A Domain Name System (DNS) amplification attack is a popular form of DDoS attack that attempts to flood a target system with DNS response traffic.
You can prevent a DNS amplification attack by implementing source IP verification on network devices, disabling recursion on authoritative name servers, limiting recursion to authorized clients, and implementing a Response Rate Limiting (RRL) setting on the DNS server.
What Is A DNS Amplification Attack?
A Domain Name System (DNS) amplification attack is a popular form of Distributed Denial of Service (DDoS) attack in which attackers use publicly accessible open DNS servers to flood a target system with DNS response traffic.
The primary technique consists of an attacker sending a DNS name lookup request to an open DNS server with the source address spoofed to be the target’s address.
When the DNS server sends the DNS record response, it is sent instead to the target. Attackers will typically submit a request for as much zone information as possible to maximize the amplification effect.
In most attacks of this type observed by US-CERT, the spoofed queries sent by the attacker are of type "ANY", which returns all known information about a DNS zone in a single request.
Because the size of the response is considerably larger than the request, the attacker is able to increase the amount of traffic directed at the victim.
By leveraging a botnet to produce a large number of spoofed DNS queries, an attacker can create an immense amount of traffic with little effort.
Additionally, because the responses are legitimate data coming from valid servers, these attacks are extremely difficult to prevent.
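The spoofed-source, ANY-heavy query pattern described above is visible in an ordinary query log. The following is an added example, not code from the original article: it parses constructed BIND-style query log lines (the format and the RFC 5737 test addresses are assumptions for this example) and flags any source address that sends more than a threshold of amplification-prone queries inside a short sliding window.

```python
"""Added example, not from the original article: flag the query pattern of a
DNS amplification attack in a name server's query log.

Assumption: log lines use a BIND-style layout,
"<timestamp> client <ip>#<port>: query: <qname> IN <qtype> ...".  Adapt the
regular expression for other servers.  All log lines below are constructed
(RFC 5737 test addresses), not captured from a real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log: 198.51.100.7 appears as the source of a burst of ANY queries.
# In a spoofed amplification attack that address is the victim, not the attacker.
SAMPLE_LOG = """\
12-Mar-2024 10:00:00.101 client 203.0.113.5#53011: query: www.example.com IN A +
12-Mar-2024 10:00:00.120 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:00.131 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:00.145 client 192.0.2.9#60010: query: example.com IN ANY +
12-Mar-2024 10:00:00.250 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:00.402 client 203.0.113.5#53012: query: mail.example.com IN MX +
12-Mar-2024 10:00:00.470 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:00.610 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:00.800 client 198.51.100.7#4021: query: example.com IN ANY +
12-Mar-2024 10:00:03.900 client 192.0.2.9#60011: query: example.com IN ANY +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client "
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Query types whose answers are typically much larger than the query.
AMPLIFYING_QTYPES = ("ANY", "TXT", "DNSKEY", "RRSIG")


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def find_amplification_sources(lines, window_seconds=1.0, threshold=5,
                               qtypes=AMPLIFYING_QTYPES):
    """Return {source_ip: peak_count} for sources whose amplification-prone
    queries exceed `threshold` within any `window_seconds` sliding window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _qname, qtype = parsed
        if qtype.upper() in qtypes:
            events[ip].append(ts)

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        window = deque()
        peak = 0
        for t in stamps:
            window.append(t)
            # Evict events that fell out of the window ending at t.
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in find_amplification_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} amplification-prone queries within one second")
```

A flagged address is, in a spoofed attack, the address being flooded rather than the party sending the queries, so the useful reaction is to rate-limit responses toward it (see RRL below) rather than to treat it as a hostile client.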
Example Of A DNS Amplification Attack
The SUNBURST backdoor was discovered as part of a sophisticated supply chain attack.
The attackers compromised the SolarWinds Orion software, which is widely used for network monitoring and management.
SUNBURST used Domain Generation Algorithms (DGAs) to generate a list of seemingly random domains, which were used for command and control (C2) communication.
By encoding system information (such as machine domain names) within DNS queries, SUNBURST made it challenging to detect its malicious activities.
How To Prevent A DNS Amplification Attack
Implementing Source IP Verification On A Network Device
This step ensures that incoming DNS queries are only accepted from legitimate sources. Configure your network devices (such as routers, firewalls, or DNS servers) to verify the source IP address of incoming DNS requests.
Reject or drop requests from IP addresses that are not part of your authorized network. This helps prevent attackers from spoofing source IP addresses and launching amplification attacks.
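One common implementation of this check on a router is unicast reverse-path forwarding (uRPF). The model below is an added example written for this article, not vendor code: a packet is accepted on an interface only if the router's best route back to the packet's source address leaves through that same interface (strict mode), or if any route to the source exists (loose mode, usually used on upstream links). The forwarding table, per-interface policy and sample packets are constructed from RFC 5737 test prefixes.

```python
"""Added example, not from the original article: a model of the source-address
check a router performs with unicast reverse-path forwarding (uRPF), one way
the "source IP verification" step is implemented on network devices.

The routing table, interface policy and packets are constructed for this
example; the longest-prefix match mirrors what a forwarding table does.
"""
import ipaddress

# Constructed forwarding table: prefix -> interface the prefix is reached through.
ROUTES = {
    "203.0.113.0/24": "eth1",   # customer LAN behind this router
    "198.51.100.0/24": "eth2",  # segment hosting our DNS servers
    "0.0.0.0/0": "eth0",        # default route towards the upstream provider
}

# Constructed per-interface policy: (mode, allow_default).
IFACE_POLICY = {
    "eth1": ("strict", False),  # customer-facing: strict check, no default route
    "eth2": ("strict", False),  # server segment: strict check
    "eth0": ("loose", True),    # upstream: loose check, default route allowed
}


def best_route(src_ip, routes=ROUTES):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src_ip, ingress_iface, mode="strict", allow_default=False,
                routes=ROUTES):
    """True if a packet with this source address may enter on ingress_iface."""
    match = best_route(src_ip, routes)
    if match is None:
        return False                     # no route at all: cannot be verified
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                     # only the default route matched
    if mode == "loose":
        return True                      # some route exists, that is enough
    return iface == ingress_iface        # strict: must arrive on the return path


def filter_packets(packets, policy=IFACE_POLICY, routes=ROUTES):
    """packets: iterable of (src_ip, ingress_iface). Returns verdict tuples."""
    verdicts = []
    for src, iface in packets:
        mode, allow_default = policy[iface]
        ok = urpf_accept(src, iface, mode, allow_default, routes)
        verdicts.append((src, iface, "accept" if ok else "drop"))
    return verdicts


# Constructed packets: the second one carries the DNS segment's address but
# arrives from the customer LAN, the pattern of a spoofed amplification query.
SAMPLE_PACKETS = [
    ("203.0.113.10", "eth1"),
    ("198.51.100.7", "eth1"),
    ("192.0.2.44", "eth1"),
    ("192.0.2.44", "eth0"),
    ("198.51.100.7", "eth2"),
]

if __name__ == "__main__":
    for src, iface, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{src:>14} on {iface}: {verdict}")
```

Strict mode belongs on interfaces whose legitimate source prefixes are known (customer and server segments); on an upstream interface only loose mode is practical, because almost every source there matches just the default route.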
Disabling Recursion On Authoritative Name Servers
Recursive DNS queries can be exploited in amplification attacks. By disabling recursion on authoritative name servers, you reduce the attack surface.
In your DNS server configuration, disable recursion (recursive queries) for authoritative zones.
Ensure that your authoritative name servers only respond to queries related to their own zones. This prevents attackers from using your server for recursive queries that could be amplified.
Limiting Recursion To Authorized Clients
Restricting recursion to authorized clients ensures that only trusted entities can perform recursive queries. Configure your DNS server to allow recursion only from specific IP addresses or subnets.
Deny recursion to any other clients. This prevents unauthorized parties from abusing your DNS server for amplification attacks.
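After disabling recursion on an authoritative server or restricting it to authorized clients, the natural check is to ask the server a recursive question for a name outside its zones and read the flags of its reply. The following is an added example, not code from the original article: it builds a minimal DNS query with the RD bit set and classifies a reply from its header, where RCODE REFUSED means the query was denied, a set RA bit means the server is willing to recurse for that client, and a reply without RA came from authoritative data only. The replies in the demo are constructed so the block runs offline; `send_query()` is an optional live probe for a server you administer. Message layout follows RFC 1035.

```python
"""Added example, not from the original article: verify whether a name server
offers recursion, by building a query with RD set and reading the reply flags.

The demo replies are constructed; send_query() is the optional live probe.
"""
import socket
import struct

# Header flag bits and codes from RFC 1035.
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def classify_response(query, response):
    """'refused', 'recursion-available' or 'recursion-disabled' from the header."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id does not match the query")
    if not flags & QR:
        raise ValueError("message is not a response")
    if (flags & 0x000F) == RCODE_REFUSED:
        return "refused"
    if flags & RA:
        return "recursion-available"
    return "recursion-disabled"


def make_response(query, flags, answers=()):
    """Constructed reply for the demo: echoes the question, appends answer RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + query[12:] + b"".join(answers)


def a_record(ipv4, ttl=300):
    """A answer RR whose name is a compression pointer to the question (offset 12)."""
    return struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ipv4)


def send_query(server, query, timeout=2.0):
    """Optional live probe over UDP port 53; not used by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


if __name__ == "__main__":
    q = build_query("www.example.com")
    demo = {
        "refused":            make_response(q, QR | RD | RCODE_REFUSED),
        "open-recursive":     make_response(q, QR | RD | RA, [a_record("192.0.2.1")]),
        "authoritative-only": make_response(q, QR | AA | RD),
    }
    for label, reply in demo.items():
        print(f"{label:>18}: {classify_response(q, reply)}")
```

Run the probe twice: once from an address inside the authorized client range and once from outside it. A correctly restricted server should return `recursion-available` only for the first and `refused` or `recursion-disabled` for the second.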
Implementing A Response Rate Limiting (RRL) Setting On The DNS Server
Response Rate Limiting (RRL) helps mitigate amplification attacks by limiting the rate at which a DNS server responds to identical queries. Enable RRL in your DNS server configuration.
Set appropriate thresholds for rate limiting (e.g., limit the number of responses for the same query within a specific time window). This prevents excessive responses to repeated queries, reducing the amplification effect.
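To show how such thresholds cut the amplification effect, here is an added example that is not part of the original article: a simplified model of response rate limiting, with parameter names that mirror BIND's RRL options (`responses-per-second`, `window`, `slip`, `ipv4-prefix-length`) but accounting written for this example rather than taken from any server's code. Responses are counted per (client /24, query name, query type); once a key's credits are exhausted, responses are dropped except that every `slip`-th one is sent as a small truncated reply, so a genuine client can retry over TCP while a spoofed victim receives almost nothing. The query burst is constructed.

```python
"""Added example, not from the original article: a simplified model of DNS
response rate limiting (RRL).

Each (client prefix, qname, qtype) key earns `responses_per_second` credits
per second, capped at that value and floored at -(window * rps) so a burst
cannot build unlimited debt.  Parameter names mirror BIND's options; the
accounting is an approximation for this example.  Queries are constructed.
"""
import ipaddress
from collections import Counter

SLIP_RESPONSE_BYTES = 40   # constructed estimate: header plus a short question


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=15, slip=2,
                 ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.floor = -(window * responses_per_second)
        self.slip = slip
        self.prefixlen = ipv4_prefix_length
        self.state = {}   # key -> (credits, last_second, drops)

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefixlen}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'send' (full answer), 'slip' (truncated answer) or 'drop'."""
        key = self._key(client_ip, qname, qtype)
        credits, last, drops = self.state.get(key, (self.rps, int(now), 0))
        elapsed = int(now) - last
        if elapsed > 0:                      # refill for each full second elapsed
            credits = min(self.rps, credits + elapsed * self.rps)
            last = int(now)
        credits = max(self.floor, credits - 1)
        if credits >= 0:
            decision = "send"
        else:
            drops += 1
            decision = "slip" if self.slip and drops % self.slip == 0 else "drop"
        self.state[key] = (credits, last, drops)
        return decision


def simulate(queries, limiter, full_response_bytes=3000):
    """queries: iterable of (time, client_ip, qname, qtype).
    Returns (decision counts, bytes that left the server)."""
    counts, sent = Counter(), 0
    for now, ip, qname, qtype in queries:
        decision = limiter.decide(now, ip, qname, qtype)
        counts[decision] += 1
        if decision == "send":
            sent += full_response_bytes
        elif decision == "slip":
            sent += SLIP_RESPONSE_BYTES
    return counts, sent


def attack_burst(n=20, start=100.0):
    """Constructed flood: n ANY queries for example.com with the spoofed
    source 198.51.100.7, all within one second."""
    return [(start + i * 0.04, "198.51.100.7", "example.com", "ANY") for i in range(n)]


if __name__ == "__main__":
    burst = attack_burst()
    counts, sent = simulate(burst, ResponseRateLimiter(responses_per_second=5, slip=2))
    unlimited = len(burst) * 3000
    print(f"decisions: {dict(counts)}")
    print(f"bytes toward victim: {sent} with RRL vs {unlimited} without")
```

With a 3000-byte ANY answer and a 20-query burst, the unlimited server would emit 60000 bytes toward the victim; the limiter sends five full answers plus seven truncated ones, about a quarter of that, and the ratio only improves as the burst grows because the credit floor stops further full answers until the attacker's traffic pauses.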