Protecting against DDoS attacks and their exploitation of DNS

By Chris Marrison, EMEA Technical Director, Infoblox.

Monday, 24th March 2014. Posted by Phil Alsop.

A recent report on IT infrastructure security found that just over one-third of companies experienced a Distributed Denial of Service (DDoS) attack on their Domain Name System (DNS) servers in 2013, up from one-quarter in 2012. Despite this rise, the report goes on to reveal that many businesses aren’t doing enough to protect this critical component of their IT infrastructure, with more than a quarter of them reporting that no formal responsibility was being taken for DNS security within their company.


Cisco’s threat intelligence experts found in their 2014 Annual Security Report that every single corporate network that they examined showed evidence of having been compromised or misused. All of the networks, for example, had DNS lookups relating to websites that hosted malware, 96 per cent showed traffic to hijacked servers, and 92 per cent showed traffic to sites with no content whatsoever, typically a sign of malware hosting.
Such findings demonstrate not only how real a threat DDoS attacks are, but also suggest DNS servers may be considered as soft targets that are currently neglected by businesses when they should, in fact, be considered a priority.


In order, therefore, to consider what steps businesses should take to protect themselves against DDoS attacks, we begin by looking at how exactly these attacks work.


Understanding DDoS attacks
Generating a DDoS attack by using an organisation’s DNS infrastructure can be surprisingly simple. Queries are sent by attackers to name servers across the Internet which, in turn, send back responses. However, rather than using their own IP addresses to send these queries, the attackers will spoof the address of their target, whether it be another name server, a web server, router, or another node on the internet.


As DNS queries tend to be carried over the connection-free User Datagram Protocol (UDP), they’re especially easy to spoof. By way of illustration, sending a DNS query from a spoofed IP address is as simple and effective as writing someone else’s return address on a postcard.


However, if each response is no larger than the original query, then simply spoofing a DNS query won’t, in itself, be enough to incapacitate a target. To inflict maximum damage, each query needs to be amplified so that it elicits the largest response possible, something that has become significantly easier since the adoption of the DNS Security Extensions (DNSSEC).


Since its introduction in 1999, the set of extensions known as EDNS0 has allowed UDP-based DNS messages to carry large amounts of data: while most queries are fewer than 100 bytes in length, responses can be considerably larger, at up to 4,096 bytes. Responses of this size were once rare in the internet’s namespace, but the DNSSEC records that store cryptographic keys and digital signatures are now both commonplace and huge.


To see how these responses can be used in an effective DDoS attack, take the example of a query of just 44 bytes. Sent from a spoofed IP address to a domain containing DNSSEC records, this single query could generate a response of 4,077 bytes, an amplification factor of almost 93.


By using a relatively modest 1Mbps internet connection, an attacker could send around 2,840 of these 44-byte queries every second, resulting in around 93Mbps of replies being returned to the spoofed target server. To ensure the target is incapacitated, the attacker could quickly recruit further accomplices by employing a botnet of thousands of computers. With just 10 additional attackers, the initial attack could deliver 1Gbps of replies to begin crippling the target. Consider, then, the devastation caused by recent DDoS attacks that peaked between 300Gbps and 400Gbps.


Fortunately, most name servers can be configured to recognise when they’re being repeatedly queried for the same information from the same IP address.


Recursive name servers are a different story, however. They are generally used in closed environments such as enterprise IT networks, but an estimated 33 million recursive servers worldwide are open, processing recursive queries from any IP address.


By accepting the same query from the same IP address – spoofed or not – over and over again, open recursive servers are ideal for use in reflective DDoS attacks.


For each repeat query they receive, they will send back responses similar in size to the DNSSEC examples.


Best defence
Fortunately, there are steps that companies can take to protect themselves from such attacks, the first and possibly most important of which is learning to recognise just when a DDoS attack is taking place.


Many companies are unaware of what their query load is, although it can be easily determined using the statistics support built into the BIND DNS software, which lets administrators analyse their own data. Initially, it shouldn’t matter too much if it’s not clear exactly what an attack looks like: by monitoring DNS statistics, a baseline can be established that allows trends and anomalies in query rates, socket errors and other attack indicators to be identified.
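As an added illustration (not code from the article), the two checks just described, spotting the same query repeated from one IP address and comparing the current query rate with a baseline, run over a few constructed lines written in the style of a BIND query log:

```python
import re
import statistics
from collections import Counter

# Constructed sample lines in BIND query-log style; not captured traffic.
# "+E" in the flag field marks an EDNS query, i.e. one that can draw a large reply.
SAMPLE_LOG = """\
10:00:00.101 client 198.51.100.3#4100: query: www.example.com IN A +
10:00:00.140 client 203.0.113.7#5000: query: example.com IN ANY +E
10:00:00.141 client 203.0.113.7#5000: query: example.com IN ANY +E
10:00:00.142 client 203.0.113.7#5000: query: example.com IN ANY +E
10:00:00.143 client 203.0.113.7#5000: query: example.com IN ANY +E
10:00:00.144 client 203.0.113.7#5000: query: example.com IN ANY +E
10:00:01.010 client 198.51.100.9#4200: query: mail.example.com IN MX +
10:00:01.020 client 203.0.113.7#5000: query: example.com IN ANY +E
"""

LINE_RE = re.compile(
    r"^(?P<hms>\d\d:\d\d:\d\d)\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)$"
)

def parse_query_log(text):
    """Return (second, client_ip, qname, qtype, edns) tuples, one per log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query-log entry (e.g. a startup message)
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        records.append((h * 3600 + mi * 60 + s, m["ip"], m["name"].lower(),
                        m["qtype"].upper(), "E" in m["flags"]))
    return records

def repeated_queries(records, per_second_limit):
    """Identical (client, qname, qtype) queries seen more than the limit in one second."""
    counts = Counter((sec, ip, name, qt) for sec, ip, name, qt, _ in records)
    return {k: n for k, n in counts.items() if n > per_second_limit}

def rate_anomalies(records, baseline_qps, sigmas=3.0):
    """Seconds whose total query count exceeds mean + sigmas * stdev of a baseline."""
    limit = statistics.mean(baseline_qps) + sigmas * statistics.pstdev(baseline_qps)
    per_second = Counter(sec for sec, *_ in records)
    return {sec: n for sec, n in per_second.items() if n > limit}
```

The baseline passed to `rate_anomalies` would in practice be the per-second counts collected from BIND’s statistics over a quiet period; here a short constructed series stands in for it.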


Organisations should also scrutinise their internet-facing infrastructure to identify single points of failure in external authoritative name servers, as well as switch and router interactions, firewalls and connections to the internet. Once identified, consideration should be given as to whether these can be easily and cost-effectively eliminated.


Broad geographical distribution of an enterprise’s authoritative name servers should also be considered where possible to help minimise possible single points of failure, as well as offering the additional bonus of improving response time performance for those servers’ closest customers.


Businesses should also think about overprovisioning their existing infrastructure as a means of coping with the huge number of responses that result from a DDoS attack. With capable name servers able to handle tens or hundreds of thousands of queries per second, overprovisioning is a relatively inexpensive process and one that can be trialled prior to an actual attack.


Anycast, which allows multiple servers to share one single IP address, is a technique that works well with DNS and can be used as a means of resisting DDoS attacks. By using a dynamic routing protocol such as OSPF or BGP, the hosts supporting an organisation’s name servers will advertise a route to a new, virtual IP address listened to by the name server.


If a company has six external name servers, say, in two Anycast groups (i.e. three sharing one Anycast IP address, and three sharing another), then an attacker using DDoS can only send traffic to one member of either group from any point at any given time, thus allowing the others to carry the required load.


Finally, cloud-based DNS providers allow businesses to combine the benefits of broad geographical distribution with those of the Anycast technique, without the need for significant spend. Running Anycast name servers in data centres around the world, cloud-based DNS providers allow these servers to be configured as secondaries for an organisation’s own, with data loaded from a master name server designated and managed in-house by the client. However, most of these providers do, to some extent, charge according to the number of queries received, which can increase dramatically during a DDoS attack. Before employing such a provider, businesses should check whether it has a provision for DDoS attacks that doesn’t involve passing on the costs.


Avoiding exploitation
In addition to shoring up their defences against DDoS attacks, businesses should also take steps to make sure that they avoid becoming unwilling, and unwitting, accomplices in attacks against others.


Unless they’re one of the few organisations that deliberately run an open recursive name server, businesses should ensure that recursive queries are accepted only from IP addresses on their internal networks, thereby allowing only authorised users access to their recursive name servers.


Response Rate Limiting, or RRL, makes it difficult for attackers to use authoritative name servers as amplifiers: once the number of queries from a single IP address reaches a configured threshold, further responses to that address are withheld. RRL is incorporated into recent implementations of BIND and other name servers, meaning that, as businesses upgrade their name servers to newer versions, it will become increasingly difficult for attackers to use their DNS infrastructure for amplification purposes.
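A simplified response rate limiter, added here as illustration and not BIND’s own implementation: identical responses to the same /24 netblock draw on a token bucket, and once it is empty every second withheld answer is "slipped" as a tiny truncated reply, so a genuine resolver retries over TCP while a spoofed victim receives almost no amplified traffic. The parameter names mirror BIND’s responses-per-second, window and slip options, but the bucket arithmetic is an assumed simplification.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Token-bucket limiter keyed on (client netblock, qname, qtype, rcode).
    Assumed simplification of BIND-style RRL, not its actual code."""

    def __init__(self, responses_per_second=5, window=5, slip=2, prefix=24):
        self.rps = responses_per_second
        self.capacity = responses_per_second * window  # burst a bucket may hold
        self.slip = slip        # every slip-th withheld answer is sent truncated
        self.prefix = prefix    # IPv4 clients are aggregated per /prefix
        self.buckets = defaultdict(lambda: {"credits": self.capacity,
                                            "last": None, "withheld": 0})

    def _key(self, client_ip, qname, qtype, rcode):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        return (str(net), qname.lower(), qtype.upper(), rcode)

    def decide(self, now, client_ip, qname, qtype, rcode="NOERROR"):
        """Return 'send', 'truncate' (TC=1 reply, a few dozen bytes; genuine
        resolvers retry over TCP, a spoofed victim gets no amplification)
        or 'drop' for a response due at time `now` (seconds)."""
        b = self.buckets[self._key(client_ip, qname, qtype, rcode)]
        if b["last"] is not None:   # refill credits for the elapsed time
            b["credits"] = min(self.capacity,
                               b["credits"] + (now - b["last"]) * self.rps)
        b["last"] = now
        if b["credits"] >= 1:
            b["credits"] -= 1
            return "send"
        b["withheld"] += 1
        return "truncate" if self.slip and b["withheld"] % self.slip == 0 else "drop"

def run_burst(limiter, now, client_ip, qname, qtype, count):
    """Decisions for `count` identical responses to one client at the same instant."""
    return [limiter.decide(now, client_ip, qname, qtype) for _ in range(count)]
```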


If organisations are able to understand the mechanics of DDoS, and recognise when an attack is taking place, they will soon be able to take the steps necessary not only to defeat it but also to avoid their infrastructure being used to amplify or reflect DDoS attacks on others.