
DNS Reflection/Amplification Attack: Proved

Chris Buijs

Last year there was a "threat" by the Anonymous group to black out the Internet by using a DNS Reflection/Amplification attack against the Internet DNS root servers. I even wrote a little article about it: "End of the world/Internet

In that article I was questioning whether this was even possible and what would be needed, out of general interest and curiosity.

Well, looking at the "stophaus" attack last week, we are getting some answers.

I would say it is a real threat now and a valid attack vector. It seems you only need a couple of ingredients:

Open recursive DNS servers

Many of these are already available, and their numbers keep increasing. This includes not only dedicated DNS server systems but, it seems, any equipment attached to the Internet that is capable of handling DNS requests (cable modems, routers, etc.). So the risk that this will be utilized again grows every day.

A party that is capable of and willing to set it off

It seems there are more and more parties on the Internet that are open to "attacking" certain entities on the Internet to defend their beliefs. In the above case, even stressing the Internet itself and affecting everyone's use of it.

Infrastructure

Let's call it the "Internet", "logistics" and "bandwidth". Looking at the numbers, it is apparent that you need little (in context) and that it is possible if you want to. Technologically, service-wise or otherwise it is not really challenging. And it does not have to be done from a shady area/country either.
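The three ingredients above are what a resolver operator sees from the receiving end: a spoofed "client" (the victim) sending the same small query over and over and getting back responses many times larger. The following is an added example, not code from the original post, that flags such sources in a constructed resolver query log; the log format, thresholds and addresses are all assumptions made for the example.

```python
"""Flag likely reflection/amplification abuse in a resolver's query log.

Constructed log format, one line per answered query:
"<epoch> <client_ip> <qname> <qtype> <query_bytes> <response_bytes>".
In a reflection attack the client address is the spoofed victim, so the
resolver sees one source repeating queries whose responses dwarf them.
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 is the spoofed victim, 198.51.100.9 a normal client.
SAMPLE_LOG = """\
1364540000 203.0.113.7 amp.example.net ANY 64 3200
1364540000 203.0.113.7 amp.example.net ANY 64 3200
1364540001 203.0.113.7 amp.example.net ANY 64 3200
1364540001 203.0.113.7 amp.example.net ANY 64 3200
1364540002 198.51.100.9 www.example.com A 50 66
1364540003 198.51.100.9 mail.example.com MX 55 110
"""

def parse_log(text):
    """Yield (client, qname, qtype, qbytes, rbytes) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip truncated or malformed lines
        _, client, qname, qtype, qbytes, rbytes = parts
        yield client, qname.lower(), qtype.upper(), int(qbytes), int(rbytes)

def suspicious_sources(text, min_factor=10.0, min_queries=3):
    """Return {client: (amplification_factor, max_repeats)} for clients whose
    response/query byte ratio AND repetition of one query both exceed the
    thresholds (threshold values are assumptions for this example)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    repeats = defaultdict(lambda: defaultdict(int))
    for client, qname, qtype, qb, rb in parse_log(text):
        sent[client] += qb
        received[client] += rb
        repeats[client][(qname, qtype)] += 1
    flagged = {}
    for client in sent:
        factor = received[client] / sent[client]
        most_repeated = max(repeats[client].values())
        if factor >= min_factor and most_repeated >= min_queries:
            flagged[client] = (round(factor, 1), most_repeated)
    return flagged

if __name__ == "__main__":
    for client, (factor, n) in suspicious_sources(SAMPLE_LOG).items():
        print(f"{client}: amplification x{factor}, one query repeated {n} times")
```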

I suspect we will see more of this happening now that the "proof-of-concept" is done. It still worries me what happens when the real guns are pulled out and the focus shifts from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my peers on how to mitigate this; it is very difficult, as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean "breaking" some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

The main concern in this, again, is the "open resolvers" out there that we cannot control without education and regulation on how DNS is deployed (you know, the things we are allergic/apathetic about on the Internet).

The more thought I give this, the more I think the solution is not only technical but mostly an organisational/educational/regulatory one. Before that is in place, we will probably experience some outages.

By Chris Buijs, Head of Delivery. More blog posts from Chris Buijs can also be read here.

Related topics: Cyberattack, DDoS, DNS, DNSSEC


Comments

Filtering – Todd Knarr – Mar 29, 2013 12:10 PM PST

I think it's not so much the open resolvers, although anything that's open unintentionally should be closed. Most resolvers should only be handling queries from the local network or downstream, not from the outside world.

The real problem is the address spoofing that allows these attacks in the first place. The attack depends on being able to forge the source address and have the packets routed. But unless your network's carrying a lot of transit traffic from a variety of address space, you shouldn't be allowing that. Upstream interfaces should only be allowing traffic out if it's from addresses your network should be carrying. Downstream interfaces should only be allowing traffic in that's from addresses that should be downstream of that interface. And the upstream interfaces shouldn't be allowing traffic in that's not to an address on or downstream of your network. That kind of filtering should be standard on every network it's feasible to do on, and it'd shut down this attack (and many others) at the source.

I know it won't work for all networks. But there's a lot of networks near the edge where you find only a reasonable chunk of address space that ought to be sending traffic up through that interface, where you're connecting end-user networks that shouldn't be carrying other people's traffic. Why are those connections still allowing spoofed/forged traffic through them?
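The three interface rules in the comment above are the BCP 38 style ingress/egress filtering that stops spoofed reflection traffic at the edge. Here they are written out as a small policy check; this is an added example, not Todd Knarr's or the site's code, and the prefixes and interface names are constructed.

```python
"""BCP 38 / RFC 2827 style source-address filtering, as a policy check.

Rules (from the comment above):
  * upstream interface, outbound: source must be within our own prefixes
  * downstream interface, inbound: source must be within that interface's
    downstream prefixes
  * upstream interface, inbound: destination must be within our own prefixes
"""
import ipaddress

# Constructed address plan for a small edge network.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
DOWNSTREAM = {
    "cust1": [ipaddress.ip_network("203.0.113.0/26")],
    "cust2": [ipaddress.ip_network("203.0.113.64/26")],
}

def _within(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)

def allow_upstream_out(src):
    """Egress towards transit: drop anything we do not originate."""
    return _within(src, OWN_PREFIXES)

def allow_downstream_in(iface, src):
    """Ingress on a customer port: drop sources not assigned to that port."""
    return _within(src, DOWNSTREAM.get(iface, []))

def allow_upstream_in(dst):
    """Ingress from transit: drop packets not destined to us or our customers."""
    return _within(dst, OWN_PREFIXES)

def would_forward(iface, src, dst):
    """Apply the rule for the interface a packet arrives on; 'upstream' is
    the transit link, any other name is a customer interface."""
    if iface == "upstream":
        return allow_upstream_in(dst)
    return allow_downstream_in(iface, src) and allow_upstream_out(src)

if __name__ == "__main__":
    # A query from cust1 with its source forged to a reflection victim's address.
    print(would_forward("cust1", "198.51.100.5", "192.0.2.53"))   # False: spoofed
    print(would_forward("cust1", "203.0.113.10", "192.0.2.53"))   # True: legitimate
```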

I agree that the open resolvers are – Chris Buijs – Apr 01, 2013 11:54 PM PST

I agree that the open resolvers are not "only" the problem. But they are accessible without many limitations. Spoofing is just not helping here, and makes the amplification attack possible. All other attacks (mostly poisoning) are still possible.

Cable modems with recursive DNS server? – Frank Bulk – Mar 29, 2013 12:28 PM PST

… also any equipment attached to the internet capable of handling DNS requests it seems (like cable-modems, routers, etc)

I'm not aware of cable modems that have recursive DNS server support, though RGs (residential gateways) surely support them. But those devices, of all CPE deployed, would be manageable by the service provider, such that they could change that setting universally.

Do you have evidence that cable modems are a big part of the recursive DNS problem? If I had to guess where the problems were, I would first list customer-owned routers, then DSL modems, then non-firewalled hosts, and then firewalls/routers NATing to an internal DNS server.

Cable modems were mentioned in a couple – Chris Buijs – Apr 01, 2013 11:58 PM PST

Cable modems were mentioned in a couple of articles concerning the stophaus attack, seems to be mostly in the UK. I must admit I was wondering as well how this works. Didn't give it much thought and just jotted it down in the article.

But I think the context is probably more "broadband" related and that more and more residential users have mail and DNS servers running locally nowadays (in proportion, that is), and most of them seem to be "open" or not as tightly secured/configured as wished for.

I read a reference to "cable boxes" – Frank Bulk – Apr 02, 2013 6:30 AM PST

I read a reference to "cable boxes" in another article yesterday, and I believe that is also misleading. Open recursors can be found on all types of network gear.

PoC? – Frank Bulk – Mar 29, 2013 12:32 PM PST

I suspect we will see more of this happening now the "proof-of-concept" is done. It still worries me when the real guns are pulled out and focus would shift from particular entities to the root infrastructure of the Internet.

I had a couple of talks with my expertise peers on this how to mitigate this, it is very difficult as it is sheer load coming from every corner of the Internet. We really did not come up with a single solution. Mitigation would probably mean "breaking" some parts of the Internet as collateral damage, which in size would probably be disruptive enough as well.

Main concern in this, again, is the "open resolvers" out there that we cannot control without education and regulation on how DNS is deployed (you know, the thing we are allergic/apathetic about on/about Internet).

Why are you calling this a proof-of-concept? This attack on CloudFlare appears to be the real thing.

Why would we need to come up with a single solution? The immediate mitigation approach was traffic scrubbing, and the long-term approach is closing open DNS resolvers and minimizing the number of spoofable hosts by using features such as uRPF. As it was, CloudFlare "mitigated" the issue significantly by having used anycast across many sites.

Just fancy wording :-) Actually it proves the – Chris Buijs – Apr 02, 2013 12:03 AM PST

Just fancy wording :-)

Actually it proves the scale, magnitude and possibility of the attack for real, and it was made visible by all the media attention, which I think was a first on this scale. CloudFlare mitigated the attack indeed, which took some effort (interesting read how they did it and what was happening, BTW). They did not solve the cause though. As you said, the open resolvers are still there and spoofing is still possible, so the attack is ready to use again, but we are on our toes now.

It is getting quite an attention... – Chris Buijs – Apr 02, 2013 10:39 PM PST

Wow… Lots of articles and news items on this. Guess we are worrying (for a good reason), but it is also getting out of proportion.

Nice articles:

http://www.circleid.com/posts/20130402_open_dns_resolvers_coming_to_an_ip_address_near_you/

http://www.techrepublic.com/blog/security/ddos-strike-on-spamhaus-highlights-need-to-close-dns-open-resolvers/9296

Gizmodo Article: It's a lie ... – Chris Buijs – Apr 02, 2013 10:41 PM PST

Another nice one, whatever is going on, it's getting attention on all fronts :-).

http://gizmodo.com/5992652
