Additionally, Ciscoís 2014 Annual Security Report reveals how its threat intelligence experts found evidence of corporate networks being misused or compromised in every single case they examined during a recent project on DNS lookups.
Itís clear then that DNS-based DDoS attacks are a growing threat, and one thatís being neglected by businesses when DNS security should really be seen as a priority because of the increasing risks. But how exactly do these attacks work? And what can businesses do to protect against them?
Itís surprisingly simple to generate a DDoS attacks using an enterpriseís DNS infrastructure. Rather than using their own IP address, attackers send queries to name servers across the internet from a spoofed IP address of their target, and the name servers, in turn, then send back responses.
If these responses were around the same size as the queries themselves, this course of action in itself wouldnít be sufficient to wreak the desired havoc on the target. Whatís required is amplification of each of these queries so that they generate a very large response which, since the adoption of DNS security extensions (DNSSEC) and their inherent cryptographic keys and digital signatures, has become increasingly more common.
A query of just 44 bytes, for example, sent from a spoofed IP address to a domain that contains DNSSEC records, could return a response of over 4,000 bytes. With a 1Mbps internet connection, an attacker could send in the region of 2,840 44-byte queries per second which would result in replies to the magnitude of 93Mbps being returned to the target server. And, by using a botnet of thousands of computers, the attacker could quickly recruit 10 fellow comrades and deliver 1Gbps of replies to begin incapacitating their target.
Most name servers can be modified to recognize that theyíre repeatedly being queried for the same data from the same IP address. Open recursive servers however, of which there are estimated to be around 33 million around the world, will accept the same query from the same spoofed IP address again and again, each time sending back responses such as the DNSSEC examples mentioned above.
Recognition and prevention
So what steps can companies take to combat such attacks?
Perhaps most important is learning to recognize when an attack is taking place. Many organizations donít know what their query load is, so arenít even aware of when theyíre under attack. By using the statistics support built into the DNS software BIND, administrators can analyze their data for query rates, socket errors and other attack indicators. Even if itís not clear exactly what an attack looks like, monitoring DNS statistics will establish a baseline from which trends and anomalies can quickly be identified.
An organizationís internet-facing infrastructure should also be scrutinized for single points of failure not only in external authoritative name servers, but also in switch and router interactions, firewalls, and connections to the Internet. Once identified, the business should then consider whether these vulnerabilities can be effectively eliminated.