Yellow journalism at work: Previously Unknown DNS Attacks

When I stumbled across the headline “Porn site feud spawns new DNS attack” on NetworkWorld’s web site, the urge to read the article was simply irresistible. The article starts with the following paragraph (emphasis mine):

A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet's DNS.

The link in the paragraph points to another article documenting a completely different DNS attack. The next paragraph contradicts the first one (emphasis yet again mine):

The attack is known as DNS Amplification. It has been used sporadically since December, but it started getting talked about last month when ISPrime, a small New York ISP, started getting hit hard with what's known as a distributed denial of service (DDoS) attack.

So an attack that has been known to be used since December is previously unknown in February. Maybe time runs backwards for some people?

But the most interesting part of the story is the attack itself: it has almost nothing to do with DNS; any UDP application where the reply is significantly longer than the request (for example, TFTP) would do. DNS just happens to be the most widespread one. Calling this a quirk in the Internet’s DNS is at least an exaggeration.

Here is how it works:

  • It helps if you have a zombie network, but even a single workstation with a 100 Mbps connection to the Internet (there are plenty of them in corporate and academic networks) would do.
  • The site to which the workstation is connected, as well as the ISP, has to be careless enough to allow source IP address spoofing. A large percentage of ISPs still fit this criterion.
  • You start sending a large number of DNS requests that generate long replies to DNS servers around the world. The source IP address of the request should be the IP address of the server you want to attack.
  • The DNS servers send their replies to the spoofed IP address, swamping the Internet connection of the attack target.

The effectiveness of this attack depends on the amplification factor: the ratio of the DNS response size to the DNS query size (including the IP and UDP headers). For example, the amplification factor of the root nameserver query is more than five. Wireshark on my Linux workstation reports that the IP packet size of the DNS query is 45 bytes and the packet size of the DNS reply is 256 bytes.
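Seen from the target, the replies described above answer queries it never sent, which is what a monitor at its edge can key on. The following is an added example, not code from the original post: it matches DNS replies against the host's own outstanding queries and totals the unrequested bytes per reflecting server. The addresses, ports, transaction IDs and padded messages are constructed; only the 45-byte and 256-byte packet sizes come from the text.

```python
import struct
from collections import Counter

IP_UDP_HEADERS = 20 + 8  # IPv4 header without options + UDP header

def parse_dns_header(payload):
    """Return (transaction id, is_response) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS message")
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

def unsolicited_replies(packets, local_ip):
    """Sum IP bytes of DNS replies to local_ip that match no query it sent."""
    # packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload)
    pending = set()    # (server_ip, local_port, txid) of outstanding queries
    stray = Counter()  # reflecting server -> bytes of unrequested replies
    for src, sport, dst, dport, payload in packets:
        try:
            txid, is_response = parse_dns_header(payload)
        except ValueError:
            continue  # not a DNS message, ignore
        if src == local_ip and dport == 53 and not is_response:
            pending.add((dst, sport, txid))
        elif dst == local_ip and sport == 53 and is_response:
            key = (src, dport, txid)
            if key in pending:
                pending.discard(key)  # answer to a query we really sent
            else:
                stray[src] += IP_UDP_HEADERS + len(payload)
    return stray

def dns_msg(txid, response, ip_size):
    """Constructed DNS message, zero-padded so the IP packet is ip_size bytes."""
    flags = 0x8000 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header.ljust(ip_size - IP_UDP_HEADERS, b"\x00")

# Constructed capture at the edge of host 192.0.2.10 (documentation addresses).
ME = "192.0.2.10"
SAMPLE = [
    (ME, 40000, "198.51.100.1", 53, dns_msg(0x1234, False, 45)),  # our query
    ("198.51.100.1", 53, ME, 40000, dns_msg(0x1234, True, 256)),  # its answer
    ("203.0.113.5", 53, ME, 40000, dns_msg(0x1234, True, 256)),   # wrong server
    ("203.0.113.5", 53, ME, 53124, dns_msg(0x9A01, True, 256)),   # never asked
    ("203.0.113.6", 53, ME, 1025, dns_msg(0x0007, True, 256)),    # never asked
]

print(unsolicited_replies(SAMPLE, ME).most_common())
```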

4 comments:

  1. Ivan,

    thanks for dispelling the bull, as you always do. (It seems that some people do want to become the gold standard for "tabloid press" in networking.)

    I might add that the attack also requires that the relays – that is, the single attacker, or the controlled zombies – are configured to use a DNS resolver that not only allows source IP spoofing, but is also willing to accept recursive queries from anyone in the network, including the victim.

    As usual, the majority of resolvers do fit the criterion, as most administrators are too scared of BIND to configure it properly. Or, worse yet, in 2009 they are still running a single BIND instance for both the role of DNS server (to publish their own records) and the role of recursive resolver/cache (to perform full DNS resolutions for clients), so they simply must accept requests from anyone.

    As usual, some of the alternatives (including djbdns) are safe by default. But then again, an organization needs software such as BIND to justify dedicated hardware and craftsmen for DNS operation… :)

  2. Unfortunately, the attack does not require DNS servers that accept recursive queries.

    You just need a large enough set of domains (you can get them from your web log files) and a mapping between the domains and authoritative name servers (you do a lookup for the domain's NS record).

    Once you have this data, start sending a large number of DNS queries with fake source IP addresses to the name servers. Each one of them has to reply to all queries for the domains for which it's an authority.

  3. ---sending large number of DNS queries with fake source IP ----

    Is it even possible? I thought nobody could do that... How can someone do that?

  4. Unfortunately, numerous ISPs still don't have anti-spoofing filters on their customer-facing interfaces. If everyone would implement those filters, the Internet would definitely be a safer place.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.