generate a much larger volume of responses, resulting in congestion of the DNS server’s
upload and eventually a denial of service (DoS).

Reflection attacks use a third-party DNS server on the Internet to propagate a DoS or
DDoS attack by sending queries to the recursive server. Recursive servers will process
queries from any IP address and return responses. The attack spoofs its DNS queries by
including the victim’s IP address as the source IP in the query, creating a loop of traffic that
can bring down the victim’s site.

Distributed reflection DoS (DrDoS) attacks combine reflection and amplification to
significantly increase the size of the response to the initial queries and the likelihood the
victim’s server will be overwhelmed. This is a particularly deadly and hard-to-counter threat.
There are about 33 million open recursive DNS servers worldwide and 28 million of them
don’t have access controls, making them usable for DrDoS attacks.
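The reflection and DrDoS patterns described above leave a recognisable trace in a recursive resolver's own query log: one "client" address (really the spoofed victim) sending bursts of queries whose responses are many times larger than the queries. The following is an added example, not code from the article: it aggregates a constructed, simplified log format (`epoch client qtype qname query_bytes response_bytes`) and flags clients whose traffic shows a high amplification factor together with a high share of large-answer query types. The log format, thresholds and sample addresses (RFC 5737 documentation ranges) are all assumptions for illustration.

```python
"""Spot reflection/amplification patterns in a recursive resolver's query log.

Added example, not from the article. The log format is a constructed one:
"<epoch> <client_ip> <qtype> <qname> <query_bytes> <response_bytes>".
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not real traffic). The addresses come from the
# RFC 5737 documentation ranges; 203.0.113.10 plays the spoofed victim.
SAMPLE_LOG = """\
1700000000 198.51.100.7 A www.example.com 45 61
1700000001 198.51.100.7 AAAA www.example.com 45 73
1700000001 203.0.113.10 ANY example.com 40 3100
1700000001 203.0.113.10 ANY example.com 40 3100
1700000002 203.0.113.10 ANY example.com 40 3100
1700000002 203.0.113.10 TXT example.com 40 2600
1700000002 203.0.113.10 ANY example.com 40 3100
1700000003 198.51.100.9 MX example.com 41 120
1700000003 203.0.113.10 ANY example.com 40 3100
"""

# Query types whose answers are typically large and therefore favoured for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


@dataclass
class ClientStats:
    queries: int = 0
    query_bytes: int = 0
    response_bytes: int = 0
    large_type_queries: int = 0


def parse_line(line):
    ts, client, qtype, qname, qbytes, rbytes = line.split()
    return int(ts), client, qtype, qname, int(qbytes), int(rbytes)


def aggregate(log_text):
    """Per-client totals of queries, bytes in, bytes out and large-answer query types."""
    stats = defaultdict(ClientStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qtype, _, qbytes, rbytes = parse_line(line)
        s = stats[client]
        s.queries += 1
        s.query_bytes += qbytes
        s.response_bytes += rbytes
        if qtype in AMPLIFYING_QTYPES:
            s.large_type_queries += 1
    return stats


def amplification_factor(s):
    """Bytes sent back per byte received; the attacker's leverage against the victim."""
    return s.response_bytes / s.query_bytes if s.query_bytes else 0.0


def suspected_reflection_targets(log_text, min_queries=5, min_factor=20.0, min_large_share=0.5):
    """Return clients whose traffic looks like reflection/amplification.

    Note the attribution: the flagged address is the spoofed *victim*, not the
    attacker, so the right response is rate limiting and response-size limits
    toward that address, not blocking it as a hostile source.
    """
    flagged = {}
    for client, s in aggregate(log_text).items():
        factor = amplification_factor(s)
        share = s.large_type_queries / s.queries
        if s.queries >= min_queries and factor >= min_factor and share >= min_large_share:
            flagged[client] = {
                "queries": s.queries,
                "amplification": round(factor, 1),
                "large_type_share": round(share, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, info in suspected_reflection_targets(SAMPLE_LOG).items():
        print(f"{client}: {info}")
```

On the constructed sample the resolver returned 18,100 bytes for 240 bytes of queries from 203.0.113.10, an amplification factor above 75, while the ordinary lookups from the other clients stay far below the thresholds. A resolver that answers only its own clients (the access controls the paragraph above notes most open resolvers lack) never produces this pattern in the first place.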

TCP/UDP/ICMP flood attacks are volumetric attacks with massive numbers of packets that
consume a network’s bandwidth and resources.

DNS-based exploits make use of software bugs in protocol parsing and processing
implementation to exploit vulnerabilities in DNS server software. By sending malformed DNS
packets to the targeted DNS server, the attacker can cause the server to stop responding or
crash.

DNS cache poisoning inserts a false address record for an Internet domain into the DNS
query. If the DNS server accepts the record, subsequent requests of the domain address are
answered with the address of a server controlled by the attacker.

Protocol anomalies send malformed DNS packets, including unexpected header and
payload values, to the targeted server, causing it to stop responding or crash by causing an
infinite loop in server threads.
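Both the parser exploits and the protocol anomalies above come down to a server trusting the structure of a packet it has not checked: lengths that run past the end of the datagram, labels longer than the wire format allows, or a name-compression pointer that points at itself so a naive decoder loops forever. The following is an added example, not code from the article or from any DNS server: a defensive parser for the query side of a DNS message that rejects each of those conditions before anything acts on the packet. The `build_query` helper and the one-question-per-query policy are assumptions made for this example.

```python
"""Defensive parser for DNS query packets (added example, not from the article).

Rejects truncated headers and questions, over-long labels and names, reserved
label-type bits, and compression pointers that do not point strictly backwards
(the self-referencing pointer is the classic way to make a decoder spin).
"""
import struct

# id, flags, qdcount, ancount, nscount, arcount (RFC 1035 section 4.1.1)
HEADER = struct.Struct(">HHHHHH")


class MalformedPacket(ValueError):
    """Raised for any structural problem; the caller drops the packet."""


def parse_name(buf, offset, max_jumps=8):
    """Decode a possibly compressed name starting at offset.

    Returns (name, offset_after_name_in_original_stream).
    """
    labels, total, jumps, end = [], 0, 0, None
    while True:
        if offset >= len(buf):
            raise MalformedPacket("name runs past end of packet")
        length = buf[offset]
        if length == 0:
            return (".".join(labels) if labels else "."), (end if end is not None else offset + 1)
        if (length & 0xC0) == 0xC0:  # compression pointer
            if offset + 1 >= len(buf):
                raise MalformedPacket("truncated compression pointer")
            target = ((length & 0x3F) << 8) | buf[offset + 1]
            if target >= offset:
                raise MalformedPacket("compression pointer does not point backwards")
            jumps += 1
            if jumps > max_jumps:
                raise MalformedPacket("too many compression pointers")
            if end is None:
                end = offset + 2
            offset = target
            continue
        if length & 0xC0:  # 0x40 / 0x80 label types are reserved
            raise MalformedPacket("reserved label type")
        if length > 63:
            raise MalformedPacket("label longer than 63 octets")
        if offset + 1 + length > len(buf):
            raise MalformedPacket("label runs past end of packet")
        total += length + 1
        if total > 255:
            raise MalformedPacket("name longer than 255 octets")
        labels.append(buf[offset + 1: offset + 1 + length].decode("ascii", errors="replace"))
        offset += 1 + length


def parse_query(buf):
    """Validate a query packet and return its header fields and question."""
    if len(buf) < HEADER.size:
        raise MalformedPacket("shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = HEADER.unpack_from(buf, 0)
    if flags >> 15:
        raise MalformedPacket("QR bit set: this is a response, not a query")
    if qdcount != 1:  # policy for this example: exactly one question per query
        raise MalformedPacket(f"expected one question, got {qdcount}")
    qname, offset = parse_name(buf, HEADER.size)
    if offset + 4 > len(buf):
        raise MalformedPacket("question section truncated")
    qtype, qclass = struct.unpack_from(">HH", buf, offset)
    return {"id": txid, "opcode": (flags >> 11) & 0xF, "qname": qname,
            "qtype": qtype, "qclass": qclass,
            "ancount": ancount, "nscount": nscount, "arcount": arcount}


def is_well_formed(buf):
    try:
        parse_query(buf)
        return True
    except MalformedPacket:
        return False


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a minimal well-formed query (helper for this example only)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + name + struct.pack(">HH", qtype, 1)


if __name__ == "__main__":
    print(parse_query(build_query("www.example.com")))
    looped = HEADER.pack(1, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + b"\x00\x01\x00\x01"
    print("self-pointing name accepted:", is_well_formed(looped))
```

The two checks that matter most for the failure modes the article lists are the bounds test before every read (no read past the datagram) and the rule that a pointer must point strictly backwards: because each jump lands at a smaller offset, decoding always terminates even without the jump cap, which is kept as a second line of defence.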

Reconnaissance consists of attempts to get information on the network environment before
launching a large DDoS or other type of attack. These attacks exhibit abnormal behavior
patterns that, if identified, can provide early warning.

DNS tunneling involves tunneling another protocol through DNS port 53 for the purposes of
data exfiltration.
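Tunnelled data has to be carried in the query names themselves, which gives a defender something to measure: the encoded payload shows up as long, high-entropy subdomains, many of them unique, under one parent domain, and usually in query types with room for a large answer (TXT, NULL). The following is an added example, not code from the article: a heuristic detector over constructed passive-DNS records that scores each name and raises an alert only when one client sends several distinct suspicious names to the same parent domain. The record format, thresholds, the two-label approximation of the parent domain and the sample addresses are assumptions for illustration.

```python
"""Heuristic DNS-tunneling detection over passive-DNS query records.

Added example, not from the article. Records are constructed
(client_ip, qtype, qname) tuples; the thresholds are starting points, not tuned values.
"""
import math
from collections import Counter, defaultdict

# Constructed sample records (not real traffic); addresses are from the RFC 5737
# documentation range and 198.51.100.23 plays the tunnelling client.
SAMPLE_QUERIES = [
    ("198.51.100.7", "A", "www.example.com"),
    ("198.51.100.7", "A", "mail.example.com"),
    ("198.51.100.7", "AAAA", "north-america-east-2.cdn.example.net"),
    ("198.51.100.9", "MX", "example.com"),
    ("198.51.100.23", "TXT", "nq4k7z2p9wxa3rlcv8tbh5jm0f6yd.t.example.org"),
    ("198.51.100.23", "TXT", "8hd3kq0mzp5x1r7vcwnj2tl9ay4bg.t.example.org"),
    ("198.51.100.23", "TXT", "zx29lpq7h3ca5tkvwn8rmb1j6dy0f.t.example.org"),
    ("198.51.100.23", "TXT", "k3m8tb1qwz7pjh0xn5c2rvl9dga64.t.example.org"),
    ("198.51.100.23", "A", "www.example.com"),
]


def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split into (parent domain, subdomain text).

    Assumption for this example: the parent is the last two labels. Real
    deployments should use a public-suffix list instead.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])


def query_features(qtype, qname):
    parent, sub = split_name(qname)
    return {"parent": parent, "qtype": qtype, "sub_len": len(sub),
            "entropy": shannon_entropy(sub)}


def is_suspicious(features, min_len=20, min_entropy=3.5):
    """Per-name heuristic: long and high-entropy subdomain text.

    A long legitimate hostname can score as suspicious on its own, which is why
    one hit never raises an alert by itself (see detect_tunnels).
    """
    return features["sub_len"] >= min_len and features["entropy"] >= min_entropy


def detect_tunnels(records, min_unique=4):
    """Map (client, parent domain) -> count of distinct suspicious names, for
    pairs that reach min_unique. Many unique encoded names to one parent is the
    tunnel signature; a single odd name is not."""
    per_pair = defaultdict(set)
    for client, qtype, qname in records:
        features = query_features(qtype, qname)
        if is_suspicious(features):
            per_pair[(client, features["parent"])].add(qname.lower())
    return {pair: len(names) for pair, names in per_pair.items() if len(names) >= min_unique}


if __name__ == "__main__":
    for (client, parent), count in detect_tunnels(SAMPLE_QUERIES).items():
        print(f"possible tunnel: {client} -> {parent} ({count} unique suspicious names)")
```

Entropy and length alone produce false positives on CDN and cloud hostnames, so the alert keys on the aggregate: the volume of distinct encoded-looking names one client sends to one parent domain. Adding the query-type mix (a client whose traffic to one domain is almost all TXT or NULL) and the byte volume per parent domain are natural next features, and the parent-domain count is also the figure to check when deciding whether to block a domain at the resolver.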

Know what your security solution can and can’t do. Your security solution may use one
or many approaches that fall short of truly shoring up your network, including:

Overprovisioning: Technologies like load-balancers can be made to respond to a DDoS
attack by increasing the capacity of the network and hoping the attack will stop at some
point. However, this approach can’t keep up with the rapidly increasing size of DDoS
attacks, and it can’t monitor bad or malformed DNS traffic.

Deep Packet Inspection: Next-generation firewalls and IPS devices offer some protection
against common vulnerabilities and basic layer-3 DDoS. However, they lack the ability to
detect and mitigate DNS-specific protocol abnormalities or DNS-based attacks.




7 Cyber Warnings E-Magazine – April 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
