lint Center for National Security Studies, Inc. or any employee thereof. The Lint Center for National Security Studies, Inc. is not responsible for the accuracy of any of the information supplied by the Lint Center Bloggers.