- open resolvers
- has a low response limit ( EDNS )
- deploys no rate limits
This way the attacker can spoof the target address against the open or even to degree a closed DNS server and have that server send it's replies to the victim network/host. This attack is a double whammy , since it floods the open/closed dns server with a bogus request on behalf of the victim ip_address that we spoof.
Here's a way to determine the dns server max limits;
dig +short rs.dns-oarc.net txt
So let's us the google public servers located at 220.127.116.11 and 18.104.22.168
sh-3.2$ dig +short rs.dns-oarc.net txt 22.214.171.124 rst.x3827.rs.dns-oarc.net. rst.x3837.x3827.rs.dns-oarc.net. rst.x3843.x3837.x3827.rs.dns-oarc.net. "x.x.x.177 DNS reply size limit is at least 3843" "Tested at 2013-04-24 21:49:25 UTC" "x.x.x.177 sent EDNS buffer size 4096"
sh-3.2$ dig +short rs.dns-oarc.net txt 126.96.36.199 rst.x3827.rs.dns-oarc.net. rst.x3837.x3827.rs.dns-oarc.net. rst.x3843.x3837.x3827.rs.dns-oarc.net. "Tested at 2013-04-24 21:49:25 UTC" "x.x.x.177 sent EDNS buffer size 4096" "x.x.x.177 DNS reply size limit is at least 3843" sh-3.2$
So if the server support EDNS, it has no 512 byte limits. So these attacks
are low overhead for the attacker.
A simple dns query of 80bytes could generate a response of 3K or more and directed to a remote victim. This is why it's crucical to close dns servers and to rate limit the dns queries for repeated request.
To identify this attack it's quite simple and obvious, you will see numerous requests for the same RR and typically a hughe record type like that of a TXT or SPF.
You can measure the size of the reply by using dig or host.
sh-3.2$ host -v -t txt iana.org
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11929
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;iana.org. IN TXT
;; ANSWER SECTION:
iana.org. 59 IN TXT "$Id: iana.org 1516 2013-04-18 19:21:42Z davids $"
Received 87 bytes from x.x.x.62#53 in 22 ms
To mitigate and protect form these attacks you should do all of the below;
- if your resolver has no rate-limiting capacity , you can typically do this at the firewall
- rate limit DNS response at the DNS server ( bind9 rate-limit )
- deploy IPS/IDS for alert on DNS floods
- limit the DNS server max reply size by limiting the size of the RR that you use ( e.g do you really need a 3K+ byte RR ? )
- deploy DNSSEC
- setup inter resolver only, and filter traffic inbound to your clients
- isolate public and enterprise DNS servers
Using common sense in monitoring your dns server, will go a long way to determine if your being abused. If you see the same request over and over and for large resources records, stop and mitigate it.
This message is approved by Ken Felix :)
Freelance Network/Security Engineer
kfelix -at- hyperfeed -----dot---- com
close open dns servers