DNS Reflection and Amplification Attacks

A DNS Reflection Attack, also known as a DNS Amplification Attack, is a form of Distributed Denial of Service (DDoS) attack. The attacker sends small DNS queries to open DNS servers with the victim's address forged as the source, and the servers' much larger answers land on the victim, amplifying the attack traffic by up to roughly 100 times. This form of DDoS attack can turn about 100 MB of DNS request traffic into about 10 GB of response traffic aimed at an online resource. Ultimately this can lead to a service outage for legitimate users of the targeted system or web property.

How can a spoofed IP address work? Doesn't TCP require a 3-way handshake?

TCP does require a 3-way handshake, and that is what stops most spoofed TCP attacks: the server's SYN-ACK goes to the spoofed address, whose TCP/IP stack simply answers an unexpected handshake packet with an RST (reset), so the connection never completes and the server never sends any data of consequence. DNS, however, does not normally use TCP, because the overhead of a handshake for every lookup would be too costly. DNS values speed and efficiency above all else and turns to UDP (User Datagram Protocol) instead. UDP has no handshake, so a DNS server answers whatever source address appears in the query, and that is why spoofing works in DNS amplification attacks.

So, no 3-way handshake. Ok. But how does a DNS reflection attack work?

In a reflection attack, many DNS requests are sent to open DNS servers on the Internet with the source IP address forged to be that of the targeted machine. The receiving DNS servers dutifully send their responses to that spoofed return address. The attacker floods the DNS servers with these spoofed requests until the targeted machine is buried under so many UDP packets that it can no longer respond to legitimate traffic. But not always: UDP handling is efficient, and if each response is about the size of the request that caused it, the attacker must send roughly as much traffic as the victim receives, so it takes a very large number of spoofed requests. But what if the attack could be AMPLIFIED in some way?
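The tell-tale sign of the reflection described above is that the victim receives DNS responses it never asked for. The following added example (written for this page, not from the original article or any vendor's product) runs that check over a few constructed UDP flow records: it pairs each inbound response from port 53 with an earlier outbound query from the same host and port, and reports hosts that collect unsolicited responses. The addresses, ports and byte counts are made up for illustration.

```python
"""Flag DNS reflection traffic in constructed UDP flow records.

A reflection victim receives DNS responses (UDP source port 53) that it never
requested, because the queries were sent by the attacker with the victim's
address forged as the source. The detector pairs every inbound response with
an earlier outbound query from the same host to the same server and reports
hosts that receive responses with no matching query.
"""
from collections import defaultdict

# Constructed flow records for illustration: "ts src sport dst dport bytes".
# 10.0.0.5 is a normal client making two lookups; 10.0.0.9 is the spoofed
# victim, receiving large answers from reflectors it never queried.
FLOWS = """\
1.000 10.0.0.5 40001 198.51.100.10 53 60
1.020 198.51.100.10 53 10.0.0.5 40001 120
1.100 10.0.0.5 40002 198.51.100.11 53 62
1.130 198.51.100.11 53 10.0.0.5 40002 98
2.000 198.51.100.20 53 10.0.0.9 41000 3200
2.001 198.51.100.21 53 10.0.0.9 41000 3150
2.002 198.51.100.22 53 10.0.0.9 41000 3300
2.003 198.51.100.20 53 10.0.0.9 41000 3200
"""


def parse_flows(text):
    """Yield (ts, src, sport, dst, dport, nbytes) tuples from flow text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        yield float(ts), src, int(sport), dst, int(dport), int(nbytes)


def unsolicited_dns_responses(text):
    """Return {host: (response_count, response_bytes)} for DNS responses
    that arrived with no matching outbound query.

    A query is matched by (client, server, client port). Each matched
    response consumes one pending query, so a single real lookup cannot
    excuse a flood of replies from the same server.
    """
    pending = defaultdict(int)
    unsolicited = defaultdict(lambda: [0, 0])
    for _ts, src, sport, dst, dport, nbytes in sorted(parse_flows(text)):
        if dport == 53:
            # Outbound query: remember it so its answer can be matched.
            pending[(src, dst, sport)] += 1
        elif sport == 53:
            # Inbound response: look for the query that should have caused it.
            key = (dst, src, dport)
            if pending[key] > 0:
                pending[key] -= 1
            else:
                unsolicited[dst][0] += 1
                unsolicited[dst][1] += nbytes
    return {host: tuple(v) for host, v in unsolicited.items()}


def suspected_victims(text, min_responses=3):
    """Hosts receiving at least min_responses unsolicited DNS responses."""
    return {h: v for h, v in unsolicited_dns_responses(text).items()
            if v[0] >= min_responses}


if __name__ == "__main__":
    for host, (count, nbytes) in suspected_victims(FLOWS).items():
        print(f"{host}: {count} unsolicited DNS responses, {nbytes} bytes")
```

On the constructed records the normal client produces no alerts, while 10.0.0.9 is reported with four unsolicited responses totalling 12,850 bytes. In practice the same logic needs flow records that capture both directions of traffic; asymmetric routing or a collector that only sees inbound packets will make every response look unsolicited.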

That’s a DNS Reflection Attack… where’s the Amplification?

This is where attackers get devious. Instead of a query that draws a single small answer from the DNS server, they choose one whose response is as large as possible: a request for every record type (ANY) at a domain with a large record set, or for DNSSEC-signed records that carry big signatures, while using the EDNS0 extension to tell the server they will accept UDP responses of several thousand bytes rather than the traditional 512-byte limit. A request of a few dozen bytes can then force the DNS server to return up to roughly 100 times as much data in its response packets, all of it addressed to the victim.
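To make the amplification concrete, the following added example (written for this page, not code from the original article or from any DNS software) builds a real wire-format DNS query for type ANY with an EDNS0 OPT record advertising a 4,096-byte UDP buffer, then builds a constructed response for the same question carrying several long TXT records, and compares the two sizes. The domain name, record contents and transaction ID are made up; only the message layout follows the DNS specification.

```python
"""Measure the amplification factor of a DNS query against its response.

Builds a DNS query with an EDNS0 OPT record (large UDP buffer) and a
constructed response with a big record set, then compares their sizes.
Names and record contents are made up for illustration.
"""
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY = 16, 41, 255
FLAGS_QUERY_RD = 0x0100       # standard query, recursion desired
FLAGS_RESPONSE_AA = 0x8180    # response, recursion desired/available


def encode_name(name):
    """Encode 'example.com' as DNS labels: \\x07example\\x03com\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, udp_payload=4096, txid=0x1234):
    """A one-question DNS query followed by an EDNS0 OPT record.

    The OPT record's CLASS field advertises the largest UDP response the
    sender will accept. Without it the server caps UDP answers at 512 bytes
    and sets the truncation bit, pushing the client to retry over TCP, which
    a spoofing attacker cannot complete.
    """
    header = struct.pack("!HHHHHH", txid, FLAGS_QUERY_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def edns_udp_payload(query):
    """Read the advertised UDP payload size back out of the trailing OPT record."""
    return struct.unpack("!H", query[-8:-6])[0]


def txt_rr(name, text, ttl=300):
    """A TXT resource record; RDATA is a sequence of <=255-byte strings."""
    data = text.encode("ascii")
    rdata = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                     for i in range(0, len(data), 255))
    return encode_name(name) + struct.pack("!HHIH", QTYPE_TXT, 1, ttl, len(rdata)) + rdata


def build_response(name, qtype, answers, txid=0x1234):
    """Response echoing the question, with answer RRs (no name compression)."""
    header = struct.pack("!HHHHHH", txid, FLAGS_RESPONSE_AA, 1, len(answers), 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + b"".join(answers)


def amplification_factor(query, response):
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(response) / len(query)


def demo():
    """Return (query_bytes, response_bytes, amplification_factor) for a
    constructed domain with a fat TXT record set."""
    name = "example.com"
    query = build_query(name, QTYPE_ANY)
    # Constructed record set: one long SPF record plus several verification
    # tokens, the kind of accumulated TXT data that makes a zone a good amplifier.
    answers = [txt_rr(name, "v=spf1 " + "ip4:203.0.113.0/24 " * 40 + "-all")]
    answers += [txt_rr(name, f"verification-token-{i}=" + "A" * 400) for i in range(6)]
    response = build_response(name, QTYPE_ANY, answers)
    return len(query), len(response), amplification_factor(query, response)


if __name__ == "__main__":
    q, r, factor = demo()
    print(f"query {q} bytes -> response {r} bytes, amplification x{factor:.1f}")
```

With these made-up records a 40-byte query draws a 3,503-byte answer, an amplification of about 87x; the factor is governed entirely by how much data the zone returns and how large a UDP buffer the query advertises, which is why ANY queries against record-heavy or DNSSEC-signed zones, sent with EDNS0, are the attacker's choice.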

What’s the overall impact?

In a DNS amplification and reflection attack, attackers controlling even a small number of bot network systems can multiply their attack traffic roughly 100 fold, creating a crushing flood of data that knocks the targeted machine offline.

What should an SMB owner do to protect against DNS Amplification Attacks?

Wait. This may be a hard pill to swallow. In 25 years of cybersecurity, CyberHoot has not witnessed many of these DDoS attacks against SMBs. It is not listed in the Top 20 attacks that Verizon outlines in their DBIR. Just because it is possible doesn't make it probable. If you are under a DDoS attack like this, then you will need to immediately engage a DDoS protection vendor from the list below and implement one of their on-demand solutions. It will be more costly to set up in an emergency, but if you're never attacked, you won't ever have to pay.

Distributed Denial of Service Protection Vendors

Imperva
NetScout
Akamai
CloudFlare
Radware

Related Terms: Bot Networks, Bot Herders, and Bot Masters; Distributed Denial of Service (DDoS)

To learn more about DNS Reflection and Amplification Attacks, watch this short video from Radware.
