Distributed Denial of Service (DDoS) attacks are nothing new. This type of attack, and the tools to perform it, have been around for years, and some famous malware variants, like Mirai, have even been developed specifically to perform these attacks.
However, DDoS attacks are undergoing a constant evolution as attackers develop new tools and techniques to keep ahead of cyber defenders. Recently, DNS amplification attacks have been in vogue due to their massive potential amplification factors and the easy accessibility of DNS servers. The growing threat of these attacks makes it more important than ever for organizations to deploy a strong DDoS mitigation solution.
What is DDoS Amplification?
A DDoS attack accomplishes its goal by overwhelming a target service’s ability to function. In many cases, this is accomplished by sending more data than the target network can carry or the target application can process. When trying to overwhelm a target with data over the network, there are two main options. The same amount of data can be carried by a large number of smaller packets or a much smaller number of larger packets.
DDoS amplification is designed to help an attacker achieve the second option by creating an asymmetrical relationship between the attacker and the target. If the attacker has to send the same amount of traffic that the target receives, it may be difficult to scale to attack large targets. With DDoS amplification, the attacker sends smaller packets and the target is hit with much larger packets.
This is accomplished by taking advantage of DDoS amplifiers. These are services where a small request can result in a significantly larger response. The attacker sends a request to this service with the source IP address spoofed to that of the target. After processing the request, the amplifier service sends its much larger response to the target rather than to the attacker.
The Threat of DNS Amplification
While several different types of DDoS amplifiers exist, they have varying levels of effectiveness. The best DDoS amplifier has a high amplification factor (ratio of response length to request length) and is a service that is easily accessible from the public Internet. The Domain Name System (DNS) meets both of these requirements. As a result, it is an increasingly popular choice for DDoS attackers. In fact, DNS amplification accounts for 45% of recent DDoS attacks.
- DNS Accessibility Aids DDoS
When using DDoS amplification, a major challenge can be identifying potential amplifiers that are easily accessible from the Internet. While some individuals or businesses may leave vulnerable protocols open to the public Internet, others know better and block those protocols at the network boundary with firewalls.
DNS is different because it cannot be blocked at the network boundary and still have the Internet function as designed. Since computers cannot cache the extensive and continually changing list of mappings between domains and IP addresses, they need to be able to send DNS requests and receive responses in order to be able to visit new and unknown domains on the Internet.
In a DNS amplified DDoS attack, all that the target sees is a stream of responses to DNS requests that it never sent. Since receiving DNS responses is necessary for computers within the network, it can be difficult to detect and filter these malicious responses, making them an ideal vector for DDoS attacks.
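The point above, that the only thing distinguishing an amplification response from a legitimate one is whether anyone on the network asked for it, is exactly what a stateful check can exploit. The following is an added example, not code from the original article: it tracks outbound queries by (internal host, source port, resolver, DNS transaction id) and flags any inbound response that has no matching pending query. The flow-log line format, the internal address range (10.0.0.0/8), the pending-query lifetime and the sample lines are all constructed assumptions for the example.

```python
"""Flag inbound DNS responses that no host on our network asked for.

Added example, not from the original article. It assumes a constructed
flow-log format with one UDP datagram per line:

    <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> dns qr=<0|1> id=<txid> bytes=<n>

qr=0 is a query, qr=1 is a response, id is the 16-bit DNS transaction id.
A response is "expected" only if a query with the same (internal host,
internal port, resolver, txid) was seen within QUERY_TTL seconds and has
not already been answered. Everything else is reported as unsolicited.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
QUERY_TTL = 5.0  # seconds a pending query stays valid (assumed tuning value)

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<sip>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dip>[\d.]+):(?P<dport>\d+) dns qr=(?P<qr>[01]) id=(?P<id>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Datagram:
    ts: float
    sip: str
    sport: int
    dip: str
    dport: int
    is_response: bool
    txid: int
    size: int


def parse_line(line: str) -> Datagram:
    """Parse one constructed flow-log line into a Datagram."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Datagram(float(m["ts"]), m["sip"], int(m["sport"]), m["dip"],
                    int(m["dport"]), m["qr"] == "1", int(m["id"]), int(m["bytes"]))


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_unsolicited(lines):
    """Single pass over the log; returns (flagged responses, counters).

    Memory is one dictionary entry per still-unanswered query, so the
    state is bounded by the legitimate query rate, not by attack volume.
    """
    pending = {}  # (host, port, resolver, txid) -> query timestamp
    flagged = []
    stats = {"queries": 0, "matched": 0, "unsolicited": 0, "unsolicited_bytes": 0}
    for line in lines:
        d = parse_line(line)
        if not d.is_response:
            if is_internal(d.sip) and d.dport == 53:
                pending[(d.sip, d.sport, d.dip, d.txid)] = d.ts
                stats["queries"] += 1
            continue
        # Only responses arriving at an internal host from a port-53 source matter here.
        if not is_internal(d.dip) or d.sport != 53:
            continue
        key = (d.dip, d.dport, d.sip, d.txid)
        sent = pending.pop(key, None)
        if sent is not None and d.ts - sent <= QUERY_TTL:
            stats["matched"] += 1
        else:
            # No query on record (or it expired): nobody here asked for this.
            stats["unsolicited"] += 1
            stats["unsolicited_bytes"] += d.size
            flagged.append(d)
    return flagged, stats


# Constructed sample log, not real traffic. 192.0.2.53 is "our" resolver;
# the 198.51.100.x sources are resolvers nobody on the network queried.
SAMPLE_LOG = [
    "100.00 10.1.2.3:51000 -> 192.0.2.53:53 dns qr=0 id=4101 bytes=44",
    "100.02 192.0.2.53:53 -> 10.1.2.3:51000 dns qr=1 id=4101 bytes=180",   # legitimate answer
    "100.10 198.51.100.7:53 -> 10.1.2.3:51000 dns qr=1 id=4101 bytes=3200",  # same id, wrong resolver
    "100.11 198.51.100.8:53 -> 10.1.2.9:53 dns qr=1 id=1 bytes=3300",        # no query at all
    "100.12 10.1.2.4:40000 -> 192.0.2.53:53 dns qr=0 id=7 bytes=40",
    "106.50 192.0.2.53:53 -> 10.1.2.4:40000 dns qr=1 id=7 bytes=120",       # answer after QUERY_TTL
]

if __name__ == "__main__":
    hits, counters = find_unsolicited(SAMPLE_LOG)
    print(counters)
    for h in hits:
        print(f"unsolicited {h.size}-byte response from {h.sip} to {h.dip}:{h.dport}")
```

The last sample line shows a design choice worth noting: an answer that arrives after the pending-query lifetime is also reported, which is the conservative behaviour for a detector but would need a longer window (or a separate "late answer" category) before being used to drop packets.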
- Achieving Massive Amplification with DNS
When performing a DDoS amplification attack, the amplification factor is also an important consideration. The greater the amplification factor, the larger the attack that can be performed with a finite amount of attacker resources. DNS attacks are becoming increasingly popular since they can have extremely large amplification factors and because the attacker has some level of control over the amplification factor of an attack.
This attacker control is due to the fact that DNS data for a particular domain is set by the owner of the domain, not the DNS server owner. The purpose of DNS is to provide a way for computers to map a particular domain name to the IP address(es) that can serve content for that domain.
The records associated with a domain can include multiple IP addresses, multiple record types, and other features, all of which make the data sent in response to a DNS request larger. Some DDoS attackers will deliberately register DNS domains with large amounts of associated data simply to increase this response size, driving up the amplification factor of a DDoS attack.
To make things worse, even features designed to improve DNS can make the protocol more useful for DDoS amplification. DNSSEC is designed to improve the security of DNS by providing authentication of DNS responses. However, DNSSEC also makes DNS responses longer, enabling attackers to achieve an amplification factor of up to 54x when using DNS in a DDoS attack.
Protecting Against DDoS Attacks
DNS amplification is an increasingly popular tool in the DDoS attacker’s toolbox due to the reachability of DNS servers and potential amplification factors provided by DNS responses. Detecting and blocking the malicious use of DNS is challenging since legitimate DNS requests and responses are essential to the proper functioning of the Internet.
Protecting against DNS amplification – and other DDoS attacks – requires the use of a DDoS mitigation solution. By using behavioral analytics and anomaly detection, these systems can differentiate between legitimate and malicious DNS traffic, protecting against this attack vector without negatively impacting productivity and Internet accessibility for legitimate users.
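As an added example of the behavioral approach described above (not code from the original article or from any particular mitigation product), the script below applies two measurements to per-host DNS traffic in one-second windows: the observed amplification factor, computed as the ratio of response bytes to request bytes that the article defines, and the inbound response volume compared with the host's own baseline. A window is flagged only when both are anomalous, so a large but requested answer (for example a DNSSEC-signed response, which can legitimately have a high ratio on its own) does not trigger an alert. The event format, window size, thresholds and sample traffic are constructed assumptions.

```python
"""Windowed behavioral check for DNS amplification traffic aimed at a host.

Added example, not part of the original article. Input events are
constructed tuples (timestamp_seconds, internal_host, direction, bytes)
where direction is "q" for a query the host sent and "r" for a response it
received. For each (host, window) the code computes the inbound response
bytes and the observed amplification factor (response bytes / query
bytes; no queries at all counts as infinite). A window is flagged when
the inbound volume exceeds the host's baseline (mean + K_SIGMA standard
deviations over the training windows) AND the ratio exceeds RATIO_LIMIT.
"""
from __future__ import annotations

import math
from collections import defaultdict

WINDOW = 1.0        # seconds per window (assumed)
K_SIGMA = 3.0       # baseline tolerance in standard deviations (assumed)
RATIO_LIMIT = 20.0  # response/query byte ratio that looks like amplification (assumed)
MIN_INBOUND = 2000  # ignore windows below this many inbound bytes (assumed)


def bucket(events):
    """Aggregate events into {(host, window_index): {"q": bytes, "r": bytes}}."""
    agg = defaultdict(lambda: {"q": 0, "r": 0})
    for ts, host, direction, size in events:
        if direction not in ("q", "r"):
            raise ValueError(f"bad direction {direction!r}")
        agg[(host, int(ts // WINDOW))][direction] += size
    return agg


def amplification(q_bytes, r_bytes):
    """Observed amplification factor; responses with no queries are unbounded."""
    return math.inf if q_bytes == 0 else r_bytes / q_bytes


def baseline(agg, host, train_windows):
    """Mean + K_SIGMA*stdev of inbound bytes over the host's training windows.

    Windows with no traffic count as zero, so quiet periods pull the
    baseline down rather than being ignored.
    """
    vals = [agg.get((host, w), {"r": 0})["r"] for w in train_windows]
    mean = sum(vals) / len(vals)
    var = sum((v - mean) ** 2 for v in vals) / len(vals)
    return mean + K_SIGMA * math.sqrt(var)


def detect(events, train_windows):
    """Return alerts for non-training windows that are anomalous on both axes."""
    agg = bucket(events)
    train = set(train_windows)
    limits = {h: baseline(agg, h, train_windows) for h in {h for h, _ in agg}}
    alerts = []
    for (host, w), c in sorted(agg.items()):
        if w in train:
            continue
        ratio = amplification(c["q"], c["r"])
        if c["r"] >= MIN_INBOUND and c["r"] > limits[host] and ratio > RATIO_LIMIT:
            alerts.append({"host": host, "window": w, "inbound": c["r"], "ratio": ratio})
    return alerts


def constructed_events():
    """Constructed sample traffic, not a real capture. Windows 0-9 are training."""
    a, b = "10.0.0.5", "10.0.0.6"
    ev = []
    for w in range(10):  # ordinary resolver traffic; window 3 holds one large (DNSSEC-sized) answer
        ev += [(w + 0.1, a, "q", 40), (w + 0.2, a, "r", 1500 if w == 3 else 200)]
        ev += [(w + 0.3, b, "q", 40), (w + 0.4, b, "r", 150)]
    ev += [(12.1, a, "q", 40), (12.2, a, "r", 1400)]                    # large answer, but asked for
    ev += [(15.0 + i / 10, a, "r", 3200) for i in range(5)]             # responses nobody asked for
    ev += [(16.1, a, "q", 40), (16.2, a, "q", 40)]
    ev += [(16.3 + i / 10, a, "r", 3000) for i in range(4)]             # 80 bytes out, 12000 bytes in
    ev += [(17.0 + i / 20, a, "q", 40) for i in range(10)]
    ev += [(17.5 + i / 20, a, "r", 300) for i in range(10)]             # busy but normal ratio
    ev += [(15.3, b, "q", 40), (15.4, b, "r", 150)]                     # quiet host stays quiet
    return ev


if __name__ == "__main__":
    for alert in detect(constructed_events(), range(10)):
        print(f"host {alert['host']} window {alert['window']}: "
              f"{alert['inbound']} inbound bytes, amplification {alert['ratio']:.1f}")
```

In the constructed sample, window 15 (responses with no queries) and window 16 (a 150x byte ratio) are flagged, while window 12 (one large answer the host requested) and window 17 (a burst of ordinary lookups) are not. Tuning the two thresholds against real baseline traffic is what keeps this kind of check from blocking the legitimate DNS responses the article notes the network depends on.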