A DDoS Attack Explained: DNS Amplification Attack


Up to this point, we’ve largely focused on the types of DDoS attack associated with TCP connections, but today we’d like to switch our focus over to another area: DNS amplification attacks.

A DNS amplification DDoS attack builds on the connection-less orientation of the UDP protocol. Attackers use publically accessible open DNS servers to flood a target system with DNS response traffic. The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address. When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect. The amplification factor of this type of attack is up to 54x. What this means is that for every byte of traffic that is sent from the attacker, up to 54 bytes of traffic will be sent to the destination.

In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, “ANY,” which returns all known information about a DNS zone in a single request. Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim. By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort. Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks.

Below, we see an example of a DNS query targeting port 80 from an open DNS resolver running on IP address

[email protected]:~# dig ANY exampletest.xab @ +edns=0

; <<>> DiG 9.8.1-P1 <<>> ANY exampletest.xab @ +edns=0
;; global options: +cmd
;; Got answer:
;; ->>HEADER< ;; flags: qr rd ra; QUERY: 1, ANSWER: 39, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;exampletest.xab. IN ANY

exampletest.xab. 3599 IN TXT “553992721-5400647”
exampletest.xab. 3599 IN SOA ns1.exampletest.xab. 2015062301 28800 7200 604800 3600
exampletest.xab. 299 IN MX 10 abcmail1.exampletest.xab.
exampletest.xab. 299 IN MX 10 defmail5.exampletest.xab.
exampletest.xab. 299 IN MX 10 defmail3.exampletest.xab.
exampletest.xab. 299 IN MX 10 ghimail1.exampletest.xab.
exampletest.xab. 299 IN MX 10 abcmail2.exampletest.xab.
exampletest.xab. 21599 IN NS ns1.exampletest.xab.
exampletest.xab. 21599 IN NS ns3.exampletest.xab.
exampletest.xab. 299 IN A
exampletest.xab. 299 IN A
exampletest.xab. 3599 IN TXT “178953544-4422001”
exampletest.xab. 3599 IN TXT “228406766-4422034”
exampletest.xab. 3599 IN TXT “299762315-4422055”
exampletest.xab. 3599 IN TXT “826318936-4422046”
exampletest.xab. 3599 IN TXT “598362127-4422061”
exampletest.xab. 3599 IN TXT “227933795-4422004”
exampletest.xab. 3599 IN TXT “691244312-4422022”
exampletest.xab. 3599 IN TXT “287893658-4422013”
exampletest.xab. 3599 IN TXT “186244776-4422028”
exampletest.xab. 3599 IN TXT “353675828-4422052”
exampletest.xab. 3599 IN TXT “782919862-4417942”
exampletest.xab. 3599 IN TXT “126353328-4422040”
exampletest.xab. 3599 IN TXT “294923881-4422049”
exampletest.xab. 3599 IN TXT “667921463-4422007”
exampletest.xab. 21599 IN NS ns2.exampletest.xab.
exampletest.xab. 21599 IN NS ns1.exampletest.xab.
exampletest.xab. 3599 IN TXT “764482656-4422025”
exampletest.xab. 3599 IN TXT “757973593-4422016”
exampletest.xab. 3599 IN TXT “MS=ms66433104”
exampletest.xab. 3599 IN TXT “714321871-4421998”
exampletest.xab. 3599 IN TXT “882369757-4422010”
exampletest.xab. 3599 IN TXT “ms=ms97244866”
exampletest.xab. 3599 IN TXT “321959687-4422031”
exampletest.xab. 3599 IN TXT “754510718-4422064”
exampletest.xab. 3599 IN TXT “319997471-4422043”
exampletest.xab. 3599 IN TXT “522183251-4422019”
exampletest.xab. 3599 IN TXT “688562515-4422037”
exampletest.xab. 3599 IN TXT “133466244-4422058”

;; Query time: 254 msec
;; WHEN: Thu Jul 9 14:10:14 2015
;; MSG SIZE rcvd: 1175

In the example above, a 64 byte packet sent from a malicious source caused the open DNS resolver running on to reply with a packet with a size of 1175 bytes. In this case, it’s only amplification factor of 18, but they can get much larger depending on what domain is being queried! DNS amplification attacks were a very big deal in 2012.

