What is a DNS Amplification Attack?
This type of attack is often used by criminals to conduct Distributed Denial of Service (DDoS) attacks. In a DNS amplification attack the malicious actor sends a large number of DNS queries to open resolvers while spoofing the source IP address so that it appears to be the intended target's address.
Because the resolvers reply to the spoofed source address, their responses are directed at the target, flooding the victim with traffic it never requested. The attack relies on amplification: a query of a few dozen bytes (typically an ANY query with EDNS0 enabled so that a large UDP response is permitted) can return a response of several kilobytes, so the attacker's bandwidth is multiplied many times over, and the resolvers' addresses appear as the source rather than the attacker's.
The result of this flood of packets can be degraded service on the victim's internet connection (slower web traffic), websites becoming unavailable, or loss of other network resources or services. The operator of an open resolver is affected too: the server is doing the attacker's work with your bandwidth, and its address is what the victim sees in their logs.
Check if you’re vulnerable
The easiest way is to check whether the machine answers a recursive DNS query from an outside IP address. Do not test from the VPS itself, since you probably want your DNS server to accept queries from localhost; test from another machine on a different network.
For example, Google's public DNS servers (which are open resolvers by design) will return a large answer to the following (+edns=0 enables EDNS0 so a large UDP response is allowed; +ignore stops dig from retrying over TCP if the reply is truncated):
dig @8.8.8.8 +edns=0 +ignore com ANY
But the same query against our test server lg-uk1.bhost.net
dig @lg-uk1.bhost.net +edns=0 +ignore com ANY
will produce no response (dig reports a timeout). A server that answers with status REFUSED is also fine; the problem case is a server that returns the full answer to a stranger.
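The same check, scripted so it can be run against a list of your own servers from an outside host, is given below. This is an added example and not a tool from the original article or from bhost.net: it builds the same packet dig sends for `+edns=0 +ignore com ANY`, sends it over UDP, and reports whether the server answered recursively, refused, or stayed silent, together with the amplification factor (response bytes divided by query bytes). The `constructed_response()` helper fabricates a reply with a chosen number of records purely so the size arithmetic can be demonstrated offline; it is not a capture from any real resolver, and the 192.0.2.1 address in it is a documentation-range placeholder.

```python
"""Probe a DNS server the way `dig @server +edns=0 +ignore com ANY` does and
report whether it behaves as an open resolver. Added example, not code from
the original article. probe_resolver() sends a real UDP packet; run it from a
host outside the server's own network, as the article advises."""
import socket
import struct
from typing import Optional

QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus the root terminator."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_any_query(name: str, txn_id: int = 0x1234, udp_payload: int = 4096) -> bytes:
    """Build the packet dig sends: one ANY question with RD set, plus an EDNS0 OPT
    record advertising a 4096-byte UDP buffer. The big buffer is what lets a
    ~30-byte query pull a multi-kilobyte reply in a single UDP datagram."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 1)  # flags: RD only; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", QTYPE_ANY, QCLASS_IN)
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags (0), RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0)
    return header + question + opt


def parse_header(data: bytes) -> dict:
    """Decode the 12-byte header; enough to tell an open resolver from a refusal."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txn_id,
        "is_response": bool(flags & 0x8000),          # QR
        "recursion_available": bool(flags & 0x0080),  # RA
        "truncated": bool(flags & 0x0200),            # TC
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an, "authority": ns, "additional": ar,
        "size": len(data),
    }


def classify(query: bytes, response: Optional[bytes]) -> dict:
    """Summarise one probe: silence (firewalled or allow-query dropped it),
    REFUSED, or an answer together with its amplification factor."""
    if response is None:
        return {"verdict": "no response (filtered or allow-query denied)", "factor": 0.0}
    h = parse_header(response)
    factor = round(len(response) / len(query), 1)
    if h["rcode"] == "REFUSED":
        return {"verdict": "REFUSED (recursion/allow-query denied)", "factor": factor, **h}
    if h["is_response"] and h["recursion_available"] and h["answers"] > 0:
        return {"verdict": "OPEN RESOLVER: answered recursive ANY query", "factor": factor, **h}
    return {"verdict": "answered without recursion (authoritative-only?)", "factor": factor, **h}


def probe_resolver(server: str, name: str = "com", timeout: float = 3.0) -> dict:
    """Send the query over UDP to port 53 and classify what comes back."""
    query = build_any_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            response, _ = s.recvfrom(65535)
        except socket.timeout:
            response = None
    return classify(query, response)


def constructed_response(query: bytes, n_records: int) -> bytes:
    """Constructed sample reply (not a real capture): echoes the question and adds
    n_records A records, each naming the question via a compression pointer,
    to show how a 32-byte query turns into a kilobyte-scale response."""
    txn_id = struct.unpack(">H", query[:2])[0]
    qlen = len(query) - 12 - 11            # strip the header and the 11-byte OPT RR
    question = query[12:12 + qlen]
    header = struct.pack(">HHHHHH", txn_id, 0x8180, 1, n_records, 0, 0)  # QR|RD|RA, NOERROR
    rr = struct.pack(">HHHIH", 0xC00C, 1, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])  # placeholder A record
    return header + question + rr * n_records


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: probe.py <resolver-ip>   (run from outside the resolver's network)")
    print(probe_resolver(sys.argv[1]))
```

Run it as `python3 probe.py <address>` from a host on another network. A verdict beginning "OPEN RESOLVER" with a factor in the tens means the server can be used against a third party; "no response" or "REFUSED" is what you want to see from a server that only serves its own customers.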
Take Action to Mitigate
Please consider reconfiguring your resolver in one or more of these ways:
– To only serve your own customers and not respond to outside IP addresses (in BIND, define a limited set of hosts in “allow-query” and “allow-recursion”; with a Windows DNS server, use firewall rules to block external access to UDP and TCP port 53, or untick “Enable recursion” in the server's advanced properties if it is only meant to be authoritative)
– To only serve domains that it is authoritative for (in BIND, either set “recursion no;” globally, or restrict the global “allow-query” to a limited set of hosts and set “allow-query { any; };” inside each zone statement, since the zone-level setting overrides the global one)
– To rate-limit responses to individual source IP addresses (for example with BIND's Response Rate Limiting, the “rate-limit” block available in BIND 9.9.4 and later, or with iptables hashlimit rules on UDP port 53; rate limiting reduces the damage but does not replace access control)
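The three options above, applied together in a BIND 9 named.conf, look like the following. This is an added example and not configuration from the original article or from bhost.net; the "customers" prefixes are documentation ranges (RFC 5737 and RFC 3849) standing in for your real ones, "example.com" stands in for a zone you actually host, and the rate-limit numbers are a conservative starting point, not a recommendation for any particular server.

```conf
// --- Weak: the BIND 9 defaults make a server with recursion enabled
// --- an open resolver for the whole internet.
options {
    recursion yes;           // default
    allow-query { any; };    // default
};

// --- Hardened: recursion only for your own networks, authoritative
// --- zones still answered for anyone, responses rate-limited.
acl "customers" {
    192.0.2.0/24;            // assumed example prefixes; replace with yours
    203.0.113.0/24;
    2001:db8::/32;
};

options {
    recursion yes;           // use "recursion no;" on an authoritative-only server
    allow-recursion   { localhost; localnets; customers; };
    allow-query       { localhost; localnets; customers; };
    allow-query-cache { localhost; localnets; customers; };

    rate-limit {             // Response Rate Limiting, BIND 9.9.4 and later
        responses-per-second 5;
        window 5;
        log-only no;         // set to "yes" first to see what would be dropped
    };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };    // zone-level setting overrides the global one
};
```

After reloading, repeat the dig check from an outside host: a query for a name you are not authoritative for should now come back REFUSED (or time out if you also firewall port 53), while a query for example.com is still answered for everyone.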
More information on this type of attack and what you can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A