DNS amplification attacks

2006/04/25 Copyright (C) 2006 Internet Initiative Japan Inc. (22 slides, PowerPoint presentation created 4/21/2006)

Transcript

Page 1

DNS amplification attacks

Matsuzaki Yoshinobu <[email protected]>

Page 2

DNS amplification attacks

• Attacks using IP spoofed DNS queries
  – generating a traffic overload
  – bandwidth attack
  – similar to ‘smurf attacks’

• Components are:
  – IP spoofing
  – DNS amp

Page 3

IP spoofing + DNS amp

• IP spoofing
  – IP spoofed DNS query
  – to use reflections

• DNS amp
  – UDP (no 3-way handshake)
  – good amplification ratio =~ 60
  – amplifiers are widely distributed: full-resolvers and stub-resolvers (DNS caches)

Page 4

reflection

[Figure: the sender emits an IP spoofed packet with src: victim, dst: reflector; the reflector's reply packet carries src: reflector, dst: victim, so the reply is delivered to the victim, not to the sender.]

Page 5

amplification

[Figure: two kinds of amplification at a reflector. 1. multiple replies: one packet from the sender triggers several reply packets. 2. bigger reply: one packet from the sender triggers a single reply that is much larger than the request.]

Page 6

DNS amplification

[Figure: the sender asks a DNS server "ANY? xxx.example.com"; the server replies with the whole record set for the name, for example:]

xxx.example.com IN TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
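Added example, not from the slides: a minimal builder for the ANY query and the TXT-heavy reply sketched above, so the ~60-byte query, the ~4000-byte reply and the ratio of about 60 can be reproduced offline. Everything in it is constructed: xxx.example.com is the slide's placeholder name, four 1000-byte TXT records stand in for the padded record on the slide, and no packets are sent. One caveat a practitioner wants: a plain UDP reply is capped at 512 bytes (the server sets TC instead), so a ~4000-byte reply only happens when the spoofed query carries an EDNS0 OPT record advertising a large buffer. The builder includes one by default and omits it when edns_bufsize is 0, so both query sizes can be compared.

```python
"""Build an ANY query and the oversized TXT reply it elicits, and measure the amplification."""
import struct

IP_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header per datagram


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def edns0_opt(udp_payload_size):
    """EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS = advertised UDP buffer, TTL 0, empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0, 0)


def build_any_query(qname, txid=0x1234, edns_bufsize=4096):
    """Standard query (RD=1) for QTYPE ANY. With edns_bufsize > 0 an OPT record is appended,
    which is what allows the reply to exceed the classic 512-byte UDP limit."""
    use_edns = edns_bufsize > 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 255, 1)  # QTYPE=ANY, QCLASS=IN
    return header + question + (edns0_opt(edns_bufsize) if use_edns else b"")


def txt_rdata(text):
    """TXT RDATA: one or more <length><bytes> character-strings of at most 255 bytes each."""
    out = b""
    for i in range(0, len(text), 255):
        chunk = text[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out


def build_any_response(query, qname, txt_records, ttl=3600):
    """Response (QR=1, RD=1, RA=1) echoing the query ID and question, answering with TXT records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_records), 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 255, 1)
    answers = b""
    for txt in txt_records:
        rdata = txt_rdata(txt)
        # 0xC00C = compression pointer to the question name at offset 12; TYPE 16 = TXT, CLASS 1 = IN
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answers + edns0_opt(4096)


def wire_size(dns_payload):
    """Bytes on the wire for one datagram (fragmentation of a large reply adds more; ignored here)."""
    return len(dns_payload) + IP_UDP_OVERHEAD


def amplification_ratio(query, response):
    """Bytes the reflector sends to the victim per byte the attacker had to send."""
    return wire_size(response) / wire_size(query)


def demo():
    qname = "xxx.example.com"
    query = build_any_query(qname)
    # Constructed zone content: four 1000-byte TXT records under one name
    response = build_any_response(query, qname, [b"X" * 1000] * 4)
    return wire_size(query), wire_size(response), amplification_ratio(query, response)


if __name__ == "__main__":
    q, r, ratio = demo()
    print(f"query {q} bytes on the wire, reply {r} bytes, amplification x{ratio:.1f}")
```

The query without the OPT record is 61 bytes on the wire, matching the slide's ~60 bytes; with it, 72 bytes buy a 4136-byte reply, a ratio of about 57. Any name whose record set is large (many TXT or DNSKEY records, a long NS set) is usable, which is why the defence is on the reflector and the spoofing path rather than on the zone content.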

Page 7

DNS amplification attack

[Figure: the attacker sends IP spoofed DNS queries to many DNS servers; every server's DNS reply goes to the victim.]

Page 8

attack relations

[Figure: Command&Control drives a botnet; the bots send IP spoofed DNS queries to stub-resolvers and full-resolvers; the full-resolvers in turn query the root-servers, tld-servers and example-servers; the DNS replies from the resolvers land on the victim.]

Page 9

view of bot #1

[Figure: bot #1 sends DNS queries out to the Internet toward many DNS servers.]

DNS queries sent by bot #1:
– size: ~60 bytes
– src IP: victim (IP spoofed)
– dst IP: various (DNS amps)
– protocol: UDP
– src port: various
– dst port: 53
– QR: standard query
– QNAME: (a specific one)

• performance degradation
• traffic overload

Page 10

view of bot #2

• a bot behind a NAT box

[Figure: bot #2 → NAT router → Internet → DNS amps; the DNS replies come back to the NAT router.]

DNS query – before NAT:
– src IP: victim (IP spoofed)
– dst IP: various (DNS amps)

DNS query – after NAT:
– src IP: NAT router
– dst IP: various (DNS amps)

DNS reply:
– src IP: various (DNS amps)
– dst IP: NAT router

The NAT rewrites the spoofed source to its own address, so the amplified replies hit the NAT router instead of the victim:
• NAT table saturation
• ICMP unreach generation

Page 11

view of stub-resolver

[Figure: the stub-resolver sits between the Internet (victim, bot#2 (NAT)) and the full-resolvers; it receives DNS queries and sends DNS replies.]

DNS queries (from the Internet: victim, bot#2 (NAT)):
– size: ~60 bytes
– src IP: victim / bot#2 (NAT)
– dst IP: stub-resolver
– QNAME: (a specific one)

DNS replies:
– size: ~4000 bytes (IP fragmented)
– src IP: stub-resolver
– dst IP: victim / bot#2 (NAT)
– QNAME: (a specific one)

• performance degradation
• traffic overload
• if the stub-resolver works in no-cache mode, all of the queries are relayed to the full-resolvers.

Page 12

view of full-resolver

[Figure: the full-resolver sits between the Internet (victim, bot#2 (NAT), stub-resolvers) and the authoritative servers (root-servers, tld-servers, example-servers).]

DNS queries (from the Internet: victim, bot#2 (NAT), stub-resolvers):
– size: ~60 bytes
– src IP: victim / bot#2 / stub-resolver
– dst IP: full-resolver
– QNAME: (a specific one)

DNS replies:
– size: ~4000 bytes (IP fragmented)
– src IP: full-resolver
– dst IP: victim / bot#2 (NAT) / stub-resolver
– QNAME: (a specific one)

• performance degradation
• traffic overload
• if the TTL of the RR is short, the number of queries to the root/tld/example servers increases.

Page 13

view of victim

[Figure: DNS replies from many DNS servers on the Internet converge on the victim.]

DNS replies:
– size: ~4000 bytes (IP fragmented)
– src IP: full-resolvers, stub-resolvers
– dst IP: victim

• traffic overload
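Added example, not from the slides: the packet characteristics listed for the bot, the resolvers and the victim (pages 9 to 13) are each a detectable signature, and this block turns them into three checks over flow-style records. The records, addresses and prefixes are constructed (the victim is 203.0.113.7, the reflectors are 192.0.2.10-12, the bot sits in a hypothetical 198.51.100.0/24 and spoofs the victim, and one legitimate local client is mixed in); a flow exporter or a capture would supply the same fields.

```python
"""Spot the DNS amplification pattern in flow records from the three vantage points on the slides."""
import ipaddress
from collections import Counter, defaultdict, namedtuple

# One UDP DNS datagram as a flow exporter or packet capture would summarise it.
Flow = namedtuple("Flow", "src dst sport dport qr qname size")

# Hypothetical address plan: the bot's network (what BCP38 egress filtering would know as "local").
LOCAL_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample (not from the slides): victim 203.0.113.7, reflectors 192.0.2.10-12,
# a bot inside 198.51.100.0/24 spoofing the victim, plus one legitimate local client.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10", 40001, 53, 0, "xxx.example.com", 61),
    Flow("203.0.113.7", "192.0.2.11", 40002, 53, 0, "xxx.example.com", 61),
    Flow("203.0.113.7", "192.0.2.12", 40003, 53, 0, "xxx.example.com", 61),
    Flow("203.0.113.7", "192.0.2.10", 40004, 53, 0, "xxx.example.com", 61),
    Flow("198.51.100.25", "192.0.2.10", 40005, 53, 0, "www.example.net", 58),
    Flow("192.0.2.10", "203.0.113.7", 53, 40001, 1, "xxx.example.com", 4136),
    Flow("192.0.2.11", "203.0.113.7", 53, 40002, 1, "xxx.example.com", 4136),
    Flow("192.0.2.12", "203.0.113.7", 53, 40003, 1, "xxx.example.com", 4136),
    Flow("192.0.2.10", "198.51.100.25", 53, 40005, 1, "www.example.net", 120),
]


def is_query(f):
    return f.dport == 53 and f.qr == 0


def is_reply(f):
    return f.sport == 53 and f.qr == 1


def spoofed_egress(flows, local_prefixes=LOCAL_PREFIXES):
    """Bot-side view (pages 9/10): queries leaving with a source address that is not ours.
    This is exactly the packet set a BCP38 egress filter would drop."""
    bad = set()
    for f in flows:
        if is_query(f) and not any(ipaddress.ip_address(f.src) in p for p in local_prefixes):
            bad.add(f.src)
    return sorted(bad)


def reflection_targets(flows, min_queries=3):
    """Resolver view (pages 11/12): one source repeating the same QNAME is the spoofed victim."""
    counts = Counter((f.src, f.qname) for f in flows if is_query(f))
    return {key: n for key, n in counts.items() if n >= min_queries}


def reflected_replies(flows, min_reflectors=3, min_size=1500):
    """Victim view (page 13): large replies from many distinct DNS servers converging on one host."""
    reflectors = defaultdict(set)
    for f in flows:
        if is_reply(f) and f.size >= min_size:
            reflectors[f.dst].add(f.src)
    return {dst: len(srcs) for dst, srcs in reflectors.items() if len(srcs) >= min_reflectors}


if __name__ == "__main__":
    print("spoofed sources leaving our network:", spoofed_egress(SAMPLE_FLOWS))
    print("victims seen from the resolver:", reflection_targets(SAMPLE_FLOWS))
    print("hosts under reflected reply load:", reflected_replies(SAMPLE_FLOWS))
```

The thresholds are deliberately low for the nine-record sample; on real flow data the same three aggregations run over a time window, and the resolver-side count is the one that also tells an operator which name is being abused.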

Page 14

solutions

[Figure: the attack path, attacker → IP spoofed DNS queries → resolvers → DNS replies → victim, with the two places to cut it.]

• drop IP spoofed packets = Source Address Validation (on the way out of the attacker's network)
• discard recursive DNS queries from external = Disable Open Recursive DNS (at the resolvers)

Page 15

Disable Open Recursive DNS

• There are many ‘open relay’ resolvers.
  – ISP cache servers
  – customers’ DNS servers
  – DSL routers (DNS proxy acting as a stub-resolver)
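Added example, not from the slides: what "open relay" looks like in a BIND 9 named.conf, with the weak setting beside the corrected one. The slides name no software, so BIND and the customer prefixes 198.51.100.0/24 and 203.0.113.0/24 are assumptions; the two options blocks are alternatives, not one file. A DSL router's DNS proxy has no such file; the equivalent fix there is to make the proxy listen only on the LAN interface, which is device-specific.

```conf
// Weak: an open recursive resolver. Anyone on the Internet may send a recursive
// query and get a full answer, so the server is usable as a DNS amp.
options {
    recursion yes;
    allow-recursion { any; };
};

// Corrected: recurse only for our own clients; everyone else gets REFUSED.
acl customers { 198.51.100.0/24; 203.0.113.0/24; };   // hypothetical customer prefixes

options {
    recursion yes;
    allow-recursion   { customers; localhost; localnets; };
    allow-query-cache { customers; localhost; localnets; };
};

// An authoritative-only server should not recurse at all:
// options { recursion no; };
```

allow-query-cache matters as well as allow-recursion: without it an outsider can still pull already-cached answers, which is a smaller but non-zero amplifier. Verify from an address outside the ACL that a recursive query for a name you are not authoritative for comes back REFUSED rather than answered.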

Page 16

Source Address Validation

• BCP38 / RFC 2827
  – "All providers of Internet connectivity are urged to implement filtering described in this document to prohibit attackers from using forged source addresses..."

Page 17

IIJ/AS2497’s case

• IIJ to Introduce Source Address Validation to all its Connectivity Services
  – http://www.iij.ad.jp/en/pressrelease/2006/0308.html

• IIJ is adopting uRPF and ACLs.

Page 18

IIJ’s policy

[Figure: IIJ/AS2497 in the middle, linked to a peer ISP, an upstream ISP, a customer ISP, a multi-homed static customer and a single-homed static customer; each link is labelled with the uRPF mode applied to it, uRPF strict mode or uRPF loose mode. Strict mode requires the best route back to the source to point at the receiving link, which holds for a single-homed static customer; loose mode only requires that some route to the source exist, which is what fits links where the return path may be asymmetric, such as multi-homed customers and other ISPs.]

Page 19

CISCO uRPF configuration

uRPF strict mode

interface GigabitEthernet0/0
 ip verify unicast source reachable-via rx

uRPF loose mode

interface GigabitEthernet0/0
 ip verify unicast source reachable-via any

Page 20

Juniper uRPF configuration

uRPF strict mode

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check;
            }
        }
    }
}

uRPF loose mode

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                rpf-check {
                    mode loose;
                }
            }
        }
    }
}
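Added example, not from the slides or either vendor's code: a small model of what the strict and loose checks configured above actually decide, run against a made-up FIB so the policy on page 18 can be exercised without a router. Interface names follow the Juniper example; the prefixes, the per-interface modes and the test packets are all assumptions. The model treats a match only on the default route as "no route" in both modes, a simplification of what vendors expose as a separate option (Cisco's allow-default keyword on the same command).

```python
"""Model uRPF strict vs loose mode against a small FIB to see what each would have dropped."""
import ipaddress

# Hypothetical FIB for an edge router: (prefix, interface the best route points out of).
FIB = [
    ("0.0.0.0/0", "ge-0/0/0"),         # default route toward the upstream ISP
    ("192.0.2.0/24", "ge-0/0/0"),      # the victim's network, reached via the upstream
    ("198.51.100.0/24", "ge-0/0/1"),   # single-homed static customer
    ("203.0.113.0/24", "ge-0/0/2"),    # multi-homed customer: best route via ge-0/0/2,
                                       # but the customer also sends traffic in on ge-0/0/3
]

# Per-interface policy in the spirit of page 18: strict only where the return path is unambiguous.
URPF_MODE = {"ge-0/0/1": "strict", "ge-0/0/2": "loose", "ge-0/0/3": "loose", "ge-0/0/0": "loose"}


def lookup(fib, src):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_check(src, ingress, fib, mode):
    """True if the packet passes. Strict: the best route back to src must leave via the
    ingress interface. Loose: any route to src suffices. A match only on the default route
    counts as 'no route' here (simplification; vendors make this a separate knob)."""
    route = lookup(fib, src)
    if route is None or route[0].prefixlen == 0:
        return False
    if mode == "loose":
        return True
    return route[1] == ingress


def admit(src, ingress, fib=FIB, modes=URPF_MODE):
    """Apply the interface's configured mode; interfaces without uRPF admit everything."""
    mode = modes.get(ingress)
    return True if mode is None else urpf_check(src, ingress, fib, mode)


def demo():
    cases = [
        ("198.51.100.9", "ge-0/0/1"),   # customer's own address: passes strict
        ("192.0.2.50", "ge-0/0/1"),     # spoofed victim address from that customer: strict drops
        ("192.0.2.50", "ge-0/0/3"),     # same spoof on a loose-mode link: not caught
        ("203.0.113.4", "ge-0/0/3"),    # multi-homed customer on its secondary link: loose passes
        ("10.0.0.1", "ge-0/0/3"),       # unrouted source: dropped even in loose mode
    ]
    return {(src, iface): admit(src, iface) for src, iface in cases}


if __name__ == "__main__":
    for (src, iface), ok in demo().items():
        print(f"{src:>14} in on {iface}: {'pass' if ok else 'DROP'}")
```

The two rows for 192.0.2.50 are the point: the spoofed victim address on the slides is fully routable, so loose mode lets it through and only strict mode stops it. Loose mode still removes unrouted and bogon sources, and it is what can be deployed on the multi-homed link without dropping the customer's legitimate traffic when its best route points elsewhere.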
