What is a DNS amplification attack? – GreenCloud
Distributed Denial of Service (DDoS) attacks continue to evolve and expand in scale and sophistication. Many recent studies show that DDoS attacks are becoming more frequent, sophisticated and powerful. In fact, the largest DDoS attacks on record have exceeded 1.4 Tbps and continue to grow due to the proliferation of IoT devices. A DNS amplification attack is one of the most dangerous types of DDoS threats. These attacks exploit weaknesses in network protocols to generate large amounts of traffic directed at a targeted website or service, overwhelming its servers and making the site inaccessible to legitimate users.
What is a DNS amplification attack?
A Domain Name System (DNS) amplification attack is just one of many types of distributed denial of service (DDoS) attacks. As with all DDoS attacks, the attackers' goal is to prevent users from accessing a networked system, service, website, application, or other resource by slowing its responses or disabling it altogether. Most DDoS attacks are volumetric: they bombard the victim's network with more traffic than it can handle. Think of it as bumper-to-bumper traffic on a six-lane highway near a stadium when a concert or sporting event ends. Thousands of cars jamming the highway at once disrupt the normal flow of traffic.
A DNS amplification attack uses a different method to accomplish the same end goal of denial of service. Instead of thousands of cars simultaneously flooding the highway, imagine six oversized trucks driving side by side on the same six-lane highway. The flow of traffic is completely disrupted – not by a sudden onslaught of thousands of cars, but by a few vehicles too large for normal traffic to pass. So, while most DDoS attacks work by overwhelming a system with a large number of medium-sized packets, a DNS amplification attack uses far larger packets to achieve the same result. But no analogy is perfect, and there are a few more wrinkles to the DNS amplification story, so let's take a closer look at the details of this attack.
How does this work?
In a DNS amplification attack, the attacker sends DNS queries to open DNS resolvers with the source IP address spoofed to the intended victim's address. Each query is legitimate and small in itself, but because its source address has been forged, the resolver sends its response to the victim rather than back to the attacker. The queries are structured so that the resolvers return the largest possible responses, so the victim's IP address receives far more data than the attacker ever sent. Many such queries sent to a large number of open DNS resolvers multiply the response traffic aimed at the target, and sending them from a distributed botnet amplifies it many times over.
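The traffic pattern described above has a recognisable signature on the victim's side: large UDP responses from source port 53, arriving from many distinct resolvers the victim never queried. The following added example (not code from the original article) runs that check over a handful of constructed NetFlow-style records; the addresses, ports and byte counts are made up for illustration.

```python
from collections import defaultdict

# Constructed flow records, not from any real capture:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
FLOWS = [
    # Legitimate lookup: client 203.0.113.10 asks resolver 198.51.100.1
    # and gets a small answer back.
    ("203.0.113.10", 51000, "198.51.100.1", 53, "udp", 70),
    ("198.51.100.1", 53, "203.0.113.10", 51000, "udp", 120),
    # Reflected traffic: several open resolvers send large responses to
    # 203.0.113.77, which never sent any of them a query.
    ("192.0.2.11", 53, "203.0.113.77", 443, "udp", 3200),
    ("192.0.2.12", 53, "203.0.113.77", 443, "udp", 3100),
    ("192.0.2.13", 53, "203.0.113.77", 443, "udp", 3300),
    ("192.0.2.14", 53, "203.0.113.77", 443, "udp", 3000),
]


def detect_dns_reflection(flows, min_resolvers=3, min_avg_bytes=1000):
    """Return {victim_ip: summary} for hosts that receive large UDP/53-sourced
    responses from many distinct resolvers without having queried them."""
    queried = set()              # (client, resolver) pairs seen sending a query
    inbound = defaultdict(list)  # destination -> [(resolver, bytes)]
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 53:          # outbound query: remember who asked whom
            queried.add((src, dst))
        elif sport == 53:        # inbound response from a resolver
            inbound[dst].append((src, nbytes))

    findings = {}
    for victim, responses in inbound.items():
        # Keep only responses for which no matching query was observed.
        unsolicited = [(r, b) for r, b in responses if (victim, r) not in queried]
        if not unsolicited:
            continue
        resolvers = {r for r, _ in unsolicited}
        total = sum(b for _, b in unsolicited)
        avg = total / len(unsolicited)
        if len(resolvers) >= min_resolvers and avg >= min_avg_bytes:
            findings[victim] = {"resolvers": len(resolvers),
                                "avg_bytes": int(avg), "total_bytes": total}
    return findings


if __name__ == "__main__":
    print(detect_dns_reflection(FLOWS))
```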
Effect of a DNS amplification attack
DNS amplification attacks are an example of a volumetric DDoS attack. The goal of these attacks is to flood the target with enough junk traffic to consume all of the network bandwidth or any other scarce resource (computing power, etc.).
By using DNS for amplification, an attacker can overwhelm the target while expending only a fraction of the resources the attack consumes on the victim's side. Often, DDoS attacks are designed to knock a target service offline. If the attacker uses up all available resources, none will be left for legitimate users, rendering the service unusable.
However, even small-scale attacks can adversely affect their targets…
Even if the service is not completely taken offline, poor performance may adversely affect its customers. In addition, all the resources consumed by the attack cost the target money and bring no profit to the business.
How to mitigate a DNS amplification attack?
Mitigation options for the individual or company operating the website or service are limited. This is because while an individual's server may be the target, it is not where the main impact of a volumetric attack is felt. Due to the high amount of traffic generated, the infrastructure surrounding the server feels the impact. An Internet Service Provider (ISP) or other upstream infrastructure provider may not be able to handle the incoming traffic without becoming overwhelmed. As a result, the ISP may blackhole all traffic to the target victim's IP address, protecting itself but taking the target's site offline. Apart from off-site protection services, mitigation strategies are mainly preventive measures applied to the Internet infrastructure itself.
Reduce the total number of open DNS resolvers
An important component of DNS amplification attacks is access to open DNS resolvers. With poorly configured DNS resolvers exposed to the Internet, all an attacker has to do to exploit a DNS resolver is discover it. Ideally, DNS resolvers should provide their services only to devices within a trusted domain. In the case of reflection-based attacks, open DNS resolvers will respond to queries from anywhere on the Internet, allowing for potential exploitation. Restricting the DNS resolver to only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.
Source IP inspection – stop spoofed packets from leaving the network
Because the UDP requests sent by an attacker's botnet must carry a source IP address spoofed to the victim's IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed source addresses. If a packet is sent from within the network with a source address that makes it look like it originated outside the network, it is likely a spoofed packet and can be dropped. Cloudflare recommends that all ISPs implement ingress filtering and will sometimes contact ISPs who are unwittingly involved in DDoS attacks to help them realize their vulnerability.
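Both of the previous two mitigations (restricting which clients a resolver recurses for, and dropping packets that leave a network with a source address the network does not own) reduce to the same prefix-membership test. The added example below, which is not code from the article or from any vendor, expresses both policies in Python over a constructed address plan; the prefixes and packet addresses are hypothetical.

```python
import ipaddress

# Constructed address plan for a hypothetical network operator (not from the page).
INTERNAL_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("203.0.113.0/24", "2001:db8:1::/48")]
# Clients the resolver is willing to recurse for: only its own users.
RESOLVER_ALLOW = INTERNAL_PREFIXES


def in_prefixes(ip, prefixes):
    """True if ip falls inside any of the given networks (v4 and v6 aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def egress_verdict(src_ip, internal=INTERNAL_PREFIXES):
    """Egress anti-spoofing filter (the BCP38-style check the article describes):
    a packet leaving the network must carry one of the network's own source
    addresses; anything else is spoofed and is dropped."""
    return "forward" if in_prefixes(src_ip, internal) else "drop-spoofed"


def recursion_verdict(client_ip, allowed=RESOLVER_ALLOW):
    """Resolver access control: answer recursive queries only for trusted
    clients, so arbitrary Internet hosts cannot use the resolver as a reflector."""
    return "answer" if in_prefixes(client_ip, allowed) else "refuse"


def filter_egress(packets, internal=INTERNAL_PREFIXES):
    """Apply the egress filter to (src_ip, dst_ip) pairs; return the dropped ones."""
    return [(s, d) for s, d in packets if egress_verdict(s, internal) != "forward"]


# Constructed outbound packets: one carries a forged source (a host outside
# our prefixes) and must be dropped before it can reach a resolver.
OUTBOUND = [
    ("203.0.113.5", "198.51.100.1"),    # genuine internal client
    ("2001:db8:1::7", "198.51.100.1"),  # genuine internal IPv6 client
    ("192.0.2.77", "198.51.100.1"),     # spoofed: 192.0.2.77 is not ours
]

if __name__ == "__main__":
    print(filter_egress(OUTBOUND))
    print(recursion_verdict("192.0.2.55"), recursion_verdict("203.0.113.5"))
```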
Conclusion
DNS amplification attacks pose a significant threat to network security, causing service interruptions and potential financial losses for targeted organizations. By understanding the techniques used by attackers and implementing effective mitigation strategies, organizations can strengthen their defenses against DNS amplification attacks. Proper server hardening, traffic filtering, and DNS traffic monitoring are essential components of a comprehensive defense strategy to mitigate the impact of these malicious attacks.