Most Internet-based tasks are dependent on DNS: web browsing, email, file transfers, social media posts, instant messaging, and a variety of communications and data exchange processes. It follows then, if you take down a DNS service, other networking services may also be rendered unusable.
Because these services are vital to modern-day business operations, any threat that may cause an extended disruption to them must be considered critical. The biggest threats to the availability of DNS (and in turn, of network services) are denial-of-service attacks. In this post, we talk about the different types of DNS DoS attacks and discuss the mechanisms behind each type of attack.
Fundamentals of a DNS DoS attack
The concept of a DNS Denial of Service (DoS) attack is pretty simple. A concentrated attack from tens, hundreds, thousands, or even millions of machines is directed to a DNS server (or group of servers) with the intention of preventing it from providing DNS services to clients or resolvers. It’s like getting blocked from your phone’s contact list. If you can’t access your address book, you likely won’t be able to call your friends, relatives, etc.
When clients and resolvers are denied access to DNS, users and machines (in the case of B2B transactions) will be unable to carry out tasks that are dependent on DNS. There are different ways of taking down or disrupting a DNS service; here are some of the most common.
1. DNS Flood
One of the most common types of DNS DoS attacks is the DNS Flood. This attack is carried out over UDP (User Datagram Protocol), the primary transport (the other being TCP) over which DNS messages are transmitted.
A DNS flood attack is performed by sending out a large number of DNS requests to UDP port 53. The goal of the attack is to overwhelm the target DNS server with requests (mostly consisting of malformed or bogus packet information) and prevent legitimate requests from coming through.
2. TCP SYN Flood
Although most DNS messages are transmitted over UDP, a substantial volume is also transmitted over TCP (Transmission Control Protocol): DNS responses that exceed 512 bytes in size and transmissions involved in zone transfers both use TCP. For this reason, DNS servers can be vulnerable to TCP SYN Flood attacks, a type of DoS attack that exploits the TCP three-way handshake.
In a nutshell, the TCP three-way handshake works like this:
- Client requests a connection to a server by sending a SYN message to the latter
- Server responds with a SYN-ACK message as acknowledgement
- Client responds with an ACK message as its own acknowledgement, and a connection is established
An attacker who exploits this handshake typically sends a SYN request to the victim, which in our case would be a DNS server, but the victim doesn’t receive any ACK after it responds with a SYN-ACK.
The attacker does this either by not sending back the expected ACK or by using a spoofed source IP address. When a spoofed IP address is used, the DNS server ends up sending its SYN-ACK to the host that owns the spoofed address, which won’t respond because it never sent a SYN request in the first place.
The victim then waits for the response in case the ACK was simply delayed due to poor network conditions. In the meantime, it’s forced to allocate resources for the half-open connection.
In a DNS TCP SYN Flood DoS attack, an attacker directs a large number of these bogus SYN requests to a DNS server. While the victim waits for ACK responses which will never arrive, it continues to allocate resources for the partial connections. Eventually, the server runs out of resources to allocate and additional SYN requests, including those from legitimate clients, are denied.
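The standard defence against the half-open connection problem described above is the SYN cookie: the server encodes the connection 4-tuple and a time counter into the SYN-ACK sequence number instead of allocating state, and only allocates a connection once a valid ACK comes back. The block below is an added illustration in Python and is not code from the original post; the addresses, the secret key and the 64-second window are constructed for the example.

```python
import hashlib
import hmac
import time

# Key for the cookie MAC; constructed for this example (rotate it in practice).
SECRET = b"example-secret-rotate-me"
COOKIE_WINDOW = 64  # seconds during which one time-counter value stays valid

def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit MAC over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, now=None):
    """Initial sequence number to place in the SYN-ACK.

    No half-open state is kept: the 32-bit value carries an 8-bit time counter
    in the top byte and the 24-bit MAC in the low bytes.
    """
    now = int(time.time() if now is None else now)
    counter = (now // COOKIE_WINDOW) & 0xFF
    return (counter << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, counter)

def check_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """Validate the handshake's final ACK without any stored state.

    The client acknowledges ISN + 1, so ack_num - 1 must be a cookie minted in
    the current or previous window for this exact 4-tuple. Spoofed SYNs never
    yield a valid ACK, so holding them costs the server nothing.
    """
    now = int(time.time() if now is None else now)
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    current = (now // COOKIE_WINDOW) & 0xFF
    if counter not in (current, (current - 1) & 0xFF):
        return False  # stale cookie, or one forged with a bad counter
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))

if __name__ == "__main__":
    # Constructed addresses: a legitimate client finishing the handshake with a DNS server.
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.53", 53)
    print("legit ACK accepted:", check_ack("203.0.113.5", 40000, "198.51.100.53", 53, isn + 1))
    # A forged ACK from a different source address carrying the same cookie is rejected.
    print("forged ACK accepted:", check_ack("203.0.113.9", 40000, "198.51.100.53", 53, isn + 1))
```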
3. NXDOMAIN Flood
When a client or DNS resolver sends out a domain resolution request to a DNS server and the server is unable to resolve that domain into an IP address, the server responds with what is known as an NXDOMAIN response message. This response is sent when the server believes the domain doesn’t exist.
In an NXDOMAIN Flood, an attacker floods a DNS server with queries for non-existent domain names. As a result, the server wastes computing resources trying to resolve domains that don’t exist. At the same time, the server’s cache accumulates NXDOMAIN results, pushing out valid cache entries in the process. When this happens, the server’s processes slow to a crawl and/or it becomes unable to accept additional requests, legitimate or not.
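One way to spot an NXDOMAIN flood in a resolver's logs is to watch, per client, the share of answers that came back NXDOMAIN and how many distinct failing names that client asked for: a typo produces one failure, a flood produces a stream of them for names nobody has ever queried. The block below is an added example in Python, not code from the original post; the log format and the sample lines are constructed for the illustration, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed resolver log (not from any real server), one query per line:
# "<epoch-seconds> <client-ip> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 198.51.100.10 www.example.com NOERROR
1700000000 203.0.113.7 a8f3k2.example.com NXDOMAIN
1700000001 203.0.113.7 zq91xx.example.com NXDOMAIN
1700000001 198.51.100.10 mail.example.com NOERROR
1700000002 203.0.113.7 p0o9i8.example.com NXDOMAIN
1700000002 203.0.113.7 lkj123.example.com NXDOMAIN
1700000003 203.0.113.7 mnb456.example.com NXDOMAIN
1700000003 198.51.100.10 typo.exmaple.com NXDOMAIN
1700000004 203.0.113.7 vfr789.example.com NXDOMAIN
"""

def parse_log(text):
    """Parse the constructed format into (ts, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((int(ts), client, qname.lower().rstrip("."), rcode.upper()))
    return records

def nxdomain_offenders(records, window=10, min_queries=5, max_ratio=0.8):
    """Flag clients whose NXDOMAIN share in the last `window` seconds exceeds max_ratio.

    One typo gives one NXDOMAIN; a flood gives a stream of them, each for a
    different never-seen name, so the count of distinct failing names is
    reported too. Returns {client: (nxdomain, total, distinct_names)}.
    """
    if not records:
        return {}
    cutoff = max(ts for ts, *_ in records) - window
    total, nx, names = defaultdict(int), defaultdict(int), defaultdict(set)
    for ts, client, qname, rcode in records:
        if ts < cutoff:
            continue  # outside the detection window
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
            names[client].add(qname)
    return {c: (nx[c], total[c], len(names[c])) for c in total
            if total[c] >= min_queries and nx[c] / total[c] > max_ratio}

if __name__ == "__main__":
    for client, (n, t, d) in nxdomain_offenders(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {n}/{t} NXDOMAIN answers across {d} distinct names")
```

The `min_queries` floor keeps a single mistyped hostname from being flagged; a real deployment would key on the client netblock as well, since flood sources are often many.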
4. DNS Reflection
In a DNS reflection attack, the attacker sends out DNS requests to one or more DNS servers. These DNS servers aren’t the main targets of the attack, but are used as conduits for conducting the attack.
The underlying trick in this attack lies in the attacker’s DNS requests, which are actually spoofed requests. More specifically, the “from” or return IP address in the requests is spoofed. When the DNS servers receive the requests, they send their responses to the spoofed IP address.
Because the spoofed recipient was not expecting those DNS responses, as it never sent the requests in the first place, it uses resources trying to make sense of them. A few of these responses will not affect the target DNS server. However, once those responses number in the thousands, they can eventually overwhelm the target DNS server.
There is also a variation of this attack that makes it easier for attackers to overwhelm the target DNS server. It’s known as the DNS Reflection Amplification DoS Attack.
5. DNS Reflection Amplification DoS
In the DNS Reflection Amplification DoS attack, attackers exploit a DNS characteristic wherein the response is usually larger than the request or query. In fact, there are some DNS responses (like those using ANY or DNSSEC record types) that are many times larger than the original request.
The ANY request, for instance, requests ALL information pertinent to a domain. This may include MX records, A records, and several others – practically all cached records. So, the response can be much larger or “amplified”.
In addition to using queries that result in large responses, attackers can also exploit open resolvers in order to amplify the attack even further. Basically, the attackers send the requests via open resolvers, which in turn store the spoofed return addresses in their respective caches.
Once the spoofed return addresses are already cached in a large number of open resolvers, those cache-poisoned resolvers can then be used to launch a massive DDoS attack against the target DNS server.
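The usual mitigation on an authoritative server for the amplified reflection described above is Response Rate Limiting: identical answers heading towards one client netblock are capped, and a fraction of the excess is answered with a small truncated reply instead of the large one, so a genuine client whose address was spoofed can still retry over TCP (which cannot be completed from a spoofed address) while the reflector gains nothing. The block below is an added example in Python and is not code from the original post; the rate, slip ratio, prefix length and the burst of addresses are constructed assumptions.

```python
import ipaddress
from collections import Counter

class ResponseRateLimiter:
    """RRL-style limiter, the usual authoritative-server defence against reflection.

    Identical responses (same qname and rcode) towards one client netblock are
    capped at `per_second`. Excess is dropped, except that every `slip`-th one
    is answered with a small truncated reply (TC=1) so a genuine client behind
    a spoofed address can still retry over TCP, which needs a real handshake.
    """

    def __init__(self, per_second=5, slip=2, prefix_len=24):
        self.per_second = per_second
        self.slip = slip
        self.prefix_len = prefix_len
        self.buckets = {}        # key -> (tokens, last_seen)
        self.excess = Counter()  # key -> over-limit responses seen

    def _key(self, client_ip, qname, rcode):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (str(net), qname.lower(), rcode)

    def decide(self, now, client_ip, qname, rcode):
        """Return 'send', 'slip' or 'drop' for one candidate response."""
        key = self._key(client_ip, qname, rcode)
        tokens, last = self.buckets.get(key, (self.per_second, now))
        tokens = min(self.per_second, tokens + (now - last) * self.per_second)
        if tokens >= 1:
            self.buckets[key] = (tokens - 1, now)
            return "send"
        self.buckets[key] = (tokens, now)
        self.excess[key] += 1
        return "slip" if self.excess[key] % self.slip == 0 else "drop"

def simulate(limiter, events):
    """Feed (now, client_ip, qname, rcode) events; return a Counter of decisions."""
    return Counter(limiter.decide(*ev) for ev in events)

if __name__ == "__main__":
    # Constructed burst: 12 reflected answers within one second, all addressed to a
    # spoofed victim in 203.0.113.0/24, then one query from an unrelated client.
    burst = [(0.0, "203.0.113.25", "example.com", "NOERROR") for _ in range(12)]
    burst.append((0.0, "198.51.100.4", "example.com", "NOERROR"))
    print(simulate(ResponseRateLimiter(per_second=5, slip=2), burst))
```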
6. Botnet DDoS
Today’s attacks on DNS systems have gotten more disruptive. What used to be simple DoS (denial-of-service) attacks have now evolved into much larger DDoS (Distributed Denial-of-Service) attacks. These attacks are typically launched from botnets (networks of compromised computers that receive commands from attackers).
Instead of a single machine (or a handful of machines) sending out malicious/bogus packets to a DNS system, a DDoS attack may now involve thousands of machines.
Cyber criminals have also devised methods to ensnare IoT (Internet of Things) devices and build massive botnets out of them. Due to the considerably large number of insecure IoT devices already in use, DDoS botnets can potentially consist of hundreds of thousands or even millions of compromised devices.
As a consequence, DDoS attacks are now much more disruptive than ever before. The IoT botnet DDoS attack on DNS provider Dyn last year, which had an estimated throughput of 1.2 Tbps and was said to be twice the size of the previous largest DDoS attack on record, managed to block users from practically the entire US East Coast and many parts of Europe.
Unless IoT manufacturers start taking security seriously and address the vulnerabilities that plague IoT devices, the threat of massive DDoS attacks on DNS systems will remain.
The availability of your business is now closely tied to the availability of your network, which is in turn highly dependent on the availability of DNS services. In order to prevent major disruptions to your business due to DNS denial-of-service attacks, your DNS must be an integral part of your defence strategy.