DoS Attacks Leveraging Open DNS Resolvers

The Domain Name System (DNS) has been the target of many types of attacks in recent years. Authoritative DNS servers are exposed to the Internet and generally allow queries from all IP addresses. However, DNS resolvers are typically internal to an organization and allow queries only from the internal clients they serve. DNS resolvers that allow queries from all IP addresses and are exposed to the Internet can be attacked and used to conduct Denial of Service (DoS) attacks on behalf of the hacker.

Following is a picture of how an attack on an open DNS resolver could take place and result in a DNS traffic amplification attack.

Step 1) The attacker places a very large DNS record on an authoritative DNS server that is accessible from the Internet. This record also has a very long Time-To-Live (TTL) value. The attacker could also send a query for a well-known large response, such as a query for ANY from isc.org.

Step 2) The attacker sends a spoofed DNS query for this DNS record to the open DNS resolver. The open DNS resolver does not check the source IP address of the query, so it accepts the query and performs the recursive DNS lookup on behalf of the client.

Step 3) The open DNS resolver fetches the large DNS record and caches that entry for the very long TTL duration. At this point, the attacker can remove the DNS record from the authoritative DNS server.

Step 4) The attacker continues to send small spoofed queries to the open DNS resolver for that cached record. Those queries have a source address of the victim's IP address. The open DNS resolver fails to check the query's source IP address and sends the large cached DNS record to the victim's IP address.

A crafty attacker could achieve up to an 80:1 amplification potential by taking advantage of EDNS0's (RFC 2671) larger response packet size. The attack continues as long as the attacker sends the fake queries. An army of attackers leveraging a set of open DNS resolvers could generate gigabits of DoS traffic. In fact, the largest DNS DDoS attack, targeting Spamhaus in March of 2013, generated a whopping 300Gbps.

These types of attacks and how to protect against them are well documented in IETF RFC 5358, Preventing Use of Recursive Nameservers in Reflector Attacks. We first need to figure out if we are vulnerable to this type of attack. The first step would be to assess if any of our DNS resolvers are connected to the Internet or are reachable from the Internet.
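The amplification behind the four steps above can be measured directly on the wire. The following Python example is added here and is not part of the original post: it builds a recursive ANY query carrying an EDNS0 OPT record (the client advertising that it accepts large UDP responses), constructs the kind of large answer an open resolver returns and the small REFUSED answer a resolver enforcing RFC 5358 source checks returns, and compares the byte counts. The transaction id, the 4096-byte payload advertisement and the eleven 250-character TXT records are constructed values chosen to show the ratio, not measurements of any real server.

```python
"""Build a DNS query with an EDNS0 OPT record, build two kinds of reply to it,
and measure the amplification ratio (response bytes / query bytes)."""
import struct

# DNS wire-format constants (RFC 1035 / RFC 2671)
QTYPE_ANY = 255
QTYPE_TXT = 16
QTYPE_OPT = 41
QCLASS_IN = 1
FLAG_QR = 0x8000   # packet is a response
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available
RCODE_REFUSED = 5


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: 'isc.org' -> b'\\x03isc\\x03org\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, udp_payload: int = 4096,
                txid: int = 0x1234) -> bytes:
    """Recursive query for <name> with an EDNS0 OPT pseudo-RR in the additional
    section advertising udp_payload as the largest UDP reply the client accepts."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name, TYPE=OPT, CLASS=UDP payload size, TTL=ext-RCODE/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def _question_section(query: bytes) -> bytes:
    """Return the question bytes of a query (walks the labels up to the root)."""
    pos = 12
    while query[pos] != 0:
        pos += 1 + query[pos]
    pos += 1 + 4          # null label, then QTYPE + QCLASS
    return query[12:pos]


def build_open_resolver_response(query: bytes, txt_records: list) -> bytes:
    """Constructed reply of an open resolver: recursion granted (RA set) and one
    TXT RR per entry, each pointing back at the question name (0xc00c)."""
    txid = struct.unpack("!H", query[:2])[0]
    answers = b""
    for text in txt_records:
        data = text.encode("ascii")
        # TXT rdata is a sequence of <len><chars> strings of at most 255 bytes each
        rdata = b"".join(struct.pack("!B", len(data[i:i + 255])) + data[i:i + 255]
                         for i in range(0, len(data), 255))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 86400, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA, 1, len(txt_records), 0, 0)
    return header + _question_section(query) + answers


def build_refused_response(query: bytes) -> bytes:
    """Constructed reply of a resolver that refuses recursion to this source:
    RCODE=REFUSED, no RA flag, question echoed, no answers."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
    return header + _question_section(query)


def parse_header(packet: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}


def amplification_ratio(query: bytes, response: bytes) -> float:
    return round(len(response) / len(query), 1)


def answered_recursively(query: bytes, response: bytes) -> bool:
    """True when the server accepted the recursive query and returned data,
    which is what an external probe of an open resolver observes."""
    q, r = parse_header(query), parse_header(response)
    return r["id"] == q["id"] and r["qr"] and r["ra"] and r["ancount"] > 0


if __name__ == "__main__":
    q = build_query("isc.org")
    big = build_open_resolver_response(q, ["x" * 250] * 11)
    small = build_refused_response(q)
    print(f"query {len(q)} bytes; open-resolver reply {len(big)} bytes "
          f"({amplification_ratio(q, big)}:1); refused reply {len(small)} bytes "
          f"({amplification_ratio(q, small)}:1)")
```

The 36-byte query is what the attacker spoofs in step 4; the reply of roughly 2.9 KB is what the victim receives, so the ratio sits in the 80:1 range the text cites. Without the OPT record the resolver would have to truncate at 512 bytes, which is why EDNS0 matters to the amplification. The REFUSED reply is smaller than the query, so a resolver that applies the RFC 5358 source checks offers no amplification at all.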
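The assessment the text calls for, finding out whether a resolver is reachable from the Internet and serving recursion to outsiders, can be started from the resolver's own query log. The following Python example is added here and is not from the original post: it models the RFC 5358 rule (recursion only for the clients the resolver is meant to serve) as an address-list check, and audits log lines for recursive queries from sources outside that list, counting the ANY-with-EDNS pattern described above. The permitted networks and the sample log lines are constructed; the line shape follows the general form of a BIND 9 query log ("client <ip>#<port> (<name>): query: <name> IN <type> <flags> (<server>)"), where a leading "+" means recursion desired and "E" means EDNS was present, but the parser is deliberately tolerant because exact log layouts vary between versions.

```python
"""Model the RFC 5358 client check and audit resolver query logs for
recursive queries arriving from outside the networks the resolver serves."""
import ipaddress
import re

# Constructed ACL: the only networks this resolver is meant to serve recursion to.
PERMITTED_CLIENTS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample in the general shape of BIND 9 query-log lines.
SAMPLE_LOG = """\
client 10.0.0.25#51234 (intranet.example): query: intranet.example IN A + (10.0.0.2)
client 203.0.113.7#4242 (isc.org): query: isc.org IN ANY +E (10.0.0.2)
client 198.51.100.9#4242 (isc.org): query: isc.org IN ANY +E (10.0.0.2)
client 192.168.5.5#33000 (www.example): query: www.example IN AAAA +E (10.0.0.2)
client 203.0.113.7#4242 (isc.org): query: isc.org IN ANY +E (10.0.0.2)
client 203.0.113.7#4242 (isc.org): query: isc.org IN ANY -E (10.0.0.2)
"""

LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)")


def recursion_allowed(client_ip: str, acl=PERMITTED_CLIENTS) -> bool:
    """Serve recursion only to addresses inside the ACL; every other source is refused."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def parse_line(line: str):
    """Extract source address, name, type and the two flags the audit needs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["recursive"] = rec["flags"].startswith("+")   # '+' = RD bit set, '-' = not set
    rec["edns"] = "E" in rec["flags"][1:]
    return rec


def audit(log_text: str, acl=PERMITTED_CLIENTS) -> dict:
    """Group recursive queries from non-permitted sources by source address.
    Any entry at all means the resolver is reachable from, and answering,
    clients it was never meant to serve."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["recursive"]:
            continue                       # non-recursive queries carry no amplification risk here
        if recursion_allowed(rec["ip"], acl):
            continue                       # an internal client; expected traffic
        entry = findings.setdefault(rec["ip"], {"count": 0, "any_edns": 0, "qnames": set()})
        entry["count"] += 1
        entry["qnames"].add(rec["qname"])
        if rec["qtype"] == "ANY" and rec["edns"]:
            entry["any_edns"] += 1         # the high-amplification query shape
    return findings


if __name__ == "__main__":
    for ip, info in sorted(audit(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} recursive queries from outside the ACL, "
              f"{info['any_edns']} of them ANY+EDNS, names={sorted(info['qnames'])}")
```

A non-empty result is the cue to close the gap rather than to keep counting: on BIND the same address list goes into `allow-recursion` (for example `allow-recursion { localnets; localhost; };`) so the resolver itself returns REFUSED to everyone else, and the perimeter filter should stop port 53 reaching internal resolvers from the Internet at all. A spoofed victim address will of course also fail the check, which is the point: the resolver no longer reflects toward anyone it does not serve.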