Quick And Dirty Introduction to: DDOS Using DNS Amplification By: Allen Baranov, CISSP


Posted on 29-May-2015


DESCRIPTION

A "quick and dirty" explanation of how DNS Amplification attacks are done and why Information Security professionals should know about them.

TRANSCRIPT

Page 1: QD Explanation of DNS Amplification

Quick And Dirty Introduction to: DDOS Using DNS Amplification

By: Allen Baranov, CISSP


Page 3

Quick and Dirty Introductions are something that I created at my last employer to describe in simple language a pretty complex Information Security concept. - AB

Page 4

... The originals are naturally the intellectual property of the company, but now that I am doing them in my free time, these are released under Creative Commons.

Page 5

Quick definitions:

DDOS – Distributed Denial of Service

You offer a service and someone maliciously overuses it, making it impossible for genuine users to access it. The attacker uses different routes to be more effective, and there may be several attackers.

Page 6

Quick definitions:

DNS – Domain Name Service

The distributed service that the Internet uses to convert human-friendly names to computer-friendly IP addresses, so you don't have to remember that www.google.com.au may be accessed at 74.125.237.152.

Page 7

Critical Understanding: How DNS Actually Works.

DNS is distributed. When you look up www.example.com.au, your PC first asks "who knows about .au?", then "who knows about .com.au?", then "who knows about example.com.au?", then "who knows about www.example.com.au?"

Page 8

Critical Understanding: How DNS Actually Works.

DNS is distributed. I need "www.example.com.au".

I know who knows ".au"

I know who knows ".com.au"

I know who knows "example.com.au"

I know who knows "www.example.com.au"

www.example.com.au is 1.2.3.4

Page 9

Critical Understanding: How DNS Actually Works.

To speed things up, a DNS entry can be cached, so if someone asks for the same site the whole process does not have to be repeated.

Also, to make the networking easier, you can use an "agent" server (a recursive resolver) to do all of this for you, so you only ever query one server.

Page 10

Critical Understanding: How DNS Actually Works.

The important bit:

DNS is asynchronous (it normally runs over connectionless UDP). Although an exchange usually consists of a request and an answer, no time is spent setting up a session; a handshake would slow down the Internet too much.

DNS servers don't know for sure who performed the query.

Page 11

Critical Understanding: The Planning

Attacker sets up a long DNS entry – the longer, the better.

He uses a compromised DNS Server to do this.

DNS can be used for storing text records (TXT), and this is one popular method for creating huge DNS entries.

(Diagram: Compromised DNS Server holding a Huge DNS Entry)

Page 12

Critical Understanding: The Planning

Attacker finds a number of DNS Servers that are badly configured. They will answer recursive DNS queries from anyone ("open resolvers").

It is fairly simple to find these servers on the Internet.

The more the attacker can find and use, the better for the attack.

(Diagram: Compromised DNS Server with Huge DNS Entry; Recursive DNS Servers)

Page 13

Critical Understanding: The Attack

Attacker queries the recursive DNS servers asking for the large DNS entry.

But he doesn't use his own IP address as the source. He uses the target's IP address.

To be more effective he can enlist the help of several (willing or unwilling) accomplices.

To be effective the attacker needs to send multiple small requests.

Page 14

(Diagram: Compromised DNS Server with Huge DNS Entry; Recursive DNS Servers)

STEP 1: Attacker sends multiple small DNS queries to recursive DNS Servers.

Page 15

(Diagram: Compromised DNS Server; Recursive DNS Servers)

STEP 2: The recursive DNS Servers send small queries to the compromised DNS Server. The Huge DNS entry is returned.

Page 16

(Diagram: Recursive DNS Servers)

STEP 3: The recursive DNS Servers send the large DNS entry to the target System each time the attacker sends a request.

Page 17

(Diagram: Recursive DNS Servers)

STEP 3b: More attackers (distributed) means more traffic.
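How steps 3 and 3b look from the target's side, as an added example that is not part of the original slides: the target never sent any queries, so what its network sees is a stream of large UDP/53 responses arriving from many distinct resolvers with no matching outbound queries. The flow records below are constructed for illustration (the kind of unidirectional summaries a NetFlow/IPFIX collector exports); the thresholds `min_senders` and `min_bytes` are assumptions to be tuned per network.

```python
"""Spotting a DNS reflection flood from the victim's side (added example).

Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
A DNS reply is a flow with source port 53. It is "unsolicited" when the
receiving host never sent a query (dst port 53) to that resolver.
"""
from collections import defaultdict

# Constructed sample data, not captured traffic.
FLOWS = [
    # Legitimate: 192.0.2.10 asks its own resolver and gets a small reply.
    ("192.0.2.10", 51000, "192.0.2.53", 53, 45),
    ("192.0.2.53", 53, "192.0.2.10", 51000, 120),
    # Reflected: five resolvers answer queries that 192.0.2.77 never sent.
    ("198.51.100.1", 53, "192.0.2.77", 33000, 3000),
    ("198.51.100.2", 53, "192.0.2.77", 33000, 3000),
    ("203.0.113.9", 53, "192.0.2.77", 33000, 3000),
    ("203.0.113.10", 53, "192.0.2.77", 33000, 3000),
    ("203.0.113.11", 53, "192.0.2.77", 33000, 3000),
    # 192.0.2.77 also does one genuine lookup; that reply must not count.
    ("192.0.2.77", 40000, "192.0.2.53", 53, 45),
    ("192.0.2.53", 53, "192.0.2.77", 40000, 130),
]


def outbound_queries(flows):
    """(client, resolver) pairs for which the client sent a UDP/53 query."""
    return {(src, dst) for src, _sport, dst, dport, _ in flows if dport == 53}


def unsolicited_dns_responses(flows):
    """Per destination host: total bytes and distinct senders of DNS replies
    (source port 53) that no query from that host explains."""
    asked = outbound_queries(flows)
    stats = defaultdict(lambda: {"bytes": 0, "senders": set()})
    for src, sport, dst, _dport, nbytes in flows:
        if sport == 53 and (dst, src) not in asked:
            stats[dst]["bytes"] += nbytes
            stats[dst]["senders"].add(src)
    return stats


def find_reflection_victims(flows, min_senders=3, min_bytes=5000):
    """Hosts receiving unsolicited DNS replies from at least min_senders
    distinct resolvers, totalling at least min_bytes. Thresholds are assumed."""
    victims = []
    for dst, s in sorted(unsolicited_dns_responses(flows).items()):
        if len(s["senders"]) >= min_senders and s["bytes"] >= min_bytes:
            victims.append({"target": dst,
                            "resolvers": len(s["senders"]),
                            "bytes": s["bytes"]})
    return victims


if __name__ == "__main__":
    for v in find_reflection_victims(FLOWS):
        print(f"{v['target']}: {v['bytes']} bytes of unsolicited DNS replies "
              f"from {v['resolvers']} resolvers")
```

A stateful firewall applies the same "was there a matching query?" test implicitly and drops the unsolicited replies, but the upstream link is still saturated; the flood has to be stopped nearer the reflectors (response rate limiting on resolvers, closing open recursion) or at the spoofing source (ingress filtering per BCP 38).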

Page 18

Critical Understanding: Why?

For each small DNS request that the attacker performs, a huge response is sent to the target network.

This ends up being a very effective way to block up a network with very little impact on the attacker's own network.

The DNS servers are actually working quite normally. They are receiving requests and sending responses. They don't know that they are sending them to the wrong system.
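The "small request, huge response" asymmetry of this slide, and the "badly configured server answers anyone" point of Page 12, shown on the wire. This is an added example and not code from the original slides: it builds a standard TXT query for a made-up name with the Python standard library, then parses two constructed responses, one from an open resolver that hands back a large TXT record, and one from a properly restricted resolver that refuses recursion for outsiders. Nothing is sent on the network; all packets are built inline, and the name `big.example.com` and the 8 x 255-byte record are constructed values.

```python
"""DNS wire format: why one 33-byte query can pull a 2 KB answer (added example)."""
import struct

QR, RA = 0x8000, 0x0080          # header flag bits: response, recursion available
RCODE_REFUSED = 5
QTYPE_TXT, QCLASS_IN = 16, 1


def encode_name(name):
    """'big.example.com' -> b'\\x03big\\x07example\\x03com\\x00' (label-length prefixed)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(name, qtype=QTYPE_TXT, txn_id=0x1234):
    """Ordinary recursion-desired query (flags 0x0100): one question, nothing else."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def build_txt_response(query, txt_chunks):
    """Constructed reply from an open resolver: flags QR|RD|RA (0x8180), the
    question echoed back, and one TXT RR whose RDATA is <len><chunk> strings.
    Real answers this size rely on EDNS0 buffers larger than the classic 512 bytes."""
    question = query[12:]
    rdata = b"".join(bytes([len(c)]) + c for c in txt_chunks)
    # 0xC00C = compression pointer to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    return header + question + rr


def build_refused_response(query):
    """Constructed reply from a correctly restricted resolver: REFUSED, RA clear, no answer."""
    header = query[:2] + struct.pack(">HHHHH", 0x8100 | RCODE_REFUSED, 1, 0, 0, 0)
    return header + query[12:]


def parse_header(pkt):
    txn_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", pkt[:12])
    return {"id": txn_id, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def is_open_resolver(response):
    """A server that answered a recursive query for a zone it does not own:
    RA set, NOERROR, at least one answer record."""
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == 0 and h["ancount"] > 0


def amplification_factor(query, response):
    """Bytes the target receives per byte the attacker had to send."""
    return len(response) / len(query)


# Constructed scenario: 8 TXT strings of 255 'A's (255 is the per-string maximum).
QUERY = build_query("big.example.com")
BIG_TXT = build_txt_response(QUERY, [b"A" * 255] * 8)
REFUSED = build_refused_response(QUERY)

if __name__ == "__main__":
    print(f"query: {len(QUERY)} bytes")
    print(f"open resolver reply: {len(BIG_TXT)} bytes, "
          f"x{amplification_factor(QUERY, BIG_TXT):.1f}, open={is_open_resolver(BIG_TXT)}")
    print(f"restricted resolver reply: {len(REFUSED)} bytes, "
          f"x{amplification_factor(QUERY, REFUSED):.1f}, open={is_open_resolver(REFUSED)}")
```

The restricted resolver's REFUSED reply is exactly the size of the query, so it offers no amplification at all; the same resolver answering a stranger's recursive query yields a reply roughly 63 times larger than the request here. This is why an operator's own check of a resolver from an outside address (does it set RA and return answers for zones it does not host?) is the single most useful test for whether it can be used as a reflector.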

Page 19

Image License

All pictures are distributed either under a Creative Commons license or the "stock exchange default license", so they may be redistributed.

Image Sources: Crowd photo by James Cridland on Flickr

http://www.sxc.hu/photo/182229

http://www.sxc.hu/photo/211248

http://openiconlibrary.sourceforge.net

Page 20

License

Feel free to redistribute this document and make changes, but please credit me, Allen Baranov, with the original.

Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0)