The reason they were so popular was because they were easy to generate due to a very large number of misconfigured open DNS resolvers. This brought upon the Open Resolver Project. This site was created, as the name implies, to help identify open DNS resolvers. Of course the downside of this was that it made it easier for people to generate large DDoS attacks, but what it did was cause people to start fixing their own DNS resolvers and contact people who had misconfigured DNS resolvers. This project spearheaded significantly reducing the capability to execute DNS amplification attacks.

A funny thing that DDoS mitigation providers and probably a lot of ISPs had happen during this time was that people who were running open DNS resolvers would get in contact with us and tell us that we are DoSing their resolver. The reason they thought that we were DoSing them was that our IP (the one that the actual attacker spoofed) was continuously querying their server, so it looked like we were DoSing them. What they didn’t realize was that the packets were spoofed, and in fact they were the ones DoSing us! This was useful because we were able to tell them how to stop their resolver from participating in DDoS attacks, which helped everyone, except for the attackers.

This sort of DNS traffic is suspect primarily for the large amount of data being “requested”- no normal application or server should ever generate a request designed to elicit this kind of response. Although DNS requests mostly happen over the UDP protocol, there is a way to force DNS over TCP. If the DNS server allows for TCP mode, then denying UDP DNS requests is a very good idea.

[email protected]~# dig test.site ;; Truncated, retrying in TCP mode.

This eliminates the connection-less properties of UDP traffic, allowing DNS traffic to flow without simply blocking or rate-limiting packets, but only over a verified and properly-initiated connection.

What is a DDoS ATTACK

DDoS is an abbreviation for distributed denial of service. Ddos is done by transmitting packets of information in a rapid manner to the extent that the machine under target can no longer bear it or respond to legal requests anymore. This is a common form of attack which is used by hackers with the intent of causing a loss of income or to cause intimidation.
A simple way to explain this is to imagine a scenario where 10 fat men are pushing their way through a small entrance at the same time. This will only prevent other persons from finding their way through to either enter or leave. It is pretty much the same with internet connections; the DDoS makes it impossible for any signal to pass through and the motive at the end of the day is to hinder your connection to the World Wide Web.
For some, DDoS is considered legal while to some others it is not. The Computer Fraud and Abuse act is the only law against DDoS that can be considered in court. It can easily be argued in court and only a few persons have been indicted in such cases.
There were only a few ways to carry out a DDoS attack in the past, either you own a botnet or you gain illegal entry to a server and upload shells which basically are webpages used to send packets of information without the knowledge of the webservers. Nowadays, shells have been substituted by purchased servers from data centers that ignore the activities of these servers. That is also what you will be using whenever you make use of an IP booter or an IP stresser.
There is absolutely no difference between an ip stresser, a DDoSer, a botnet and a booter. Whenever a person calls an ip stresser a booter, they are just concealing their shady deals.

Stop DDoS Attacks Against your Website!

This is the reality and the impacts Distributed Denial of Service (DDoS) attacks have on your websites and their associated server resources. A DoS/DDoS can happen within seconds / minutes and the impacts can be devastating. The impacts will range from less severe issues like down time, to getting banned by your host for Terms of Service (ToS) violations. This doesn’t account for the economic impacts to your business (i.e., downtime = no purchases, no availability).

Understanding a [Distributed] Denial of Service (DoS / DDoS) Attack

Denial of Service (DoS) attacks and Distributed Denial of Service (DDoS) attacks are the same thing, only thing differentiating the two is scale. When you hear someone mention a DoS attack, you can expect the attack to be marginal (Qualifier: obviously marginal is very subjective and many would disagree that any DoS is marginal). In most instances, when you hear someone say DDoS, you can think the opposite (i.e., think grand!).

Whether a DoS or DDoS attack, the attacker is making use of one or more computers. DoS attacks are on the lower end of that spectrum while DDoS attacks are on the higher end of it, very large DDoS attacks can span 100’s if not 1,000’s of systems. The proliferation of DoS/DDoS attacks are directly attributed to the proliferation of DDoS-For-Hire service market, also known as Booter Services.

An attacker that is leveraging a Denial of Service (DoS) attack method has one goal in mind, to disrupt your websites performance. They disrupt your website performance by making it slow to respond to legitimate requests or disabling the website entirely, making it impossible for legitimate users to access your website. This type of disruption, depending on your configuration, can be devastating to your business.

There are three main DDoS / DoS attack types:

Each of these attacks types are designed to consume your web server resources, in one way or another and each have the same outcome – your web server / website slow to a halt or crash.

