First paper in the DrDoS Attacks series: DNS Reflection

Published March 19, 2013


The Domain Name System (DNS) is a critical component of Internet functionality, but cyber criminals are forcing DNS servers to participate in distributed denial of service (DDoS) attacks targeting a vast array of industries. Learn how the DNS process works, how a DNS reflection and amplification attack is carried out, and what can be done to lessen the risk of a DDoS attack.

What You Need to Know

  • DNS reflection attacks are made possible by artifacts of the original architecture and design laid out in the DNS RFC.
  • DNS was designed with a focus on providing ways to resolve domain names, not on addressing potential security issues.
  • The implementation of RFC extensions has introduced additional vectors for the exploitation of victim DNS servers.
  • The DDoS threat posed by DNS reflection attacks will remain until these security gaps are closed.

Background

The DNS Distributed Reflection Denial of Service (DrDoS) technique relies on the exploitation of the DNS Internet protocol:

  • Malicious actors, or hackers, spoof (forge as the source) the IP address of their primary target and then send DNS requests to a list of victim DNS servers.
  • When each DNS server receives the forged request, it is tricked into sending its response to the spoofed IP address, that is, to the hacker’s primary target.
  • The victim DNS servers thus unwittingly send a flood of unwanted responses to the primary target.

This method of DDoS attack is disruptive to both the victim DNS servers and the primary target, magnifying the efforts of the attacker.

  • The scale of the attack depends on the number of victim DNS servers on the attacker’s list.
  • An attacker can build a list of DNS server IP addresses simply by scanning IP ranges and checking for responses on port 53, which is used for DNS messages.
  • Because the DrDoS attack uses spoofed IP requests to a legitimate DNS server, attributing the attack to the original malicious actor becomes a difficult task.
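The pattern described above leaves a distinctive trace on the victim DNS server: one "client" address (actually the spoofed primary target) that suddenly receives a large volume of responses far larger than the requests that triggered them. The following is an added example, not code from the paper or from Prolexic, that reads a constructed query log (the log format, field order and thresholds are assumptions for this illustration) and flags client addresses whose request count and amplification factor (response bytes divided by request bytes) both exceed a threshold, which is the signal an operator would want before applying a countermeasure such as response rate limiting.

```python
"""Added example (not part of the original paper): flag likely DNS
reflection abuse in a resolver's query log.

In a reflection attack the client address recorded by the DNS server is
the spoofed address of the primary target, so the defender's signal is a
single address receiving many, heavily amplified responses.
"""
from collections import defaultdict

# Constructed sample log. Assumed format (one query per line):
#   <epoch_seconds> <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
SAMPLE_LOG = """\
1363651200 198.51.100.7 example.com A 45 61
1363651201 198.51.100.7 example.net AAAA 47 75
1363651203 198.51.100.7 example.org MX 46 62
1363651201 203.0.113.9 example.org TXT 44 3120
1363651201 203.0.113.9 example.org TXT 44 3120
1363651201 203.0.113.9 example.org TXT 44 3120
1363651202 203.0.113.9 example.org TXT 44 3120
1363651202 203.0.113.9 example.org TXT 44 3120
1363651202 203.0.113.9 example.org TXT 44 3120
1363651202 192.0.2.5 example.org TXT 44 3120
1363651203 192.0.2.5 example.org TXT 44 3120
"""


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, qname, qtype, req_bytes, resp_bytes = parts
    try:
        return {
            "ts": int(ts),
            "client": client,
            "qname": qname,
            "qtype": qtype,
            "req_bytes": int(req_bytes),
            "resp_bytes": int(resp_bytes),
        }
    except ValueError:
        return None


def aggregate_by_client(lines):
    """Sum query count, request bytes and response bytes per client address."""
    stats = defaultdict(lambda: {"queries": 0, "req_bytes": 0, "resp_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed input rather than failing the whole run
        entry = stats[rec["client"]]
        entry["queries"] += 1
        entry["req_bytes"] += rec["req_bytes"]
        entry["resp_bytes"] += rec["resp_bytes"]
    return stats


def find_reflection_targets(lines, min_queries=5, min_amplification=10.0):
    """Return clients that look like reflection targets, largest first.

    A client is flagged only when it both issued at least `min_queries`
    requests and received responses at least `min_amplification` times
    larger (in bytes) than the requests it sent. Thresholds are assumed
    values for the example; tune them to the server's normal traffic.
    """
    flagged = []
    for client, entry in aggregate_by_client(lines).items():
        if entry["req_bytes"] == 0:
            continue  # avoid division by zero on empty/odd records
        amplification = entry["resp_bytes"] / entry["req_bytes"]
        if entry["queries"] >= min_queries and amplification >= min_amplification:
            flagged.append({
                "client": client,
                "queries": entry["queries"],
                "resp_bytes": entry["resp_bytes"],
                "amplification": round(amplification, 2),
            })
    flagged.sort(key=lambda f: f["resp_bytes"], reverse=True)
    return flagged


if __name__ == "__main__":
    for hit in find_reflection_targets(SAMPLE_LOG.splitlines()):
        print(f'{hit["client"]}: {hit["queries"]} queries, '
              f'{hit["resp_bytes"]} response bytes, '
              f'x{hit["amplification"]} amplification')
```

In the sample, 198.51.100.7 has ordinary traffic (three small answers), 203.0.113.9 receives six responses each roughly seventy times the size of its requests and is flagged, and 192.0.2.5 shows the same amplification but only two queries, so it stays below the count threshold. Requiring both a volume and an amplification condition keeps a single large legitimate answer from raising an alert; because the flagged address is the spoofed target rather than the attacker, the appropriate response is to throttle responses to it (response rate limiting) rather than to treat it as the source of the attack.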
