Additionally, Cisco's 2014 Annual Security Report reveals that its threat intelligence experts found evidence of corporate networks being misused or compromised in every single case they examined during a recent project on DNS lookups.
It's clear, then, that DNS-based DDoS attacks are a growing threat, and one that businesses are neglecting at a time when DNS security should be treated as a priority. But how exactly do these attacks work, and what can businesses do to protect against them?
It's surprisingly simple to generate a DDoS attack using an enterprise's DNS infrastructure. Rather than querying from their own IP address, attackers send queries to name servers across the internet with the source address spoofed to that of their target, and the name servers then send their responses to the target instead of the attacker.
If those responses were about the same size as the queries, this on its own would not be enough to wreak the desired havoc on the target. What the attacker needs is amplification: a small query that produces a very large response. Such responses have become far more common since the adoption of DNS Security Extensions (DNSSEC), because the cryptographic keys and digital signatures they carry add considerably to the size of an answer.
A query of just 44 bytes, for example, sent from a spoofed IP address to a domain that contains DNSSEC records, can return a response of over 4,000 bytes. Over a 1Mbps internet connection an attacker can send in the region of 2,840 such 44-byte queries per second, which results in roughly 93Mbps of replies being returned to the target. With a botnet of thousands of computers at their disposal, the attacker needs only ten more hosts sending at that rate to deliver 1Gbps of replies and begin incapacitating the target.
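To make the amplification figures above concrete, here is an added example (not code from the original article) that builds a DNS query in wire format, so the 44-byte-or-so size of the query is visible byte by byte, and then works out how many such queries a link can carry and how much reflected traffic they produce. The query is an ANY lookup with an EDNS0 OPT record advertising a 4,096-byte UDP buffer, which is what lets a resolver return an answer far larger than the classic 512-byte limit. The domain name, transaction ID and the 4,096-byte response size are assumptions for illustration; nothing is sent on the network.

```python
import struct

QTYPE_ANY = 255      # "ANY" asks for every record type, maximising the response
QCLASS_IN = 1
OPT_TYPE = 41        # EDNS0 OPT pseudo-record (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, root-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                udp_payload: int = 4096, dnssec_ok: bool = True) -> bytes:
    """Return the bytes of a UDP DNS query carrying an EDNS0 OPT record.

    Header: ID, flags (RD=1 so a recursive server answers from cache),
    QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record below).
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT pseudo-RR: root name, TYPE=41, CLASS field carries the UDP payload
    # size the sender will accept, TTL field carries extended RCODE/version/
    # flags (DO bit = 0x8000 requests DNSSEC records), empty RDATA.
    ttl_field = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, ttl_field, 0)
    return header + question + opt


def edns_udp_size(query: bytes) -> int:
    """Read back the advertised UDP payload size from the trailing OPT record."""
    return struct.unpack("!H", query[-8:-6])[0]


def reflected_rate(query_len: int, response_len: int, link_bps: int):
    """How many queries of query_len bytes fit on a link of link_bps, and how
    much reflected traffic (bits/s) those queries generate toward the victim.
    Returns (queries_per_second, reflected_bps, amplification_factor)."""
    qps = link_bps // (query_len * 8)
    return qps, qps * response_len * 8, response_len / query_len


if __name__ == "__main__":
    q = build_query("example.com")               # assumed domain, not a real target
    print(len(q), "byte query, EDNS buffer", edns_udp_size(q))
    # The article's figures: a 44-byte query, an assumed 4,096-byte DNSSEC
    # response, a 1 Mbit/s uplink.
    qps, bps, factor = reflected_rate(44, 4096, 1_000_000)
    print(f"{qps} queries/s -> {bps / 1e6:.1f} Mbit/s reflected (x{factor:.0f})")
```

Note that a plain A query for the same name with no OPT record is only 29 bytes, but without EDNS0 the server caps the UDP answer at 512 bytes and sets TC, so the attacker deliberately adds the OPT record: the few extra bytes in the query buy an eightfold larger response.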
Most name servers can be configured to recognize that they are repeatedly being queried for the same data from the same IP address and to rate-limit their responses accordingly. Open recursive servers, however, of which there are estimated to be around 33 million worldwide, will accept the same query from the same spoofed IP address again and again, each time sending back a full-size response such as the DNSSEC examples mentioned above.
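The difference between a server that recognizes repeated identical queries and an open resolver that answers every one of them can be shown with a small simulation. The following is an added example, not the article's or any DNS vendor's code: a simplified response rate limiter in the style of BIND's RRL, run over a constructed stream of 100 identical ANY queries per second whose source is spoofed to a victim address, plus two ordinary lookups from an unrelated client. Identical answers to the same client prefix are capped per one-second window; of the excess, every second one is returned truncated (TC=1) so a genuine client can retry over TCP, and the rest are dropped. The addresses, names, limits and the 4,096-byte full / 40-byte truncated response sizes are assumptions for illustration.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Constructed query stream (not a capture): (time_ms, src_ip, qname, qtype).
VICTIM = "203.0.113.10"                     # spoofed source = the real target
QUERIES = [(10 * i, VICTIM, "example.com", "ANY") for i in range(100)]
QUERIES += [(120, "198.51.100.7", "www.example.org", "A"),
            (500, "198.51.100.7", "www.example.org", "A")]
QUERIES.sort(key=lambda q: q[0])


def rrl_decide(queries, responses_per_window=5, window_ms=1000, slip=2,
               prefix_len=24):
    """Decide, per query, whether the server should 'answer', 'truncate' or 'drop'.

    Responses are counted per (client /prefix, name, type) rather than per
    exact address, since a spoofer can vary the low bits of the source.
    """
    recent = defaultdict(deque)   # key -> times of full answers in the window
    limited = defaultdict(int)    # key -> number of rate-limited queries so far
    actions = []
    for t, src, qname, qtype in queries:
        prefix = ip_network(f"{src}/{prefix_len}", strict=False)
        key = (prefix, qname.lower(), qtype)
        window = recent[key]
        while window and t - window[0] >= window_ms:
            window.popleft()                  # expire answers older than the window
        if len(window) < responses_per_window:
            window.append(t)
            actions.append("answer")
        else:
            limited[key] += 1
            # "slip": every slip-th limited query gets a tiny truncated reply
            # instead of silence, so a legitimate client can fall back to TCP.
            if slip and limited[key] % slip == 0:
                actions.append("truncate")
            else:
                actions.append("drop")
    return actions


def open_resolver_decide(queries):
    """An open recursive server with no rate limiting answers everything."""
    return ["answer"] * len(queries)


def bytes_reflected(queries, actions, victim, full_len=4096, tc_len=40):
    """Bytes this server sends toward `victim` under the given decisions.
    A truncated reply carries only the header and question, so it is assumed
    to be roughly query-sized (tc_len)."""
    total = 0
    for (_, src, _, _), action in zip(queries, actions):
        if src != victim:
            continue
        if action == "answer":
            total += full_len
        elif action == "truncate":
            total += tc_len
    return total


if __name__ == "__main__":
    rrl = rrl_decide(QUERIES)
    print("RRL:", {a: rrl.count(a) for a in ("answer", "truncate", "drop")})
    print("bytes to victim, RRL server:  ", bytes_reflected(QUERIES, rrl, VICTIM))
    print("bytes to victim, open resolver:",
          bytes_reflected(QUERIES, open_resolver_decide(QUERIES), VICTIM))
```

In this run the rate-limited server sends the victim about 22 KB in the second instead of 400 KB, while the two genuine lookups from the other client are answered normally because they never exceed their own prefix's budget.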