DDoS DNS Amplification Attack

Number: AV09-011
Date: 12 February 2009

Purpose

The purpose of this advisory is to raise awareness and provide mitigation strategies for a recent variant of a distributed denial of service domain name system (DDoS DNS) amplification attack.

Assessment

CCIRC is aware of a new variant of a DNS amplification attack. In an amplification attack, the attacker sends small requests to a service that answers with much larger responses. To direct the amplified traffic at the intended target, the attacker spoofs the source address of the requests, so that all of the responses are sent to the victim. This works well with services that use the user datagram protocol (UDP), because there is no handshake to validate the source address. This specific variant sends a legitimate DNS server a query for the list of name servers for the root zone. The response is large because it carries the list of all 13 root name servers. The attack is not limited to recursive DNS servers: it is normal behaviour for a non-recursive DNS server to return the list of root servers when asked for it or when queried for a domain it does not know.

Please note that the queried DNS servers themselves are not under attack; they are being used as reflectors in the DDoS directed at the spoofed address.

Characteristics of this type of amplification attack are:

  1. DNS over UDP, not transmission control protocol (TCP).
  2. A name server (NS) query for "." (a single dot). A variant could use a very short domain name such as "a".
  3. A spoofed internet protocol (IP) address (that of the intended target).
  4. Small packets sent to the DNS server.
  5. Large numbers of same-sized response packets leaving your DNS server.
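The characteristics above can be checked mechanically at the name server or on a packet capture in front of it. The following is an added example, not code from CCIRC's advisory: it parses the question section of DNS query packets (RFC 1035 wire format), flags NS queries for "." or for a very short name, and counts how many such UDP queries arrive per source address, since under this attack the source address is the spoofed victim that will receive the large responses. The packet bytes, the traffic events and the "very short name" threshold of three characters are constructed assumptions.

```python
"""Detector for the NS-for-root amplification pattern (added example, not CCIRC's code).

Parses the question section of DNS queries, flags NS queries for "." or a
very short name, and counts such UDP queries per source address. All packet
bytes and traffic events below are constructed samples.
"""
import struct
from collections import Counter

QTYPE_NS = 2          # RFC 1035 type code for NS
QR_FLAG = 0x8000      # header bit set on responses, clear on queries
SHORT_NAME_MAX = 3    # assumption: names of <= 3 characters count as "very short"


def parse_question(pkt: bytes):
    """Return the first question of a DNS query, or None if pkt is a response."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & QR_FLAG or qdcount == 0:
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            # A compression pointer cannot legally start a question name
            raise ValueError("compression pointer in question name")
        if pos + 1 + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    qname = ".".join(labels) + "." if labels else "."
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass}


def is_suspect_query(q) -> bool:
    """NS query for the root or for a very short name (characteristic 2)."""
    if q is None or q["qtype"] != QTYPE_NS:
        return False
    return q["qname"] == "." or len(q["qname"].rstrip(".")) <= SHORT_NAME_MAX


def detect_amplification(events, threshold=50):
    """Count suspect UDP queries per source address (characteristics 1 to 4).

    events: iterable of (src_ip, proto, payload). The source address is the
    address that will receive the large responses, i.e. the spoofed victim.
    Returns {src_ip: count} for sources at or above threshold.
    """
    counts = Counter()
    for src, proto, payload in events:
        if proto != "udp":
            continue            # the pattern is UDP only; TCP is not spoofable this way
        try:
            q = parse_question(payload)
        except ValueError:
            continue            # malformed packet; not this pattern
        if is_suspect_query(q):
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# --- constructed sample packets: 12-byte header, then one question ---
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # id 0x1234, RD set, qdcount 1
Q_ROOT_NS = HEADER + b"\x00" + b"\x00\x02\x00\x01"               # NS "." IN (17 bytes)
Q_A_NS = HEADER + b"\x01a\x00" + b"\x00\x02\x00\x01"             # NS "a." IN
Q_EXAMPLE_A = HEADER + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"  # A example.com. IN

# constructed traffic: 198.51.100.7 appears as the source of 60 root-NS UDP queries
SAMPLE_EVENTS = (
    [("198.51.100.7", "udp", Q_ROOT_NS)] * 60
    + [("198.51.100.7", "tcp", Q_ROOT_NS)] * 5       # TCP: ignored
    + [("203.0.113.9", "udp", Q_A_NS)] * 3            # below threshold
    + [("192.0.2.4", "udp", Q_EXAMPLE_A)] * 40        # ordinary lookups
)

if __name__ == "__main__":
    print(detect_amplification(SAMPLE_EVENTS))   # {'198.51.100.7': 60}
```

A real deployment would feed `detect_amplification` from a capture or from the query log rather than from `SAMPLE_EVENTS`, and would treat a flagged source address as the victim to protect (for example by rate-limiting responses to it), not as the attacker.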

Affected products
------------------
All DNS implementations may be affected.

Suggested action

CCIRC recommends the following mitigation strategies.

First, check whether your DNS server can be used as an amplifier. SANS provides a test at the following link: http://isc1.sans.org/dnstest.html

Solutions for Berkeley Internet Name Domain (BIND)
------------------

  1. Disable recursion on authoritative name servers with the global BIND configuration option "recursion no;".
  2. To prevent BIND from answering a query for a zone outside of the server's authority, set the "additional-from-cache" option to "no".
  3. The following article provides solutions for disabling harmful queries from external or unknown hosts for several DNS setup scenarios, including:
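A named.conf fragment that applies the two options named above on an authoritative-only BIND 9 server, as an added example rather than text from the advisory or from ISC. The ACL, the network ranges, the zone name and the file paths are constructed placeholders; "additional-from-cache" existed in BIND 9 releases of the advisory's era and has been dropped from later releases, so check the documentation for the version you run.

```conf
// Added example, not part of the CCIRC advisory. Network ranges, zone
// name and file paths are constructed placeholders.

acl "trusted" { 192.0.2.0/24; 127.0.0.1; };

options {
    directory "/var/named";

    // Weak settings (BIND's defaults at the time), shown for contrast:
    //   recursion yes;
    //   additional-from-cache yes;

    // Option 1: an authoritative server should not resolve on behalf of others.
    recursion no;

    // Option 2: do not answer queries for zones outside this server's authority
    // from cached data.
    additional-from-cache no;

    // If internal clients do need recursion, restrict it rather than enable it
    // globally:
    //   recursion yes;
    //   allow-recursion { "trusted"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
```

After reloading the configuration, an NS query for "." from an address outside the server's own zones should no longer draw a full root-server list in reply; the SANS test referenced above confirms this from the outside.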

Once mitigation methods have been put in place, verify them through the DNS test provided by SANS.

References
----------

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated:
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
