DDoS DNS Amplification Attack
Number: AV09-011
Date: 12 February 2009
Purpose
The purpose of this advisory is to raise awareness and provide mitigation strategies for a recent variant of a distributed denial of service domain name system (DDoS DNS) amplification attack.
Assessment
CCIRC is aware of a new variant of a DNS amplification attack. An amplification attack is about sending small packets of information to a service which will respond with a much larger packet to a specific target. To direct the amplified traffic to the intended target, the attacker must spoof the source address in the request, resulting in all of the responses to be sent back to the victim. This works well with services using user datagram protocol (UDP). This specific variant uses a DNS query asking for the list of DNS servers to a legitimate DNS server. The response is large because it has a list of all 13 root name servers. This type of attack is not limited to recursive DNS servers since it is normal behavior for non-recursive DNS servers to send the list of root servers upon request or when an unknown domain is queried.
Please note that the queried DNS servers themselves are not under attack, but instead part of the DDoS directed towards the spoofed address.
Characteristics of this type of amplification attack are:
1. DNS over UDP, not transmission control protocol (TCP).
2. An name server (NS) query for "." (a single dot). A variant could be using a very short domain name such as "a".
3. A spoofed internet protocol (IP) address (that of the intended target).
4. Small packets sent to the DNS server.
5. Large amounts of response packets from your DNS server with the same size.
Affected products:
------------------
All DNS implementations may be affected.
Suggested action
CCIRC recommends the following mitigation strategies.
First, check to see if your DNS server is susceptible to be used as an amplifier. This test is provided by SANS at the following link. http://isc1.sans.org/dnstest.html
Solutions for Berkeley Internet Name Domain (BIND)
------------------
1. Disable recursion on authoritative name servers with the global BIND configuration option "recursion no;".
2. To prevent BIND from answering a query for a zone outside of the server's authority set the "additional-from-cache" option to "no".
3. The following article provides solutions to disable harmful queries from external or unknown hosts for several DNS setup scenarios including:
Once mitigation methods have been put in place, verify them through the DNS test provided by SANS.
References
----------
Securing DNS BIND http://www.cymru.com/Documents/secure-bind-template.html
Securing Microsoft DNS http://technet.microsoft.com/en-us/library/cc772661.aspx
http://isc.sans.org/diary.html?storyid=5713
http://isc1.sans.org/dnstest.html
http://isc.sans.org/diary.html?storyid=5773
http://www.secureworks.com/research/threats/dns-amplification/?threat=dns-amplification
http://www.pcadvisor.co.uk/news/index.cfm?newsid=110448
http://technet.microsoft.com/en-us/library/cc757965.aspx
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca