Preventing DNS Amplification Attacks

Posted by / Feb 24, 2016 / Categories: DNS

What is a DNS Amplification Attack?

This type of attack is often utilised by criminals as a method of conducting Distributed Denial of Service (DDoS) attacks. In a DNS amplification attack the malicious actor executes a large number of DNS queries while spoofing the IP address of the intended target.

Open DNS resolvers answer these queries, and because the source address was spoofed, the responses are sent to the target, flooding the victim with unwanted data traffic. A degree of amplification is involved: a small request can result in a much larger response.

The result of this flood of data packets can be a reduction in the quality of service of the internet (slower web traffic), loss of availability of websites, or loss of network resources or services.

Check if you’re vulnerable

The easiest way is to see if the machine accepts a DNS query from an outside IP address. Do not test from the VPS itself, as it’s likely you want your DNS server to accept queries from localhost. Test from another machine.

For example, you’ll see that Google’s public DNS servers (unsurprisingly) return an answer to the following query:

dig @8.8.8.8 +edns=0 +ignore com ANY

But the same query against our test server lg-uk1.bhost.net:

dig @lg-uk1.bhost.net +edns=0 +ignore com ANY

will produce no response.
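As an added example (not part of the original post), the same check can be scripted without dig. The script below sends a plain A query for example.com (an assumed probe name; the post uses "com ANY" with EDNS) and reads the response header: a reply with the RA (Recursion Available) flag and an answer means the server recursed for an arbitrary client. As the post advises, run it from a machine outside the resolver's network, not from the VPS itself.

```python
import socket
import struct

# Assumed probe name: a domain the resolver is NOT authoritative for, so that a
# full answer shows it recurses on behalf of arbitrary outside clients.
PROBE_NAME = "example.com"
TXID = 0x1234  # fixed transaction ID, fine for a one-off manual check


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a minimal DNS query: A record, IN class, RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags=RD, QDCOUNT=1
    qname = b"".join(struct.pack("!B", len(label)) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp: bytes, txid: int = TXID) -> str:
    """Return 'open', 'refused', 'closed' or 'invalid' based on the response header."""
    if len(resp) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR=0 (not a response)
        return "invalid"
    rcode = flags & 0x000F
    ra = bool(flags & 0x0080)
    if rcode == 5:  # REFUSED: the resolver declined to serve this client
        return "refused"
    if ra and rcode in (0, 3):  # NOERROR/NXDOMAIN with RA: it recursed for us
        return "open"
    return "closed"


def probe(server: str, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 and classify the reply ('no-response' on timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(PROBE_NAME), (server, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"  # filtered/dropped, as the post shows for lg-uk1.bhost.net
    return classify_response(resp)


# Constructed sample response headers (QR=1, RD=1) used to exercise the classifier offline.
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # RA=1, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # RCODE=5 REFUSED
SAMPLE_CLOSED = struct.pack("!HHHHHH", TXID, 0x8100, 1, 0, 0, 0)   # RA=0, no answer

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else classify_response(SAMPLE_OPEN))
```

A result of "open" against your own resolver from an outside host means it needs the reconfiguration described in the next section.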

Take Action to Mitigate

Please consider reconfiguring your resolver in one or more of these ways:

– To only serve your customers and not respond to outside IP addresses (in BIND, this is done by defining a limited set of hosts in “allow-query”; with a Windows DNS server, you would need to use firewall rules to block external access to UDP port 53)

– To only serve domains that it is authoritative for (in BIND, this is done by defining a limited set of hosts in “allow-query” for the server overall but setting “allow-query” to “any” for each zone)

– To rate-limit responses to individual source IP addresses (such as by using DNS Response Rate Limiting or iptables rules)

More information on this type of attack and what you can do to mitigate it can be found here: http://www.us-cert.gov/ncas/alerts/TA13-088A

Further reading:
http://www.team-cymru.org/Open-Resolver-Challenge.html
https://www.us-cert.gov/ncas/alerts/TA13-088A
http://www.bcp38.info/index.php/Main_Page
https://community.infoblox.com/t5/IPv6-Center-of-Excellence/Finding-and-Fixing-Open-DNS-Resolvers/ba-p/3405
https://community.jisc.ac.uk/library/janet-services-documentation/dns-resolver-configuration

About the author
I'm George and I work in the BHost support team. I'm responsible for replying to customer support requests, as well as writing articles for our help center. If there's anything you'd like us to blog about, let us know by emailing support@BHost.net