ESDS Knowledge Base

11
Mar

A Threat to DNS – Once Bitten, Twice Shy

DNSSEC

Security researchers highlighted DNSSEC “Amplification DDOS Vulnerability”, which opens the door to DDOS Attacks.

Is it a wrong time for Internet? No, it isn’t, though it is basically the conjuring trick unveiled by the researchers. Highlights the flaws in the Domain Name System Security Extension (DNSSEC) configured domain. Since past couple of months, the Internet experienced a massive number of DNS reflection and amplification DDOS attacks – abusing DNS Security Extension i.e. DNSSEC configured domain. Mainly, the financial services have been targeted by DNS amplification attack operations.

DNSSEC is the protocol that provides authentication of DNS data (the system of correspondence between URLs and IP addresses. By using the very short lifetime DNSSEC certificates, an attacker can also use:

  1. NTP amp
  2. DNS amp 1.x
  3. The Dominate TCP attack script

And can drop all connections to trusted domains with DNSSEC. The first two (NTP amp & DNS amp 1.x) are common DDoS reflections and amplification vectors. The third (Dominate TCP attack script) is a modified type of improved SYN (ESSYN) attack. These attack scenarios, combining manipulation of the clock and life certificates can also be used against cloud services.

The third attack type mentioned above i.e. Dominant TCP Attack Script is the only that spoofs source IPs. This attack mainly consists three sets of flags, 1) SYN 2) CWR 3) ECN (Explicit Congestion Notification).

So what exactly it is?

DNS Amplification Attack is a DDoS attack variant that allows an attacker to increase the effect through the exploitation of DNS servers that use recursion for queries and an extension of the DNS protocol, the EDNS9. The purpose of attacking is to send a small number of requests with the expectation of invoking a much bigger response. First of all, the attacker consist a DNS query for a resource record that knows how to imply a much larger demand response.

The attacker may obtain this effect by attacking a DNS server that previously allowed successful intrusion, editing the areas of the same server to insert an amplification resource record. Next, the attacker retrieves a list of open recursive servers that contact recursively and return them the amplification record, it created with the destination IP what the victim will be flooded by a large volume of traffic until the collapse. For all this, the attacker needs a large number of sources for the attack. Those who use this type of DDoS intrusion typically use botnets for the greatest number of possible queries.

How does it work?

DNS Amplification Attack

The DNS Amplification Attack (aka. DNS Reflection Attack) is a popular form of attack of DDoS (distributed denial of service types) attack based on the use of Open DNS servers, and, therefore, accessible to all. Basically, an improper configuration of DNS is at the heart of this type DDoS. So let’s see how to solve this problem.

The distributed denial of service (DDoS) can take many forms that disturb the normal functioning of a website or online service. The DNS servers provide the basic infrastructure for the Internet and help to direct traffic to the location of the correct IP address. In a DNS amplification attack, the attacker takes advantage of a bad configuration in a DNS server to flood the server with DNS response traffic, creating a comparable flow of DDoS.

The weak link in the chain allows DNS amplification attacks to create recursive DNS configuration problems. The root cause of the wrong configuration is that the recursive DNS server, which is configured to only respond to local issues and is open to requests from any system.

The technical base of this attack consists of sending a query to a recursive DNS server with open source address spoofed to be the address of the victim. When the DNS server sends the response to the DNS record, it is sent instead to the victim. Because the size of the response is usually much greater than the demand, the attacker is able to increase the volume of traffic directed to the victim.

Attackers can further enhance the magnitude of the DNS amplification attack if they have a botnet that is then able to make even more of DNS queries, increasing the size of the final DDoS attack.

Misconfigured DNS servers are not a new phenomenon on the Internet. In 2007, the DNS service provider Infoblox found that more than half of DNS servers surveyed at the time were wide open to recursive queries from anywhere.

The risk of recursive DNS resolvers is still open. Unlike the traditional botnets that could only generate limited volume traffic because of the Internet connections and modest victims’ computers, these resolvers are usually open running on large servers with huge bandwidth. They are like bazookas and in the event of attack they can cause the massive damage.

Detection & Mitigation

DNS Recursion

IT system administrators can use the site openresolverproject.org to scan their own IP address space to see if they have an open recursive resolver that the project already publicly indexed. A similar tool is available from the measurement space and test resolver dnsinspect.com, which also provides an online tool for system admins to control misconfigured DNS servers.

The first step in preventing and mitigating the risk of DNS amplification attacks is to properly configure the recursive DNS servers. It has been noticed that many DNS servers are to be used for a single domain and then have to be enabled recursion.

For DNS servers that are deployed within an organization or ISP to support name queries on behalf of a client, the resolver must be configured to only accept requests on behalf of allowed clients. These requests should normally come from customers within the network addressing.

To go further, the DNS amplification attacks use spoofed IP addresses. So to counteract this attack, ESDS has configured snort rule in our ids to detect and mitigate this threat:

alert udp $EXTERNAL_NET any -¬?> $HOME_NET 53 (msg:"DNS flooder 1.1 abuse";
sid:20130115; rev:1;\content:"|00 ff 00 01 00 00 29 23 28|"; offset:12;)

Leave a Reply