DNS Amplification Attacks

Presented at DEF CON 14 (2006), Aug. 5, 2006, 5 p.m. (50 minutes)

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets. Our study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. We study this data in order to further understand the basics of the reported recursive name server amplification attacks which are also known as DNS amplification or DNS reflector attacks. One of the networks under attack, Sharktech, indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks. The risks involved with the recursive name server feature, as well as those of packet spoofing are well known, yet have been treated more as a theoretical issue. The attack under study was anticipated as early as 2002 (gnupg 2002). Earlier attacks using queries to non-authoritative servers were for a reflection attack using MX records (Mirkovic, Dietrich, Dittrich. and Reiher). To our knowledge, this is the first documentation of a new form of a recursive name server reflection attack designed to use the significantly larger data amplification available from the extended capabilities of extended DNS standards. In addition to this attack technique, recursion can be leveraged for other uses such as theft of DNS resources (CERT UNI-Stuttgart 2003).

Presenters:

• Randal Vaughn - Professor
  Randal Vaughn teaches a variety of courses in Information Systems. Vaughn is a widely quoted expert in the areas of cyber warfare, cyber defense, and internet threat metrics and reporting. He is on the Board of Advisors for MI5 Security and an Academic associate for the AntiPhishingWorkingGroup. He is a member of Educause, the Society for Information Management (SIM), and the Association for Computing Machinery (ACM). His work has been published in several mathematics publications and he has authored white papers such as "Using PowWow in the Academic Environment" for Tribal Voice. Previously, Vaughn worked at Mobil Exploration and Producing Services, Inc. as a computer analyst for seismic processing support. Prior to that, he was the lead designer for Vought Aircraft's Group Technology Support Software—a component of the U.S. Air Force's Integrated Computer Aided Manufacturing project. He also served in the U.S. Air Force as a project engineer and database administrator. Vaughn's operating system experience includes legacy mainframe operating systems, Microsoft' Windows', Linux, and Apple' Mac' OS and Mac OS X operating systems.
• Gadi Evron

Links:

• https://defcon.org/html/defcon-14/dc-14-speakers.html#Vaughn
• https://infocon.org/cons/DEF CON/DEF CON 14/DEF CON 14 video/DEF CON 14 - Vaughn and Evron - DNS Amplification attacks - Video.mp4
• https://www.youtube.com/watch?v=UDV4WgdiIb0

Similar Presentations:

• DeepSec 2018 „I like to mov &6974,%bx“ / DNS Exfiltration and Out-of-Band Attacks
• BSidesLV 2016 / DNS Hardening - Proactive Network Security Using F5 iRules and Open Source Analysis Tools
• Black Hat USA 2016 / Dark Side of the DNS Force