With the number of denial of service (DOS) attacks growing overall, a
variety of techniques are being used to take advantage of the Domain
Name System’s openness to direct attacks against DNS servers and even
against targets that do not maintain a DNS server. The asymmetrical nature of DNS queries — the response often is much greater than the query — can turn the system against itself by amplifying attack traffic. With the number of attacks on the rise, security experts have recommended that organizations change their approach to defending against DOS attacks.
Radware’s Global Application & Network Security Report for 2012 cited a 170 percent increase in DNS denial of service attacks from 2011 to 2012 and described four types of attacks targeting or using DNS.
Basic DNS flood
This is much like a brute-force DOS attack against any server, using high volumes of traffic to overpower a DNS server. This can use UDP (User Datagram Protocol) packets, which are accepted by DNS servers and do not require a connection, making it easy to spoof the IP address and hide the identity of the attacking computers.
Even though this is a brute force attack, the attack resources needed are relatively small, since just 10 PCs generating 1,000 DNS requests per second could swamp the capacity of a typical DNS server. Additional computers could be used to further distribute and hide the source of the attack.
This technique actually manipulates DNS servers into directing attack traffic at a target through the use of spoofed IP addresses. Requests are sent to a third-party DNS server or servers using the address of the intended target. Replies are sent to the target server, which can be overwhelmed by the volume of DNS traffic.
The volume of attack traffic is increased because a DNS reply typically is three to 10 times larger than the request. This amplification can be increased another tenfold by using specific DNS requests that require longer answers. The attacker remains hidden behind the DNS servers that are sending replies to the target.
Recursive DNS attack
This leverages the hierarchical nature of DNS, which Radware calls the most sophisticated and asymmetric type of DNS attack. When a recursive DNS server receives a request to resolve a domain name that it does not have cached, it sends out queries to other DNS servers, hoping to get an answer that can be returned. By sending multiple recursive requests for domain names not cached by the target server, an attacker can force the target to send out many requests of its own and wait for responses, quickly using up processing power, memory and bandwidth.
Because of the low amount of traffic needed to generate a recursive attack, it often can fly under the radar of defenses that are tuned to high volumes of traffic.
Garbage DNS attack
This is a volume-based attack using large UDP packets to overwhelm network pipes, which takes advantage of the fact that DNS is a necessity. Because availability on the Internet requires the Domain Name System, organizations will not block the targeted DNS port at the router level, giving a clear shot at the target for a distributed DOS attack.
Posts
