Paul Sullivan

This is meant for a regular person with a reasonable working knowledge of TCP/IP and C who might be curious as to how this might be used against them, and thus how to guard against it.

If you are (or could be) the target of an organised / professional attacker this is not for you.  You can't stop someone capable of multi-Gbit/s attacks, but you can stop your own infrastructure from being turned against you.

 

For a TX of 4.8Mbit/s the target received 24Mbit/s.

 

A DNS Amplification / Reflection "attack" how to

This isn't a discussion of the general theory (there are many articles available; Google: "DNS Amplification Reflection Attack").

I'm interested in how this could be used by a normal everyday human with basic TCP/IP & C knowledge, since it is statistically unlikely that I'll be the target of a sophisticated attack by a BOT herder, or some other "1337 haxx0r".

How to do this:-

  1. We need a way to generate the correctly crafted request. Easily 'findable' is http://www.nullsecurity.net/tools/dos/dnsdrdos.c
  2. Having a list of open recursors is necessary for a full scale attack.  Not interested in that.  However, anyone who runs their own DNS hosting has authoritative Name Servers which will respond to requests from anyone.  These can be successfully used as 2nd hop sources (the sources of the main attack).  They are mostly in high bandwidth Data Centers and usually distributed over more than 1 DC.  Many owner-operators do this and don't have the experience to ensure the servers are properly protected / rate limited etc.
  3. Need a node to execute this from that does not belong to an upstream with Egress Filtering (BCP-38).  I can confirm that any good UK DC does this; I've also checked both Zen and Eclipse ADSL connections.  No good.  For most of us, we fail here.
  4. Presuming you succeed, 2 realisations will quickly follow:-
    • UDP packets from the original source will go at near line speed.  This works well where your original source is an ADSL upstream you're not responsible for.  Not so ideal if it's a connection you are responsible for.  I found a usleep of 50-150 ms between packets was enough to control the egress rate to between 1 and 5Mbit/s.
    • With the default (dnsdrdos.c) "A" record request the multiplication factor is quite low, perhaps only twice the traffic you send. To achieve a better effect, asking for an "ANY" record is the best I could come up with.  That gave a multiplication factor of 6X.

In my test I was able to saturate an ADSL downstream connection (at 24Mbit this makes sense).  Pings down the ADSL line showed 73% packet loss with latency of 150-200ms for the requests that were returned.

Dealing with a DNS reflection attack

  1. If you're the initial source: just stop it.
  2. If you're the source of the amplified traffic, i.e. the host of the recursive DNS server: don't host your own DNS.  If you must (say you have authoritative Nameservers), make sure that you rate limit traffic/requests.
  3. If you're the final target, I believe the only real option is to null (blackhole) route traffic destined for your IP at the upstream provider - obviously all the services that were on that IP would need to be moved!
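To make point 2 concrete, here is an added example (not code from this post or from any name server) of per-prefix response rate limiting replayed over a query log. The log entries, the 64/384-byte sizes (chosen to match the 6X "ANY" factor above), the /24 grouping and the limit of 5 responses/s with a burst of 10 are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample log: (timestamp_s, source_ip, qtype, query_bytes, response_bytes)
SAMPLE_LOG = (
    [(i * 0.01, "198.51.100.7", "ANY", 64, 384) for i in range(200)]  # spoofed source = victim
    + [(0.5, "192.0.2.10", "A", 60, 120), (1.2, "203.0.113.77", "MX", 62, 140)]  # normal clients
)

def prefix_of(src_ip):
    return str(ip_network(f"{src_ip}/24", strict=False))

class ResponseRateLimiter:
    """Token bucket per client /24. The 'client' of a reflected query is the
    victim, so this caps what the server can be made to send at any one target."""

    def __init__(self, responses_per_second=5, burst=10):
        self.rate, self.burst = responses_per_second, burst
        self.buckets = {}  # prefix -> (tokens, time of last query)

    def allow(self, ts, src_ip):
        prefix = prefix_of(src_ip)
        tokens, last = self.buckets.get(prefix, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill
        allowed = tokens >= 1
        self.buckets[prefix] = (tokens - 1 if allowed else tokens, ts)
        return allowed

def replay(log, limiter):
    """Per-prefix bytes received, and bytes sent with and without limiting."""
    stats = defaultdict(lambda: {"in": 0, "unlimited": 0, "limited": 0, "dropped": 0})
    for ts, src, _qtype, qlen, rlen in sorted(log, key=lambda r: r[0]):
        s = stats[prefix_of(src)]
        s["in"] += qlen
        s["unlimited"] += rlen
        if limiter.allow(ts, src):
            s["limited"] += rlen
        else:
            s["dropped"] += 1
    return dict(stats)

def amplification(s, key):
    """Bytes the server sends per byte it receives for this prefix."""
    return s[key] / s["in"]

if __name__ == "__main__":
    for prefix, s in replay(SAMPLE_LOG, ResponseRateLimiter()).items():
        print(prefix, s, amplification(s, "unlimited"), amplification(s, "limited"))
```

With limiting applied, the flooded prefix receives less traffic than was sent to the server on its behalf, while the two ordinary clients are untouched. On a real authoritative server this belongs in the name server's own response rate limiting (BIND's `rate-limit` option, for example) rather than in a script.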

Why are DNS Amplification / Reflection Attacks so much worse than other / previous / traditional (Distributed) Denial of Service (DDOS) attacks

  1. Other DDOS attacks require the attacker to have gained some control over the source of the bulk traffic.  This immediately limits the group of people who can launch such an attack.  DDOS by DNS Amplification doesn't require the launcher to have any control over the bulk traffic source.  Both the group of people who can launch it and the magnitude of the traffic flow are more significant.
  2. The use of reflected UDP obscures the original attacking IP - it is well hidden from the final target and even the intermediate hop will not know it - thus options to mitigate are reduced to null routing the target IP.

Originally from East London in South Africa. I recently moved to Dorking, Surrey, having previously lived in the London Borough of Sutton and Cape Town.