1. Volume Based DoS Attacks

As the name implies, this type of attacks depends on volume. The attacker employs a basic tactic, more resources wins this game. If they can overload your resources, they win. For most everyday website owners, this is an easy win. Most website owners are leveraging everyday Shared hosts and those with VPS environments are often configured in the smallest tiers and configurations.

2. Protocol Based DoS Attacks

The internet is all based on protocols, it’s how things get from point A to point B. This type of attack can include things likes Ping of Death, SYN Flood, Packet modifications and number of other variations.


3. Application Layer Attacks

The basis for this attack is often targeting applications like Web Servers (i.e., Windows IIS, Apache, etc…), but more and more we’re seeing this type of attack evolve to application platforms like WordPress, Joomla and other similar applications.

Website Firewall Protects Against DDoS / DoS Attacks

There are a number of DoS / DDoS attacks that we, Sucuri, deal with on a daily basis. These are the ones that the Sucuri Website Firewall will protect your website against:

1. HTTP Flood Attack

This type of Layer 7 application attack happens when an attacker makes use of standard GET / POST requests in effort to overload your web servers response ability. This attack is also known as a volumetric attack, it doesn’t require malformed packets, spoofing or any variation of reflection techniques. This attack can occur over HTTP or HTTPS and is much easier to implement, making them the much preferred attack method, cheaper too, for a lot of booter services targeting websites. They can generate thousands of requests a second.

2. Simple Service Discovery Protocol (SSDP) DoS Attack

The Simple Service Discovery Protocol (SSDP) is often used for Plug & Play (UPnP) devices, and it was only in 2014 that we started to see DoS attacks leverage this protocol. It’s a relatively new attack vector for DoS attacks. It often targets traditional SSDP ports, (1900) and destination port 7 (echo). It’s a form of a UDP attack, which unlike SSDP is more common. The latest reports show that SSDP attacks have the ability to increase the amplification of the attack by 30 times which might explain why it’s being employed.

3. User Datagram Protocol (UDP) DoS Attack

The User Datagram Protocol (UDP) DoS attack will flood various ports on your web server, randomly, with packets – also known as Layer 3 / 4 attacks. This forces the web server to respond, in turn chewing through your web server resources forcing it to come to a halt or die completely. UDP is a connection-less protocol, meaning it doesn’t validate source IP addresses. It’s because of this that UDP attacks are often associated with Distributed Reflective Denial of Service (DRDoS) attacks.

4. Domain Name Server (DNS) Amplification DoS Attack

DNS Amplification DoS attacks are very popular today, they occur at Layers 3 / 4. They make use of publicly accessible DNS servers around the world to overwhelm your web server with DNS response traffic. Your web server is overwhelmed by the influx of responses in turn making it difficult to function as it’s resources are depleted, making it impossible to respond to legitimate DNS traffic.

Continue reading

How to Launch a 65Gbps DDoS, and How to Stop One

How to Launch a 65Gbps DDoS, and How to Stop One

Yesterday I posted a post mortem on an outage we had Saturday. The outage was caused when we applied an overly aggressive rate limit to traffic on our network while battling a determined DDoS attacker. In the process of writing it I mentioned that we’d seen a 65Gbps DDoS earlier on Saturday. I’ve received several questions since that all go something like: “65Gbps DDoS!? Who launches such an attack and how do you defend yourself against it?!” So I thought I’d give a bit more detail.

What Constitutes a Big DDoS?

A 65Gbps DDoS is a big attack, easily in the top 5% of the biggest attacks we see. The graph below shows the volume of the attack hitting our EU data centers (the green line represents inbound traffic). When an attack is 65Gbps that means every second 65 Gigabits of data is sent to our network. That’s the equivalent data volume of watching 3,400 HD TV channels all at the same time. It’s a ton of data. Most network connections are measured in 100Mbps, 1Gbps or 10Gbps so attacks like this would quickly saturate even a large Internet connection.

How to Launch a 65Gbps DDoS, and How to Stop One

Continue reading

How are amplification lists scanned?

A key question that was recently asked quite a bit is how amplification lists (which are used for UDP amplification) are scanned. The most common ones are SSDP, DNS, NTP, CHARGEN and SNMP. There are a lot of possible UDP based services that can be used for packet amplification but only a few provide a good amplification rate.

The most common method to scan for amplification lists is using a scanner. Which means sending a packet to every possible IP and save only the ones with a good amplification rate.

Another method is a honeypot method which consists on having a server with a high port speed (10Gbps), and using booters or stressers to catch the packets, ending up with a list of IPs that were used for the stress test on a specific UDP service.