Last week I described some early and simple DDoS or Distributed Denial of Service attacks, Smurf and Fraggle, and how basic best practices would help all of us. Let’s bring this DDoS discussion into the modern era. It’s still based on reflection and amplification, but the attacks achieve far more amplification through clever abuse of protocols and multi-level attacks. Learning Tree’s System and Network Security Introduction course provides some of the background needed to really understand what’s going on here.
The Domain Name System or DNS provides a powerful means of amplification. Try this command, replacing x.x.x.x with the IP address of one of your internal name servers:
$ dig @x.x.x.x ANY isc.org
Wow! ISC supports IPv6 (those AAAA records) and DNSSEC (RRSIG, DNSKEY, DS, NSEC, NSEC3, and NSEC3PARAM records). That leads to a very large answer to a short question. This is an amplification factor of 60×.
The attacker first finds a number of open resolvers, DNS servers reachable from the Internet and willing to answer questions for any remote client. Current measurements show there are many known open resolvers.
A simple DNS amplification attack would send custom packets with a forged source IP address (of the intended target) to a set of these open resolvers, causing them to send bulky unsolicited responses to the target. The attack has been amplified and reflected, but the attacker will be more ambitious yet.
The attacker’s machine will control a large botnet, thousands of compromised machines distributed around the world. On each of those the attacker will be controlling software sending a rapid stream of forged DNS queries to each of a large number of open DNS resolvers. Each of those streams will cause an amplified stream of DNS responses toward the target.
The total amplification factor is the number of compromised hosts in the botnet (easily in the tens of thousands or more), multiplied by the number of open resolvers (easily in the thousands to tens of thousands, see the current list), multiplied by that 60× factor of extended DNS response size versus minimum query size.
Now we’re looking at multi-gigabits-per-second rates of data flood.
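From the resolver operator's side, the tell-tale sign of being used as a reflector is a burst of ANY queries for the same bulky name, all carrying a source address that never asked for them. Here is an added example, not part of the original post, that scans constructed lines in the style of a BIND 9 query log and flags clients whose ANY-query rate in a sliding window exceeds a threshold; the log lines, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the style of a BIND 9 query log (sample data, not real).
# 198.51.100.7 is the address forged onto a burst of ANY queries, so the bulky
# answers are reflected at that host; 192.0.2.10 is an ordinary client.
SAMPLE_LOG = """\
05-Nov-2013 10:00:00.101 client 198.51.100.7#53: query: isc.org IN ANY +E (203.0.113.1)
05-Nov-2013 10:00:00.104 client 192.0.2.10#40211: query: www.example.com IN A + (203.0.113.1)
05-Nov-2013 10:00:00.110 client 198.51.100.7#53: query: isc.org IN ANY +E (203.0.113.1)
05-Nov-2013 10:00:00.121 client 198.51.100.7#53: query: isc.org IN ANY +E (203.0.113.1)
05-Nov-2013 10:00:00.133 client 198.51.100.7#53: query: isc.org IN ANY +E (203.0.113.1)
05-Nov-2013 10:00:00.140 client 192.0.2.10#40212: query: example.com IN ANY + (203.0.113.1)
05-Nov-2013 10:00:00.147 client 198.51.100.7#53: query: isc.org IN ANY +E (203.0.113.1)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: "
                     r"query: (?P<name>\S+) IN (?P<qtype>\S+) ")

def parse(line):
    """Return (timestamp, client_ip, qname, qtype) or None for unmatched lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return ts, m["ip"], m["name"], m["qtype"]

def flag_reflection_sources(log_text, window_s=1.0, threshold=5):
    """Map client_ip -> (peak ANY queries in any window_s-second window,
    number of distinct names asked) for clients at or above threshold."""
    stamps, names = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[3] != "ANY":
            continue
        ts, ip, name, _ = rec
        stamps[ip].append(ts)
        names[ip].add(name)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):   # sliding window over sorted times
            while (t - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = (peak, len(names[ip]))
    return flagged
```

A flagged address is most likely a victim rather than an attacker, so the appropriate response is rate-limiting or refusing recursion for outside clients, not blocking that address.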
CloudFlare wrote an early and introductory article on DDoS based on DNS amplification. They later wrote one with more detail, clearly showing the large-scale amplification. In that second one, already a year and a half old, they report on a flood of 20 Gbps coming from a set of 68,459 open resolvers.
They followed that up a year ago with an article on an attack flooding 85 to 300 Gbps toward one of their clients and how they worked to mitigate the attack.
Come back next week and I’ll tell you how things have gotten worse in the past year.