DDoS DNS Amplification Attack
Number: AV09-011
Date: 12 February 2009
Purpose
The purpose of this advisory is to raise awareness and provide mitigation strategies for a recent variant of a distributed denial of service domain name system (DDoS DNS) amplification attack.
Assessment
CCIRC is aware of a new variant of a DNS amplification attack. In an amplification attack, small request packets are sent to a service that answers each one with a much larger packet, and the answers are directed at a chosen target. To direct the amplified traffic to the intended target, the attacker must spoof the source address in the request, so that all of the responses are sent back to the victim. This works well with services using the user datagram protocol (UDP), which does not validate the source address with a handshake. This specific variant sends a legitimate DNS server a query asking for the list of DNS servers. The response is large because it contains the list of all 13 root name servers. This type of attack is not limited to recursive DNS servers, since it is normal behaviour for non-recursive DNS servers to send the list of root servers upon request or when an unknown domain is queried.
Please note that the queried DNS servers themselves are not under attack, but instead part of the DDoS directed towards the spoofed address.
Characteristics of this type of amplification attack are:
1. DNS over UDP, not transmission control protocol (TCP).
2. A name server (NS) query for "." (a single dot). A variant could use a very short domain name such as "a".
3. A spoofed internet protocol (IP) address (that of the intended target).
4. Small packets sent to the DNS server.
5. Large numbers of response packets from your DNS server, all of the same size.
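The five characteristics above can be turned into a simple detection check. The following Python example is added here and is not part of the CCIRC advisory; the log lines and byte counts are constructed samples in the style of a BIND 9 query log and a per-exchange size summary, and the client addresses in them are hypothetical. It flags claimed source addresses that repeatedly ask an NS query for "." (or a very short name) and client addresses that receive many more bytes than they send.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a BIND 9 query log (not real traffic).
# A hypothetical source 198.51.100.7 repeatedly asks for the NS records of "."
# (and once for the very short name "a"); the other clients send ordinary queries.
SAMPLE_QUERY_LOG = """\
12-Feb-2009 10:00:01.001 client 198.51.100.7#4321: query: . IN NS -
12-Feb-2009 10:00:01.002 client 198.51.100.7#4321: query: . IN NS -
12-Feb-2009 10:00:01.003 client 198.51.100.7#4321: query: . IN NS -
12-Feb-2009 10:00:01.010 client 192.0.2.25#53211: query: www.example.ca IN A +
12-Feb-2009 10:00:01.020 client 198.51.100.7#4321: query: a IN NS -
12-Feb-2009 10:00:01.030 client 203.0.113.9#5000: query: example.ca IN MX +
12-Feb-2009 10:00:01.040 client 198.51.100.7#4321: query: . IN NS -
"""

# Constructed per-exchange UDP payload sizes as a capture tool might summarise
# them: (client IP, request bytes, response bytes).
SAMPLE_EXCHANGES = [
    ("198.51.100.7", 40, 480),
    ("198.51.100.7", 40, 480),
    ("198.51.100.7", 40, 480),
    ("192.0.2.25", 60, 120),
    ("203.0.113.9", 55, 110),
]

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (ip, port, name, qtype) for each line that looks like a query-log entry."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), int(m.group("port")), m.group("name"), m.group("qtype")


def is_root_ns_probe(name, qtype, max_short_len=2):
    """True for an NS query for "." or for a very short name such as "a" (characteristic 2)."""
    if qtype != "NS":
        return False
    return name == "." or len(name.rstrip(".")) <= max_short_len


def find_suspect_sources(text, threshold=3):
    """Count root-NS style queries per claimed source IP; return those at or above threshold.

    Because the source address is spoofed (characteristic 3), the IP reported here
    is the likely victim of the reflected traffic, not the attacker.
    """
    counts = Counter()
    for ip, _port, name, qtype in parse_query_log(text):
        if is_root_ns_probe(name, qtype):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def response_ratios(exchanges):
    """Return {ip: total response bytes / total request bytes} per client IP."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for ip, request_bytes, response_bytes in exchanges:
        req[ip] += request_bytes
        resp[ip] += response_bytes
    return {ip: resp[ip] / req[ip] for ip in req}


def flag_amplified_clients(exchanges, min_ratio=5.0):
    """IPs that receive far more bytes than they send (characteristics 4 and 5)."""
    return sorted(ip for ip, ratio in response_ratios(exchanges).items() if ratio >= min_ratio)


if __name__ == "__main__":
    print("suspect (spoofed) sources:", find_suspect_sources(SAMPLE_QUERY_LOG))
    print("clients receiving amplified traffic:", flag_amplified_clients(SAMPLE_EXCHANGES))
```

Run against a real query log, the addresses returned by find_suspect_sources are the ones to notify and rate-limit, since they are receiving the reflected responses; the ratio check needs packet-size data that query logging alone does not record.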
Affected products:
------------------
All DNS implementations may be affected.
Suggested action
CCIRC recommends the following mitigation strategies.
First, check to see if your DNS server is susceptible to being used as an amplifier. This test is provided by SANS at the following link: http://isc1.sans.org/dnstest.html
Solutions for Berkeley Internet Name Domain (BIND)
------------------
1. Disable recursion on authoritative name servers with the global BIND configuration option "recursion no;".
2. To prevent BIND from answering a query for a zone outside of the server's authority, set the "additional-from-cache" option to "no".
3. The following article provides solutions to disable harmful queries from external or unknown hosts for several DNS setup scenarios including:
Once mitigation methods have been put in place, verify them through the DNS test provided by SANS.
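As a local companion to the SANS test, the settings from steps 1 and 2 can be checked directly in the BIND configuration. The following Python example is added here and is not part of the advisory or of BIND; the two options blocks are constructed fragments showing the weak settings beside the corrected ones, and the checker only understands single-line "name value;" statements inside a top-level options { } block. It treats a missing statement as BIND's default (recursion and additional-from-cache both default to yes).

```python
import re

# Constructed fragment with the weak settings the advisory warns about.
WEAK_OPTIONS = """\
options {
    directory "/var/named";
    recursion yes;
    additional-from-cache yes;
};
"""

# Constructed fragment with the settings from steps 1 and 2 applied.
HARDENED_OPTIONS = """\
options {
    directory "/var/named";
    recursion no;
    additional-from-cache no;
};
"""

# One "name value;" statement per line; the value may be a quoted string or a { list; }.
STATEMENT_RE = re.compile(r"^\s*([a-z-]+)\s+(.+?)\s*;\s*$", re.M)
OPTIONS_BLOCK_RE = re.compile(r"options\s*\{(.*?)\n\};", re.S)

# BIND defaults assumed when the option is not set at all.
DEFAULTS = {"recursion": "yes", "additional-from-cache": "yes"}


def parse_options(text):
    """Return {option: value} for the simple statements inside the options block."""
    m = OPTIONS_BLOCK_RE.search(text)
    if not m:
        raise ValueError("no options block found")
    return {name: value for name, value in STATEMENT_RE.findall(m.group(1))}


def check_amplification_settings(text):
    """Return a list of findings; an empty list means both advisory settings are in place."""
    opts = parse_options(text)
    findings = []
    if opts.get("recursion", DEFAULTS["recursion"]) != "no":
        findings.append('step 1: recursion is enabled; set "recursion no;" on authoritative servers')
    if opts.get("additional-from-cache", DEFAULTS["additional-from-cache"]) != "no":
        findings.append('step 2: set "additional-from-cache no;"')
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, check_amplification_settings(cfg) or ["OK"])
```

An empty findings list only confirms that the two options are set as the advisory recommends; the SANS test from the outside remains the actual verification that the server no longer amplifies.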
References
----------
Securing DNS BIND http://www.cymru.com/Documents/secure-bind-template.html
Securing Microsoft DNS http://technet.microsoft.com/en-us/library/cc772661.aspx
http://isc.sans.org/diary.html?storyid=5713
http://isc1.sans.org/dnstest.html
http://isc.sans.org/diary.html?storyid=5773
http://www.secureworks.com/research/threats/dns-amplification/?threat=dns-amplification
http://www.pcadvisor.co.uk/news/index.cfm?newsid=110448
http://technet.microsoft.com/en-us/library/cc757965.aspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca