How To Prevent A Domain Name Server (DNS) Amplification attack

Contents

A domain name server amplification attack is a popular form of DDoS attack that attempts to flood a target system with DNS response traffic

You can prevent a DNS amplification attack by Implementing Source IP Verification on a network device, Disabling Recursion on Authoritative Name Servers, Limiting Recursion to Authorized Clients, and Implementing Response Rate Limiting (RRL) setting on DNS Server.

Learn More: How To Prevent Cyber Attacks

Free Security Policy Templates

Get a step ahead of your cybersecurity goals with our comprehensive templates.

IT Security Policy Templates

What Is A DNS Amplification Attack?

A Domain Name Server (DNS) Amplification attack is a popular form of Distributed Denial of Service (DDoS), in which attackers use publically accessible open DNS servers to flood a target system with DNS response traffic.

DNS amplification - cyber attacks

The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address.

When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect.

In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of the type, “ANY,” which returns all known information about a DNS zone in a single request.

Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim.

By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort.

Additionally, because the responses are legitimate data coming from valid servers, it is extremely difficult to prevent these types of attacks.

Example Of A DNS Amplification Attack

The SUNBURST backdoor was discovered as part of a sophisticated supply chain attack.

The attackers compromised the SolarWinds Orion software, which is widely used for network monitoring and management.

It used Domain Generation Algorithms (DGAs) to generate a list of seemingly random domains. These domains were used for command and control (C2) communication.

By encoding system information (such as machine domain names) within DNS queries, SUNBURST made it challenging to detect its malicious activities.

How To Prevent A DNS Amplification Attack

Implementing Source IP Verification On A Network Device

This step ensures that incoming DNS queries are only accepted from legitimate sources. Configure your network devices (such as routers, firewalls, or DNS servers) to verify the source IP address of incoming DNS requests.

Reject or drop requests from IP addresses that are not part of your authorized network. This helps prevent attackers from spoofing source IP addresses and launching amplification attacks.

Disabling Recursion On Authoritative Name Servers

Recursive DNS queries can be exploited in amplification attacks. By disabling recursion on authoritative name servers, you reduce the attack surface.

In your DNS server configuration, disable recursion (recursive queries) for authoritative zones.

Ensure that your authoritative name servers only respond to queries related to their own zones. This prevents attackers from using your server for recursive queries that could be amplified.

Limiting Recursion To Authorized Clients

Restricting recursion to authorized clients ensures that only trusted entities can perform recursive queries. Configure your DNS server to allow recursion only from specific IP addresses or subnets.

Deny recursion to any other clients. This prevents unauthorized parties from abusing your DNS server for amplification attacks.

Implementing Response Rate Limiting (RRL) Setting On DNS Server

Response Rate Limiting (RRL) helps mitigate amplification attacks by limiting the rate at which a DNS server responds to identical queries. Enable RRL in your DNS server configuration.

Set appropriate thresholds for rate limiting (e.g., limit the number of responses for the same query within a specific time window). This prevents excessive responses to repeated queries, reducing the amplification effect.

Article by

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Related Content

Picture of Jason Firch, MBA
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.

Share This Article

Our Editorial Process

Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.

Categories

.

The Breach Report

Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.