Cyberattacks September (I) 2011 - DNS Distributed Denial of Service Attacks
An increase in the volume of DNS Distributed Denial of Service attacks targeting DNS servers has been observed. The attack traffic is sent from source port 53 to destination port 53. The attack may consist of DNS zone transfer requests, DNS recursive queries or DNS cache poisoning attempts.
Analysis & Impacts:
DNS Zone Transfers: A zone transfer, also known as AXFR (Asynchronous Full Transfer Zone) or IXFR (Incremental Zone Transfer), is a mechanism used by administrators to replicate DNS databases across a set of DNS servers. A zone transfer request to a DNS server returns a complete list of hostnames and IP addresses in the domain. Ordinarily, zone transfers should only occur between the authoritative DNS servers for a domain. Attackers may query DNS servers to compile a list of possible hosts to attack. Zone transfers are usually carried out over TCP port 53, whereas normal DNS query operations use UDP port 53. In addition, a large number of such requests from multiple compromised hosts towards a single DNS server may overload the server.
DNS Recursive Queries: A recursive query is one where the DNS server fully answers the query (or returns an error). If a DNS server is configured to provide recursion, the performance of both the server and the network will be negatively affected when it processes spoofed DNS requests. The amplification effect in a recursive DNS attack is based on the fact that small queries can generate much larger UDP response packets, which can be used to cause a Denial of Service.
DNS Cache Poisoning: DNS cache poisoning allows an attacker to change a DNS entry so that it points to an IP address of the attacker’s choice. If the server accepts the fake record, the cache is poisoned and subsequent requests for that domain name are directed to the IP address controlled by the attacker.
In order to secure DNS servers from DDoS, the following measures can be adopted:
- Ensure that the DNS servers are clustered
- Ensure that the DNS server is placed behind a firewall
- It is advisable to use the firewall to perform the DNS queries; this reduces the organizational DNS risk
- Scan the DNS machine and make sure that no ports are listening apart from the typical DNS ports
- Remove all other services from the DNS servers
- Restrict recursion and disable the ability to send additional delegation information; this reduces the risk of DNS-based DoS and cache poisoning attacks
- Check with the ISP on possible ways to mitigate the downstream traffic at their end in case of a high volume of DNS traffic
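As an added detection example (not part of the original advisory), the following script turns the three attack patterns above into checks over constructed, simplified query-log lines: zone transfer requests from hosts that are not our secondaries, recursive queries from outside the range that should be allowed recursion, and bursts of queries arriving with source port 53. The log format, the secondary list and the allowed recursion range are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a simplified querylog-style format (assumption, not a
# real server's output): "<unix_ts> client <ip>#<port>: query: <name> <class> <type> <rd>"
# where <rd> is "+" if the recursion-desired flag is set and "-" otherwise.
SAMPLE_LOG = """\
1315900001 client 192.0.2.10#53: query: example.com IN AXFR -
1315900001 client 198.51.100.7#53: query: example.com IN AXFR -
1315900002 client 198.51.100.7#53: query: example.com IN ANY +
1315900002 client 198.51.100.7#53: query: example.com IN ANY +
1315900002 client 198.51.100.7#53: query: example.com IN ANY +
1315900003 client 203.0.113.5#40123: query: www.example.com IN A +
"""

AUTHORIZED_SECONDARIES = {"192.0.2.10"}                  # assumed secondary servers
ALLOWED_RECURSION = ipaddress.ip_network("203.0.113.0/24")  # assumed internal clients
RATE_THRESHOLD = 3  # queries per second from one source with source port 53

LINE_RE = re.compile(
    r"^(?P<ts>\d+) client (?P<ip>[\d.]+)#(?P<port>\d+): query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+) (?P<rd>[+-])$"
)

def parse(log):
    """Parse log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"], d["port"], d["rd"] = int(d["ts"]), int(d["port"]), d["rd"] == "+"
            events.append(d)
    return events

def analyze(log):
    """Return a list of alert tuples for the three patterns described in the advisory."""
    alerts, seen_recursive, per_src_sec = [], set(), Counter()
    for e in parse(log):
        if e["qtype"] in ("AXFR", "IXFR") and e["ip"] not in AUTHORIZED_SECONDARIES:
            alerts.append(("unauthorized_zone_transfer", e["ip"], e["qtype"]))
        if e["rd"] and ipaddress.ip_address(e["ip"]) not in ALLOWED_RECURSION:
            if e["ip"] not in seen_recursive:   # one alert per external source
                seen_recursive.add(e["ip"])
                alerts.append(("external_recursive_query", e["ip"]))
        if e["port"] == 53:                     # the 53 -> 53 pattern from the advisory
            per_src_sec[(e["ip"], e["ts"])] += 1
    for (ip, ts), n in per_src_sec.items():
        if n >= RATE_THRESHOLD:
            alerts.append(("port53_query_flood", ip, n))
    return alerts
```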