Protect Network From Domain Name Server (DNS) Amplification Attack: A popular DDoS domain name server amplification attack is design to overrun a target system with DNS response traffic. You can prevent a DNS amplification attack by setting up Source IP Verification on a network device, disabling recursion on authoritative name servers, limiting the recursion to authorized clients, and configuring Response Rate Limiting (RRL) on the DNS server.
What Is DNS Amplification?
The Domain Name Server (DNS) Amplification attack is a common form of Distributed Denial of Service (DDoS) in which attackers overwhelm a target system with DNS response traffic using publicly accessible open DNS servers.
An attacker sends a DNS name query request to an open DNS server with the originating address spoofed to be the target’s address.
The target is the recipient of the DNS server’s DNS record response. To maximize the amplification effect, attackers will typically submit a request for as much zone data as feasible.
In most attacks observed by US-CERT, the attacker sends spoofed queries of type “ANY,” which returns all known details about a DNS zone in response to a single request.
The attacker may increase the bandwidth delivered to the victim since the response is far bigger than the request.
Using a botnet to generate many spoofed DNS queries, an attacker can cause vast traffic volumes with minimal effort. In addition, it is challenging to prevent these types of attacks because the responses are legitimate data from valid servers.
What Are the Five Major Types of DNS Attacks?
1. DNS Amplification
DNS amplification assaults employ Distributed Denial of Service (DDoS) against a specific server. It involves exploiting open, publicly accessible DNS servers to overload a target with DNS response traffic.
Typically, an attack begins with a threat actor sending a DNS lookup request to an open DNS server while impersonating the originating address to become the target address. Once the DNS server returns the DNS record response, it is forwarded to the attacker’s new target.
2. DNS Tunneling
DNS tunneling entails encrypting the data of other protocols or programs within DNS queries and responses. It typically carries data payloads that enable an adversary to take control of a DNS server and administer remote servers and applications.
DNS tunneling frequently relies on the external network connectivity of a compromised system to gain access to an internal DNS server with network access. Controlling a server and a domain, which works as an authoritative server that executes data payload executable programs and server-side tunneling, is also required.
3. DNS Flood Attack
DNS flood assaults entail executing a user datagram protocol (UDP) deluge using the DNS protocol. The threat actors deploy valid DNS request packets at a very high packet rate, generating a vast collection of source IP addresses.
Since the requests appear legitimate, the target’s DNS servers begin responding to all requests. The DNS server may then become overburdened by the overwhelming number of queries. An extensive quantity of network resources is required for a DNS attack, which exhausts the targeted DNS infrastructure until it is taken offline. Consequently, the target’s Internet access is interrupted.
4. NXDOMAIN Attack
A DNS NXDOMAIN deluge DDoS attack aims to overwhelm a DNS server with queries for invalid or nonexistent records. Most (or all) of a DNS proxy server’s resources are typically used to query the DNS authoritative server when handling these attacks. This results in both the DNS Authoritative server and the DNS proxy server spending their time processing invalid queries. Consequently, the response time for legitimate requests decelerates and eventually ceases.
5. DNS Spoofing
DNS spoofing, or DNS cache poisoning, is manipulating DNS records to redirect Internet traffic to a malicious website masquerading as the intended destination. After reaching the fraudulent destination, users are prompted to enter their accounts.
Once the information is entered, the user allows the threat actor to take access credentials and any sensitive information entered into the fraudulent login form. In addition, these malicious websites are frequently used to install viruses or malware on end users’ computers, granting the threat actor permanent access to the machine and any stored data.
How Can A DNS Amplification Attack Be Prevented?
A DNS amplification attack is a distributed denial-of-service (DDoS) attack that can cause major harm to your network or server. You can prevent a DNS amplification attack by taking the following measures:
Disable open DNS resolvers
Open DNS resolvers are DNS servers that permit queries from anyone. Attackers can use these servers to multiply their attacks. To stop them from using in an attack, disable open DNS resolvers on your network.
Implement DNS Response Policy Zones (RPZ)
DNS Response Policy Zones (RPZ) enable the blocking or rerouting DNS queries to particular domains or IP addresses. By barring malicious queries, this can prevent DNS amplification attacks.
Filter incoming network traffic
Utilize firewalls or intrusion prevention systems to filter and block dubious incoming traffic. It prevents attackers from exploiting DNS servers.
Limit DNS query rate
Limit the number of DNS queries sent from a single IP address using rate-limiting policies. It can prevent attackers from overwhelming DNS servers.
Implement DNSSEC
DNS Security Extensions (DNSSEC) add a security layer to your DNS infrastructure. They assist in preventing DNS record tampering and DNS cache poisoning attacks.
Monitor DNS traffic
Monitor your DNS traffic regularly to detect and respond to indicators of a DNS amplification attack. It can allow you to identify and defend against attacks before they cause damage rapidly.
Final Thoughts
Similar to other amplification attacks, DNS amplification is a reflection attack. In this instance, reflection forces DNS resolvers to respond to a spoofed IP address. During a DNS amplification attack, the attacker transmits a DNS query with a spoofed IP address (the victim’s) to an open DNS resolver, causing it to respond with a DNS response to the victim’s IP address. The victim’s network can quickly become inundated by the overwhelming volume of DNS responses if numerous spoofed queries are sent out and multiple DNS resolvers respond simultaneously.
We recommed to involve third parties VPN services for a prompt response quickly. Additionally, you must assess the risk of compromised critical resources by Network DoS attacks and disaster recovery plan to respond to situations.
