DNS-based DDoS attacks: what’s in a name
Renuka Nadkarni, director, Product Management, Security at Infoblox discusses DNS-based attacks and how ISPs and enterprises can protect their IT infrastructure.
Recent press has shown a marked increase in DDoS attacks on ISPs around the world. It seems DDoS attackers have switched their attention from banks to gaming hosts, ISPs and even enterprises. At Infoblox our customers have been telling us the same thing, as DDoS attacks have intensified among our ISP customers. Initially everything was lumped together under the DDoS heading. Then they became known as “NXDomain” attacks, but as we sifted through the PCAP files of the actual attacks across different customers in different regions, a number of unique patterns emerged.
ISPs are especially sensitive about DDoS attacks. Not only are these attacks extremely disruptive to the business and costly in the time and effort needed to understand and mitigate them, they can also damage the ISP’s brand reputation if they continue and degrade the user experience.
Let’s take a look at six new attack types and how each one works:
Basic NXDomain attack
The attacker sends a flood of queries to a DNS server to resolve a non-existent domain (NXDomain). The recursive server tries to locate this non-existent domain by carrying out multiple domain name queries but does not find it. In the process, its cache is filled up with NXDomain results.
When the DNS caching server’s cache is full, users experience slower DNS server response time for legitimate DNS requests. The DNS server also spends valuable resources as it keeps trying to repeat the recursive query to get a resolution result.
Random Sub-domain attacks
The attacker tries to exhaust the number of outstanding concurrent DNS queries by flooding the DNS server with requests for multiple non-existent domains, which he or she creates by prefixing randomly generated strings to a real domain. For example: xy4433.yahoo.com or aj323bc.yahoo.com.
The responses never come back from these non-existent domains, and the DNS server, as before, spends compute resources waiting for them. The attacker thinks he is attacking the domain usda.gov, but he is in fact impacting the infrastructure of his own ISP.
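As an added illustration (not part of the original article, and not Infoblox code), here is a small Python detector that applies the two signals just described to constructed resolver log lines: the share of a client’s queries answered NXDOMAIN (the basic NXDomain flood) and the number of distinct random-looking subdomains of one parent domain that come back NXDOMAIN (the random sub-domain attack). The log format, the thresholds and the two-label parent-domain rule are assumptions made for the example; a production version would use the resolver’s real log format and the public suffix list.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines (not real traffic). Assumed format:
# "<client_ip> <queried_name> <response_code>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 news.bbc.co.uk NOERROR
10.0.0.7 xy4433.yahoo.com NXDOMAIN
10.0.0.7 aj323bc.yahoo.com NXDOMAIN
10.0.0.7 q9z1kd0.yahoo.com NXDOMAIN
10.0.0.7 t7m2xv8p.yahoo.com NXDOMAIN
10.0.0.7 b3n8wq.yahoo.com NXDOMAIN
10.0.0.7 k0ls92ja.yahoo.com NXDOMAIN
10.0.0.7 www.yahoo.com NOERROR
10.0.0.9 doesnotexist.example.net NXDOMAIN
"""


def parse_log(text):
    """Parse the assumed three-field log format into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, qname, rcode = parts
        records.append((client, qname.lower().rstrip("."), rcode.upper()))
    return records


def label_entropy(label):
    """Shannon entropy in bits per character of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label):
    """Heuristic for machine-generated labels: letters mixed with digits, or
    high per-character entropy. Dictionary-word labels such as 'mail' or
    'doesnotexist' fall below both tests."""
    has_digit = any(ch.isdigit() for ch in label)
    has_alpha = any(ch.isalpha() for ch in label)
    return (has_digit and has_alpha) or label_entropy(label) >= 3.0


def parent_domain(qname):
    """Assumption for the example: the parent is the last two labels. Real
    deployments should use the public suffix list (news.bbc.co.uk -> bbc.co.uk)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def detect(records, min_queries=5, nx_ratio=0.8, min_random_nx=5):
    """Return (clients, parents): clients whose NXDOMAIN share is suspicious
    (basic NXDomain flood) and parent domains with many distinct random-looking
    non-existent subdomains (random sub-domain attack)."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0})
    random_nx_by_parent = defaultdict(set)
    for client, qname, rcode in records:
        stats = per_client[client]
        stats["total"] += 1
        if rcode == "NXDOMAIN":
            stats["nx"] += 1
            if looks_random(qname.split(".")[0]):
                random_nx_by_parent[parent_domain(qname)].add(qname)
    clients = sorted(
        ip for ip, s in per_client.items()
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_ratio
    )
    parents = sorted(
        d for d, names in random_nx_by_parent.items() if len(names) >= min_random_nx
    )
    return clients, parents


if __name__ == "__main__":
    print(detect(parse_log(SAMPLE_LOG)))  # (['10.0.0.7'], ['yahoo.com'])
```

On the constructed sample the detector flags client 10.0.0.7 (six of seven queries NXDOMAIN) and the parent domain yahoo.com (six distinct random-looking non-existent subdomains), while the single misspelt name under example.net stays below both thresholds. The thresholds are deliberately conservative; tune them against the resolver’s normal NXDOMAIN baseline before alerting on them.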
Phantom domain attacks
In these attacks, the DNS resolver is forced to resolve multiple “phantom” domains that have been set up as part of the attack. These domains do not send responses, causing the server to consume resources while waiting for them, eventually leading to degraded performance or failure.
Lock-up domain attacks
Attackers set up resolvers and domains that establish TCP-based connections with DNS resolvers requesting a response. These domains don’t send the correct response the DNS resolver expects, but instead keep it engaged with random packets. Advanced attacks also use adaptive techniques to keep the DNS resolver “coming back” to check for responses. These domains might send a SERVFAIL at the end.
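The usual resolver-side defence against phantom and lock-up domains is to cap the number of unanswered fetches allowed towards any one authoritative server and to stop sending new fetches to a server that keeps timing out, so that a non-responding domain cannot hold resolver slots indefinitely. The Python model below is an added example, not Infoblox’s or any other vendor’s implementation: the policy, the limits, the hold-down period and the server names in the scenario are all constructed for illustration.

```python
from collections import defaultdict


class FetchLimiter:
    """Resolver-side model of per-server fetch limits with a hold-down period.

    Added example with an assumed, simplified policy (not a vendor implementation):
    - at most `max_in_flight` unanswered fetches towards any one authoritative
      server at a time;
    - after `max_timeouts` consecutive timeouts the server is held down for
      `holddown_s` seconds and new fetches to it are refused immediately (the
      client gets a quick SERVFAIL instead of a slot being tied up waiting on a
      phantom domain);
    - one answered fetch clears the timeout count and the hold-down.
    Time is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, max_in_flight=3, max_timeouts=2, holddown_s=60.0):
        self.max_in_flight = max_in_flight
        self.max_timeouts = max_timeouts
        self.holddown_s = holddown_s
        self.in_flight = defaultdict(int)
        self.consecutive_timeouts = defaultdict(int)
        self.held_until = {}

    def is_held(self, server, now):
        """True while `server` is inside its hold-down window."""
        return self.held_until.get(server, 0.0) > now

    def try_start(self, server, now):
        """Reserve a fetch slot towards `server`; False means refuse (SERVFAIL)."""
        if self.is_held(server, now) or self.in_flight[server] >= self.max_in_flight:
            return False
        self.in_flight[server] += 1
        return True

    def finish(self, server, answered, now):
        """Release the slot; `answered=False` records a timeout."""
        self.in_flight[server] = max(0, self.in_flight[server] - 1)
        if answered:
            self.consecutive_timeouts[server] = 0
            self.held_until.pop(server, None)
            return
        self.consecutive_timeouts[server] += 1
        if self.consecutive_timeouts[server] >= self.max_timeouts:
            self.held_until[server] = now + self.holddown_s


def simulate_phantom_scenario():
    """Deterministic scenario with a constructed phantom server that never
    answers and a healthy server that always does. Returns counters."""
    lim = FetchLimiter(max_in_flight=3, max_timeouts=2, holddown_s=60.0)
    phantom, good = "ns1.phantom.invalid", "ns1.good.invalid"  # constructed names
    out = {"phantom_started": 0, "phantom_refused": 0, "good_answered": 0}

    # t=0: burst of 5 queries that all need the phantom server; only 3 slots exist
    for _ in range(5):
        if lim.try_start(phantom, now=0.0):
            out["phantom_started"] += 1
        else:
            out["phantom_refused"] += 1

    # t=2: the 3 in-flight fetches time out, which trips the hold-down
    for _ in range(3):
        lim.finish(phantom, answered=False, now=2.0)

    # t=10: further phantom queries are refused without occupying any slot ...
    for _ in range(5):
        if lim.try_start(phantom, now=10.0):
            out["phantom_started"] += 1
            lim.finish(phantom, answered=False, now=12.0)
        else:
            out["phantom_refused"] += 1

    # ... while fetches to the healthy server are unaffected
    for _ in range(3):
        if lim.try_start(good, now=10.0):
            lim.finish(good, answered=True, now=10.1)
            out["good_answered"] += 1

    # t=70: the hold-down has expired, so one probe fetch is allowed again
    if lim.try_start(phantom, now=70.0):
        out["phantom_started"] += 1
        lim.finish(phantom, answered=True, now=70.2)
    return out


if __name__ == "__main__":
    print(simulate_phantom_scenario())
```

In the scenario only three of the initial five phantom fetches are ever sent, every later phantom query is refused for the length of the hold-down, the healthy server is never affected, and a single probe goes out once the hold-down expires so a server that was merely slow can recover. Real resolvers implement this idea with per-server and per-zone fetch limits; the point of the model is that the budget is enforced per upstream server, not per client, which is what stops one phantom domain from starving everyone else.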
CPE-driven DDoS attacks
A significant proportion of the open DNS recursors utilised for DNS reflection or amplification attacks are customer premise equipment (CPE) devices. Some devices ship with a local, caching-only DNS server or DNS proxy open to the world. Users also enable port-forwarding to open DNS recursors on their home networks.
DDoS attacks using Malware
Akamai’s Prolexic Security Engineering and Research Team is tracking the spread of “Spike”, a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems.
The malware-infected CPE devices effectively form a new botnet, enabling the botnet controller to generate DDoS traffic on demand against selected targets.
While no single mitigation approach is bulletproof and the vendor community is working hard to help customers as much as possible, it is clear that the latest spate of DDoS attacks is targeting DNS as a key vulnerability. We are working with our ISP customers and their enterprise customers to help them protect their DNS infrastructure.