New style of DNS amplification can yield powerful DDoS attacks
DNS amplification was first widely publicized about three years ago when computer security experts Gadi Evron and Randal Vaughn published a research paper that examined a scenario in which criminals abuse recursive DNS name servers by using spoofed user datagram protocol (UDP) packets.
Since then, DNS amplification has been used in DDoS extortion attempts against pornography and gambling websites, Don Jackson, director of threat intelligence at network security provider SecureWorks, told SCMagazineUS.com on Tuesday.
The technique soon will be used against more mainstream commercial sites thanks to a new variant in which criminals do not have to rely on recursive queries, Jackson said.
“This new tactic uses a very short query, asking simply the name servers for the ‘.' domain [a single dot],” he wrote Monday in an analysis of DNS amplification. “This domain is the root server domain, so the answer is large [or long]. A list of all the root domain name servers is sent back in response."
“We are 100 percent certain that this tactic will be used in the next major DDoS attack,” Jackson said.
DDoS attacks traditionally work when attackers leverage compromised host computers -- namely, botnets -- to send an extreme amount of traffic to their targets.
But if criminals lack access to a large botnet or face a significant target, they turn to DNS amplification, Jackson said. This technique allows attackers to send a little bit of data to a name server, which, in turn, sends a lot of data to the attacker's target.
David Ulevitch, founder and CTO of OpenDNS, a DNS resolution service, said few ISPs have fixed their servers since DNS amplification first appeared on the scene, and it is unlikely they are aware of this new variant.
“The bad guys have figured out the population of people they can use as unwitting accomplices is much larger than they previously thought because all DNS servers could potentially be [used to attack] a victim,” Ulevitch told SCMagazineUS.com on Wednesday.
By spoofing the source and inserting the IP address of the target, an attacker is able to direct the amplified traffic to an intended target -- the "long" responses will be sent there, Jackson said.
“With or without recursion, the significance of this [new DNS amplification variation] is that even if your name server is configured using the best practices up until [now], it was still vulnerable to this technique,” he said.
Jackson, in his analysis of this new technique, offers solutions for DNS server operators to limit or block the threat.