Knowledge is power: understanding the mechanics of a DDoS attack, by Chris Marrison, EMEA Technical Director, Infoblox.
It was revealed in a recent report on infrastructure security that Distributed Denial of Service Attacks (DDoS) on enterprise Domain Name Systems (DNS) have risen by 25 per cent in the last year, with over a third of companies falling victim to an attack. Despite the warning signs, however, the stats also show that over a quarter of businesses take no formal responsibility for DNS security.
DNS security cannot be ignored. Cisco’s threat intelligence experts found evidence of corporate networks being misused or compromised by malware in every single case they examined during a recent project on DNS lookups, according to the company’s 2014 Annual Security Report.
How does a DNS attack work?
Attackers send queries to name servers across the Internet with the source IP address spoofed to that of their target, so the name servers' responses go to the victim rather than to the attacker.
If responses were the same size as the queries themselves, this would not be enough to hamper the target. Instead, attackers craft queries that elicit the largest possible response, which has become significantly easier since the adoption of DNS Security Extensions (DNSSEC), whose cryptographic keys and digital signatures make responses far larger than the queries.
To put it into numbers, a query of just 44 bytes, sent from a spoofed IP address to a domain that carries DNSSEC records, could return a response of over 4,000 bytes. Over a 1Mbps Internet connection, an attacker could easily send in the region of 2,840 44-byte queries per second, resulting in 93Mbps worth of replies. Scaling this up with a botnet of thousands of computers and 10 accomplices, the attacker could deliver 1Gbps of replies, rendering the target incapacitated.
It is estimated that there are approximately 33 million open recursive servers, and these will repeatedly accept the same query from the same spoofed IP address, each time sending back a response as described above, wreaking havoc on the target.
DNS traffic tends to be filtered less vigorously than other types of traffic such as web or email, and the domain name registry can be largely forgotten by network administrators, who only deal with it during infrequent renewals. As a result, very few businesses think to keep a regular check on DNS traffic or maintain detailed audit trails for DNS lookups.
If organisations do not know what their normal load looks like, they may not even be able to recognise when they are being overloaded by an attack. Enabling the statistics support in their name server software allows administrators to analyse query rates, socket errors and other attack indicators. Even where an organisation cannot say in advance what an attack looks like, monitoring DNS statistics enables it to identify anomalies quickly.
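As an added illustration of the kind of check such statistics make possible (example code written for this page, not Infoblox's or any product's), the following Python parses constructed BIND-style query-log lines and flags a source that repeats the identical DNSSEC-enabled query many times within a second, the "same query from the same spoofed address" pattern described above. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query-log sample (not real traffic): one client repeats
# an identical DNSSEC-enabled ANY query for example.com six times in ~0.5 s.
SAMPLE_LOG = """\
01-Mar-2014 10:00:00.101 client 198.51.100.7#4321 (www.example.com): query: www.example.com IN A +E (192.0.2.53)
01-Mar-2014 10:00:00.204 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.305 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.406 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.507 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.608 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.709 client 203.0.113.9#53 (example.com): query: example.com IN ANY +ED (192.0.2.53)
01-Mar-2014 10:00:00.810 client 198.51.100.8#5555 (example.com): query: example.com IN MX +E (192.0.2.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Return (timestamp, source, qname, qtype, do_bit) per parsable line; 'D' in the flags is the DNSSEC OK bit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append((ts, m["src"], m["name"], m["qtype"], "D" in m["flags"]))
    return events

def find_reflection_suspects(events, repeat_threshold=3, window_seconds=1.0):
    """Map (source, qname, qtype, do_bit) -> peak count for identical queries that
    recur more than repeat_threshold times inside any window_seconds span."""
    by_key = defaultdict(list)
    for ts, src, name, qtype, do_bit in events:
        by_key[(src, name, qtype, do_bit)].append(ts)
    suspects = {}
    for key, times in by_key.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > repeat_threshold:
            suspects[key] = peak
    return suspects
```

Run over a real query log, the same function gives a per-source, per-query view of which repeated requests are driving response volume, which is the baseline comparison the paragraph above calls for.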
Switches and routers, firewalls, Internet connections and the rest of the Internet-facing infrastructure should all be analysed for single points of failure. Once identified, the business should then consider whether these vulnerabilities can be effectively eliminated.
It is also a good idea to distribute external authoritative name servers widely. This helps to avoid single points of failure, while also improving response times for customers in each region.
Over-provisioning can also be a successful way to counteract the huge number of responses resulting from a DDoS attack. A relatively inexpensive process, this can also be trialled easily in advance of an incident.
Finally, cloud-based DNS providers run their own name servers in data centres around the world. These can be configured as secondaries for an organisation’s own, with data loaded from a master name server designated and managed in-house. However, as most of these providers bill for the number of queries received, it is worth checking if they make exceptions during DNS attacks, as this will of course cause queries to rocket.
As the backbone of the Internet, DNS can easily become forgotten within an organisation, until a targeted attack serves as a reminder of its importance. By taking time to understand how DNS attacks work, businesses can take the correct precautionary measures to ensure that the DNS remains quiet, without being ignored.