
Report on DNS Amplification Attacks

In this newly released paper Randal Vaughn and Gadi Evron discuss the threat of Distributed Denial of Service (DDoS) attacks that use recursive DNS name servers left open to the world as reflectors. The study is based on case studies of several attacked ISPs, which reported attack volumes of 2.8Gbps. One reported event indicated attacks reaching as high as 10Gbps and using as many as 140,000 abused name servers.

According to the paper, the general threat has been known for several years; what makes the recent attacks so dangerous is their massive scale and the abuse of extended DNS (EDNS0) functionality, which lets a name server return UDP responses far larger than the classic 512-byte limit and so multiplies the traffic a single spoofed query can reflect at a victim.

The paper begins with an overall description of the attacks: queries are sent over UDP with the source address spoofed to that of the victim, so the open recursive servers deliver their large, IP-fragmented responses to the victim rather than to the attacker. It then continues to a very detailed and technical description of how it all works.
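To make the mechanics concrete, the following is an added example (not code from the paper or from CircleID) that builds a recursion-desired DNS query on the wire with and without an EDNS0 OPT record, constructs a reply carrying a large TXT record set, applies the UDP size ceiling the querier advertised, and reports the amplification factor. The domain name, the 4096-byte EDNS0 buffer size, and the fifteen 200-byte TXT strings are all constructed stand-ins; a real attack would pick a name whose ANY answer is large.

```python
"""Added example: DNS amplification query/reply sizes at the wire-format level."""
import struct
from typing import List, Optional

DNS_UDP_MAX_CLASSIC = 512   # RFC 1035 ceiling for a UDP reply without EDNS0
EDNS_UDP_PAYLOAD = 4096     # buffer size advertised in the OPT record (assumed value)
QTYPE_ANY, QTYPE_TXT, TYPE_OPT, CLASS_IN = 255, 16, 41, 1


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: id, the flag bits that matter here, section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_payload: Optional[int] = EDNS_UDP_PAYLOAD) -> bytes:
    """Build a recursion-desired query. With edns_payload set, append an EDNS0 OPT
    pseudo-RR (RFC 6891) whose CLASS field advertises a large UDP buffer size."""
    arcount = 1 if edns_payload is not None else 0
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # RD=1
    msg += encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_payload is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return msg


def advertised_udp_size(query: bytes) -> int:
    """UDP reply size the querier accepts: from the OPT record if present, else 512.
    Simplification: assumes the OPT RR is the only additional record, as build_query emits."""
    if parse_header(query)["arcount"] >= 1 and len(query) >= 11:
        tail = query[-11:]
        if tail[0] == 0 and struct.unpack("!H", tail[1:3])[0] == TYPE_OPT:
            return max(DNS_UDP_MAX_CLASSIC, struct.unpack("!H", tail[3:5])[0])
    return DNS_UDP_MAX_CLASSIC


def build_txt_response(query: bytes, txt_values: List[bytes], ttl: int = 3600) -> bytes:
    """Constructed reply from an open recursive server: one TXT RR per value, owner
    names compressed to the question (0xC00C). A reply larger than the querier's UDP
    ceiling is cut back to header + question with TC=1, as a server would do."""
    hdr = parse_header(query)
    question = query[12:query.index(b"\x00", 12) + 5]   # name (uncompressed) + qtype + qclass
    has_opt = hdr["arcount"] >= 1
    answers = b""
    for value in txt_values:
        if len(value) > 255:
            raise ValueError("a TXT character-string is limited to 255 bytes")
        rdata = bytes([len(value)]) + value
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, EDNS_UDP_PAYLOAD, 0, 0)) if has_opt else b""
    flags = 0x8180                                      # QR=1, RD=1, RA=1: recursion offered
    full = struct.pack("!HHHHHH", hdr["id"], flags, 1, len(txt_values), 0, 1 if has_opt else 0)
    full += question + answers + opt
    if len(full) <= advertised_udp_size(query):
        return full
    # Too big for the querier's buffer: drop the answers and set TC (client would retry over TCP).
    return (struct.pack("!HHHHHH", hdr["id"], flags | 0x0200, 1, 0, 0, 1 if has_opt else 0)
            + question + opt)


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends to the spoofed source per byte the attacker sent."""
    return len(response) / len(query)


if __name__ == "__main__":
    # Constructed data: 15 TXT strings of 200 bytes stand in for a large record set.
    big_rrset = [bytes([65 + i]) * 200 for i in range(15)]
    for label, q in (("classic", build_query("example.com", edns_payload=None)),
                     ("EDNS0", build_query("example.com"))):
        r = build_txt_response(q, big_rrset)
        print(f"{label:8s} query={len(q):3d}B reply={len(r):4d}B "
              f"TC={parse_header(r)['tc']} x{amplification_factor(q, r):.1f}")
```

Run as a script it shows the point of the paper's "extended DNS functionality" remark: the 29-byte classic query gets a 29-byte truncated reply (factor 1.0), while the 40-byte EDNS0 query draws a 3235-byte reply (factor about 81), and on the wire a reply that size is carried as IP fragments.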

In its conclusions the paper also discusses possible mitigations.

Based on the knowledge we have received, the paper is a pre-release made in response to recent threats and the lack of information available to the operational community; the paper was originally planned as an academic paper.

To obtain a full PDF copy of this paper click here.

Related topics: Cyberattack, Cybercrime, DDoS Attack, DNS

Share your comments

Re: Report on DNS Amplification Attacks John Palmer  –  Mar 23, 2006 11:27 AM PDT

We need to be careful in proposing a suggested solution.

Inclusive Namespace roots provide public resolvers for users whose ISPs are too stubborn or dumb to provide their users with choice. Customers of such ISPs can simply decide to use the public resolvers provided by the INS roots, like Public Root or ORSC.

Shutting off user choice by suggesting that ISPs block outbound 53/TCP, 53/UDP will take away that choice.

I'm sure that some ICANN sycophants will be happy about this and if I were the suspicious type, I'd say that this sudden "awareness" of a "severe security problem" that has been around for a long time may be planned by those who are becoming uncomfortable with the ever increasing number of people who are abandoning the ICANN root in favor of DNS Service Providers (DSPs) who provide a view of the entire internet and don't impose non-related policies (UDRP) on domain registrants.

What better way to kill the INS than by putting up a security straw man and scaring people, especially ISPs, into taking away DNS choices from internet citizens. I am especially suspicious about this after seeing who was quoted in the recent MSNBC piece about the so-called "new" security risk that has "just been discovered". His jihad against allowing internet citizens to have the freedom to choose their DSP from among global choices is well known to all.

Watch out here - there may be more to this story than meets the eye…

Re: Report on DNS Amplification Attacks The Famous Brett Watson  –  Mar 23, 2006 5:52 PM PDT

I think the conspiracy theorising is a little over the top in the face of an actual multi-gigabit DDoS attack. TCP SYN flooding was a purely theoretical attack for a while there too before anyone actually exploited it maliciously. Such is the nature of the beast.

In any case, the suggested solution is not to block outbound DNS queries from rank-and-file hosts, but for DNS servers to offer recursive service only to those hosts considered "local". Where this can't be achieved by a configuration change to the DNS server, it could be achieved by firewalling the server.
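The "recursive service only to local hosts" remedy described in the comment above, as an added example that is not part of the original post or of any DNS server's code. It evaluates a BIND-style address-match list (CIDR prefixes, the keywords any/none/localhost, and "!" for negation, first match wins) against a client address, and answers a recursion-desired query from an address outside the list with a REFUSED reply that carries no answers, so there is nothing to amplify. The OPEN and LOCAL lists, the 192.0.2.0/24 and 2001:db8::/32 prefixes, and the hard-coded query bytes are constructed for the example.

```python
"""Added example: deciding whether a client may use a resolver recursively, and refusing otherwise."""
import ipaddress
import struct
from typing import Iterable, Optional

# Constructed query: id 0x1234, RD=1, one question for example.com ANY IN, no EDNS0.
QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00" + b"\x00\xff\x00\x01"

OPEN_ACL = ["any"]                      # the weak setting: the whole Internet may recurse
LOCAL_ACL = ["!192.0.2.99", "localhost", "192.0.2.0/24", "2001:db8::/32"]  # corrected: local nets only


def recursion_allowed(client_ip: str, allow_recursion: Iterable[str]) -> bool:
    """First-match evaluation of an address-match list. Fails closed: an unparsable
    client address or list entry denies recursion rather than granting it."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for entry in allow_recursion:
        negate = entry.startswith("!")
        entry = entry.lstrip("!").strip()
        if entry == "any":
            matched = True
        elif entry == "none":
            matched = False
        elif entry == "localhost":
            matched = ip.is_loopback
        else:
            try:
                matched = ip in ipaddress.ip_network(entry, strict=False)
            except ValueError:
                return False
        if matched:
            return not negate
    return False


def refuse(query: bytes) -> bytes:
    """Build a REFUSED reply: QR=1, RD echoed, RA=0 (recursion not offered), RCODE=5,
    question echoed, no answer records. Its size is about that of the query."""
    txid, flags = struct.unpack("!HH", query[:4])
    question = query[12:query.index(b"\x00", 12) + 5]
    reply_flags = 0x8000 | (flags & 0x0100) | 5
    return struct.pack("!HHHHHH", txid, reply_flags, 1, 0, 0, 0) + question


def handle_query(query: bytes, client_ip: str, allow_recursion: Iterable[str]) -> Optional[bytes]:
    """Return a REFUSED reply for recursion-desired queries from disallowed clients,
    or None to signal that the server should go ahead and resolve the name."""
    flags = struct.unpack("!H", query[2:4])[0]
    recursion_desired = bool(flags & 0x0100)
    if recursion_desired and not recursion_allowed(client_ip, allow_recursion):
        return refuse(query)
    return None


if __name__ == "__main__":
    for acl_name, acl in (("OPEN_ACL", OPEN_ACL), ("LOCAL_ACL", LOCAL_ACL)):
        for client in ("192.0.2.10", "192.0.2.99", "198.51.100.7", "2001:db8::1"):
            verdict = "resolve" if handle_query(QUERY, client, acl) is None else "REFUSED"
            print(f"{acl_name:9s} {client:14s} -> {verdict}")
```

The important property is the last branch of recursion_allowed: a client that matches nothing is refused, so an unexpected address (for example the spoofed address of a victim) never gets the large recursive answer. Where the server software cannot express this, the comment's alternative applies: filter UDP and TCP port 53 to the server from outside the same address list at the firewall.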

Re: Report on DNS Amplification Attacks John Palmer  –  Mar 24, 2006 9:02 AM PDT

That's another aspect of the problem, and perhaps the more dangerous to internet freedom: demonizing all ORNs.

There is a legitimate reason for ORNs to exist. The reason is to allow users whose ISPs don't support the INS to use it if they want.

What's the difference between an ISP intercepting all 53/UDP and 53/TCP requests and forwarding them to its own resolver whose hints file contains the list of corrupt and ancient ICANN root servers, and blacklisting the addresses of INS resolvers?

From the end-user's point of view - nothing. They are still denied choice, one way or the other. Turning off all INS ORNs is closing off the only avenue some users have to access the inclusive namespace. 
