DDoS DNS Amplification Attack
Date: 12 February 2009
The purpose of this advisory is to raise awareness and provide mitigation strategies for a recent variant of a distributed denial of service (DDoS) attack that uses domain name system (DNS) amplification.
CCIRC is aware of a new variant of a DNS amplification attack. An amplification attack sends small packets to a service that responds with much larger packets, aimed at a specific target. To direct the amplified traffic to the intended target, the attacker must spoof the source address in the request, resulting in all of the responses being sent back to the victim. This works well with services that use the user datagram protocol (UDP). This specific variant sends a legitimate DNS server a query asking for its list of DNS servers. The response is large because it contains the list of all 13 root name servers. This type of attack is not limited to recursive DNS servers, since it is normal behavior for non-recursive DNS servers to send the list of root servers upon request or when an unknown domain is queried.
Please note that the queried DNS servers themselves are not under attack, but are instead used as part of the DDoS directed towards the spoofed address.
Characteristics of this type of amplification attack are:
- DNS over UDP, not transmission control protocol (TCP).
- A name server (NS) query for "." (a single dot). A variant could use a very short domain name such as "a".
- A spoofed internet protocol (IP) address (that of the intended target).
- Small packets sent to the DNS server.
- Large numbers of response packets of the same size leaving your DNS server.
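As an added example that is not part of the CCIRC advisory, the following Python script applies the characteristics above to DNS query-log lines. The BIND-style log layout, the sample lines and the reporting threshold are assumptions; adjust the regular expression to match your own server's output.

```python
import re
from collections import Counter

# Constructed sample lines in a BIND-style query-log layout (an assumption about
# the format, not real log data). The "client" address is the *spoofed* source,
# i.e. the victim that will receive the amplified responses.
SAMPLE_LOG = """\
client 192.0.2.10#53123: query: . IN NS +
client 192.0.2.10#53124: query: . IN NS +
client 192.0.2.10#53125: query: a IN NS +
client 198.51.100.7#40001: query: www.example.com IN A +
client 192.0.2.10#53126: query: . IN NS +
client 203.0.113.5#1025: query: . IN NS +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def is_amplifier_query(name: str, qtype: str) -> bool:
    """True for the query shape the advisory describes: an NS query for the
    root (".") or for a very short single-label name such as "a"."""
    if qtype != "NS":
        return False
    labels = [label for label in name.rstrip(".").split(".") if label]
    return len(labels) == 0 or (len(labels) == 1 and len(labels[0]) <= 2)


def suspicious_sources(log_text: str, threshold: int = 2) -> dict:
    """Count amplifier-shaped queries per client address and return the
    addresses at or above the threshold. A high count identifies the spoofed
    victim being flooded through this server, not the attacker. Transport
    (UDP vs TCP) is not recorded in this log layout, so it is not checked."""
    counts = Counter()
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match and is_amplifier_query(match["name"], match["type"]):
            counts[match["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} root/short-name NS queries (likely spoofed victim)")
```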
All DNS implementations may be affected.
CCIRC recommends the following mitigation strategies.
First, check whether your DNS server is susceptible to being used as an amplifier. SANS provides this test at the following link: http://isc1.sans.org/dnstest.html
Solutions for Berkeley Internet Name Domain (BIND)
- Disable recursion on authoritative name servers with the global BIND configuration option "recursion no;".
- To prevent BIND from answering a query for a zone outside of the server's authority, set the "additional-from-cache" option to "no".
- The article linked below under "Securing DNS BIND" provides solutions to disable harmful queries from external or unknown hosts for several DNS setup scenarios, including:
  - Nameserver is a master
  - Nameserver is authoritative but is operating as a slave only
  - Nameserver is both authoritative and caching
  - Nameserver is caching only
Once mitigation methods have been put in place, verify them through the DNS test provided by SANS.
- Securing DNS BIND http://www.cymru.com/Documents/secure-bind-template.html
- Securing Microsoft DNS http://technet.microsoft.com/en-us/library/cc772661.aspx
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that the CCIRC PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118