[ISN] DNS amplification attacks explained

From: InfoSec News (alerts@private)
Date: Wed Aug 09 2006 - 07:25:49 PDT


http://www.theinquirer.net/default.aspx?article=33504

By Charlie Demerjian 
Las Vegas
06 August 2006

YOU MAY HAVE heard about a class of attacks called DNS amplification 
attacks recently, they are a real nasty and subtle class of DDOS attack. 
Like ping flooding and smurfing they depend on sending large amounts of 
data across a pipe and drowning out any legit data.

You may notice he amplification part in the name, and that is the key 
here. What it does is turn a few bytes of data into a stream many times as 
large. In the case of the one discussed at Defcon, it took a 20 byte 
packet and turned it into 8.5K, with this ratio, you can take a cable 
modem and turn it into gigs a second of traffic. Toss a botnet into this, 
and you can crush the life out of any target you want.

The mechanism it works on is pretty simple. There is a DNS query of a type 
called 'any', and in the real world, it is pretty useless. If you send 
that query to an authoritative DNS server, it will return anything it has, 
which is everything. If you send it to a non-authoritative source, it 
simply returns what it has, usually little or nothing.

One other thing to note is that DNS as was originally specified has a 512 
byte maximum message size. This was later extended so that if you needed 
more, it could do that. If your server didn't like the extended size, it 
would stop using UDP and set up a TCP connection, hugely expensive in 
computational terms, to send the data.

What the amp attacks do is hack an authoritative server and put in a large 
text field on a record, not large in the MS Word sense, but a few K of 
text. One person in the audience said he scans DNS servers, and on one he 
found large chunks of the book of revelations in a record. This probably 
is not RFC compliant, but the text with the four horsemen used as a DDOS 
is more than mildly ironic.

The next stage is a little more complex, you take a list of open DNS 
servers and query them for the record you hacked. They dutifully go out 
and look it up, download a few K of text, answer the query, and cache the 
answer. It isn't hard to find a few thousand of these, so you effectively 
have a botnet.

>From that point, you take a real botnet, or at least a few machines,
and spoof a few packets. Those spoofs are a simple DNS query for the 
record that you cached earlier, and the spoofed return address is the 
victim. Repeat on a massive scale, and the victim is flooded with huge DNS 
traffic.

With the overhead of TCP sucking up CPU time, and an amplification factor 
of tens to hundreds, you can take a few meg of traffic and turn it into 
gigs. The victim is flooded into the ground, and there is squat all they 
can do other than sit it out and wait. DNS amplification attacks are quite 
effective and fairly easy to pull off, just what we all need for a safe 
and happy internet. ยต



_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 07:46:21 PDT