DNS Attacks - Amplification


TLDR: DNS Amplification Attacks exploit open DNS resolvers to flood a target with large DNS responses, overwhelming the target system. This example demonstrates how an attacker can use small queries to generate amplified traffic, resulting in a Distributed Denial of Service (DDoS) attack that disrupts the victim's network services.


In Layman's terms
Protagonists
Bob: A visitor to a small shop.
Alice: The shop owner.
Jack: A prankster.

Jack looks for large groups of people who will respond to any sales announcement. He crafts a message about a huge sale at Alice's shop, designed to attract a large number of people. Jack then sends this fake sale announcement to multiple groups, directing them to Alice's shop. These groups flood into Alice's shop at the same time, overwhelming her ability to serve anyone. As a result, Alice's shop becomes so crowded that real customers like Bob can't enter or make a purchase.


Scenario: Overwhelming a Target System with Amplified DNS Traffic

Step 1: Identifying Open DNS Resolvers

Setup:

The attacker scans the internet for open DNS resolvers that respond to queries from any IP address. Tools like masscan or zmap can be used to identify such servers. Purpose: To find DNS servers that can be exploited to amplify traffic.

Step 2: Crafting the Amplification Queries

Creation:

The attacker crafts small DNS queries that result in large responses. Typically, these queries are for DNS records that return large amounts of data, such as ANY or TXT records. The queries are sent with the victim's IP address spoofed as the source address, so the resolvers treat the victim as the requester and address their responses to it rather than to the attacker.

Example Query:

A small query requesting ANY records for a domain known to have a large DNS response. Purpose: To generate a much larger response than the size of the original query.

Step 3: Sending the Queries

Execution:

The attacker sends a large number of these small queries to multiple open DNS resolvers, using the victim's IP address as the source IP. Each DNS server responds to the query with a large response, directing the traffic to the victim's IP address. Purpose: To flood the victim with a high volume of amplified DNS traffic.

Step 4: Amplification and Flooding

Amplification:

The DNS servers respond to the victim's IP address with amplified DNS responses. The amplification factor can be significant, often 30 to 70 times the size of the original query.

Example: A 60-byte query might generate a 4,000-byte response.

Flooding:

The victim's network is overwhelmed by the high volume of traffic, resulting in network congestion, degraded service, or complete denial of service. Purpose: To disrupt the target's services and cause a denial of service.

Step 5: Impact on the Victim

Overload:

The victim's network infrastructure struggles to handle the influx of DNS response traffic, leading to potential crashes or severe service degradation.

Service Disruption:

Legitimate users cannot access the victim's services due to the overwhelming traffic, leading to loss of service availability and potential financial or reputational damage.

Mitigation Challenges:

  • The attack traffic appears to come from legitimate DNS servers, making it difficult to filter without affecting legitimate DNS traffic.
  • The sheer volume of traffic can saturate network links and overwhelm defenses.
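One consequence of the spoofing described above works in the defender's favour: the victim never sent the queries, so every reflected answer arrives with no matching outbound question. The following added example (not part of the original article) applies that check to constructed border flow records; the record layout and the addresses are assumptions.

```python
"""Added example (not the article's code): spot a reflection flood at the victim's edge.

Because the attacker spoofs the victim's address, the victim never sent the queries,
so every reflected answer arrives with no matching outbound question. Record layout
(src, sport, dst, dport, dns_id, is_response, size) is an assumption; data is constructed.
"""
from collections import defaultdict

PROTECTED = {"203.0.113.5"}  # constructed: the address we defend

# Constructed flow records as captured at the border (sizes in bytes).
RECORDS = [
    ("203.0.113.5", 40001, "198.51.100.1", 53, 0x1A2B, False, 60),   # our own lookup
    ("198.51.100.1", 53, "203.0.113.5", 40001, 0x1A2B, True, 120),   # its legitimate answer
    ("198.51.100.2", 53, "203.0.113.5", 53, 0x0001, True, 4000),     # never asked for
    ("198.51.100.2", 53, "203.0.113.5", 53, 0x0002, True, 4000),
    ("198.51.100.3", 53, "203.0.113.5", 53, 0x0003, True, 3900),
]


def unsolicited_by_reflector(records, protected):
    """Group DNS responses to protected hosts that match no prior query, per resolver."""
    pending = set()                       # (client, client_port, resolver, dns_id)
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for src, sport, dst, dport, dns_id, is_response, size in records:
        if not is_response and src in protected and dport == 53:
            pending.add((src, sport, dst, dns_id))
        elif is_response and dst in protected and sport == 53:
            key = (dst, dport, src, dns_id)
            if key in pending:
                pending.discard(key)      # expected answer; one query, one reply
            else:
                stats[src]["count"] += 1  # reflected: no question left our network
                stats[src]["bytes"] += size
    return dict(stats)


def amplification_factor(query_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_bytes / query_bytes


def reflection_flood_suspected(stats, byte_threshold):
    """Alert when unsolicited answers in the window exceed a byte budget."""
    return sum(s["bytes"] for s in stats.values()) >= byte_threshold


if __name__ == "__main__":
    found = unsolicited_by_reflector(RECORDS, PROTECTED)
    for resolver, s in found.items():
        print(f"{resolver}: {s['count']} unsolicited responses, {s['bytes']} bytes")
    print(f"60-byte ANY query -> 4000-byte reply = {amplification_factor(60, 4000):.1f}x")
    print("flood suspected:", reflection_flood_suspected(found, byte_threshold=10_000))
```

In production the pending set needs a timeout and the byte threshold is tuned to a measurement window; the point is the missing-question check, which a plain rate limit on port 53 traffic does not give because legitimate resolver answers look the same on the wire.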