Dope Tech (#1):

DNS Amplification Attacks
Preliminary release
Randal Vaughn and Gadi Evron
March 17, 2006

Abstract

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets. Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks, which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks. The risks involved with the recursive name server feature, as well as those of packet spoofing, are well known, yet have been treated more as a theoretical issue. The attack under study was anticipated as early as 2002 (gnupg 2002). Earlier attacks using queries to non-authoritative servers were for a reflection attack using MX records (Mirkovic, Dietrich, Dittrich, and Reiher). To our knowledge, this is the first documentation of a new form of a recursive name server reflection attack designed to use the significantly larger data amplification available from the extended capabilities of extended DNS standards. In addition to this attack technique, recursion can be leveraged for other uses such as theft of DNS resources (CERT UNI-Stuttgart 2003).
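The abstract quoted above describes open recursive resolvers answering spoofed queries with responses large enough to fragment. The Python script below is an added example, not code from the paper or from the post, that looks at the same mechanism from the resolver operator's side: it scans a constructed query/response log for the indicators the abstract names (response-to-query byte ratio per client, the same high-yield question repeated, responses too large for a single IPv4 frame, and clients outside the networks the resolver is supposed to serve). The log format, the addresses, the 1472-byte fragmentation threshold and the alert thresholds are all assumptions made for the example.

```python
"""Flag DNS amplification indicators in a resolver's query/response log.

Added example, not from the quoted paper. The log format is constructed:
one line per packet with timestamp, direction ('Q' = query received,
'R' = response sent), client IP, qname, qtype and UDP payload size in bytes.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (addresses from documentation ranges).
# 203.0.113.5 is the spoofed "client" that keeps asking an ANY question
# and receiving multi-kilobyte answers; 198.51.100.7 is ordinary traffic.
SAMPLE_LOG = """\
2006-03-17T10:00:00 Q 203.0.113.5 isc.org ANY 64
2006-03-17T10:00:00 R 203.0.113.5 isc.org ANY 3700
2006-03-17T10:00:00 Q 203.0.113.5 isc.org ANY 64
2006-03-17T10:00:00 R 203.0.113.5 isc.org ANY 3700
2006-03-17T10:00:01 Q 203.0.113.5 isc.org ANY 64
2006-03-17T10:00:01 R 203.0.113.5 isc.org ANY 3700
2006-03-17T10:00:01 Q 198.51.100.7 example.com A 45
2006-03-17T10:00:01 R 198.51.100.7 example.com A 61
2006-03-17T10:00:02 Q 198.51.100.7 example.net MX 47
2006-03-17T10:00:02 R 198.51.100.7 example.net MX 120
"""

# Largest UDP payload that fits one 1500-byte Ethernet frame over IPv4
# without options (1500 - 20 IP - 8 UDP). Anything larger is fragmented.
FRAG_THRESHOLD = 1472


@dataclass
class Record:
    ts: str
    direction: str
    client: str
    qname: str
    qtype: str
    size: int


def parse_log(text):
    """Parse the constructed log format into Record objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, direction, client, qname, qtype, size = line.split()
        records.append(Record(ts, direction.upper(), client,
                              qname.lower(), qtype.upper(), int(size)))
    return records


@dataclass
class ClientStats:
    query_bytes: int = 0
    response_bytes: int = 0
    queries: int = 0
    fragmented_responses: int = 0
    # (qname, qtype) -> how often this exact question was asked
    question_counts: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def amplification(self):
        """Bytes sent to the client per byte received from it."""
        return self.response_bytes / self.query_bytes if self.query_bytes else 0.0


def summarize(records):
    """Aggregate per-client byte counts and repeated questions."""
    stats = defaultdict(ClientStats)
    for r in records:
        s = stats[r.client]
        if r.direction == "Q":
            s.queries += 1
            s.query_bytes += r.size
            s.question_counts[(r.qname, r.qtype)] += 1
        else:
            s.response_bytes += r.size
            if r.size > FRAG_THRESHOLD:
                s.fragmented_responses += 1
    return dict(stats)


def flag_amplification(stats, allowed_nets, ratio_threshold=10.0, min_queries=3):
    """Return one finding per client showing reflection/amplification signs.

    allowed_nets lists the prefixes this resolver is meant to recurse for;
    any other client indicates open recursion. Thresholds are illustrative.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for client, s in stats.items():
        reasons = []
        if s.queries >= min_queries and s.amplification >= ratio_threshold:
            reasons.append(f"amplification {s.amplification:.1f}x")
        if s.fragmented_responses:
            reasons.append(f"{s.fragmented_responses} responses over "
                           f"{FRAG_THRESHOLD} bytes (IP fragmentation)")
        repeated = max(s.question_counts.values(), default=0)
        if repeated >= min_queries:
            reasons.append(f"same question repeated {repeated} times")
        if s.queries and not any(ipaddress.ip_address(client) in n for n in nets):
            reasons.append("client outside served networks (open recursion)")
        if reasons:
            findings.append({"client": client, "reasons": reasons,
                             "amplification": round(s.amplification, 1)})
    return findings


if __name__ == "__main__":
    for f in flag_amplification(summarize(parse_log(SAMPLE_LOG)), ["198.51.100.0/24"]):
        print(f["client"], f["amplification"], "; ".join(f["reasons"]))
```

On the sample log the spoofed client is reported with roughly a 58x byte ratio, three fragment-sized responses, the same ANY question three times, and an address outside the served prefix; the ordinary client produces no finding. Restricting recursion to the served prefixes and rate-limiting responses per client address are the mitigations this kind of report points at.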