The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Denial of Service Attacks using Nameservers</h2>

Updated: Monday, January 15, 2001 (changed RFC 2267 to RFC 2827/BCP 38)<br/>
Date: Friday, April 28, 2000<p>
<p>
<h3>Overview</h3>
<p>
Intruders are using nameservers to execute packet flooding denial of
service attacks.
<p>
<h3>Description</h3>

We are receiving an increasing number of reports of intruders using
nameservers to execute packet flooding denial of service attacks. 
<p>
The most common method we have seen involves an intruder sending a
large number of UDP-based DNS requests to a nameserver using a spoofed
source IP address. Any nameserver response is sent back to the spoofed
IP address as the destination. In this scenario, the spoofed IP
address represents the victim of the denial of service attack. The
nameserver is an intermediate party in the attack. The true source of
the attack is difficult for an intermediate or a victim site to
determine due to the use of spoofed source addresses.
<p>
Because nameserver responses can be significantly larger than DNS
requests, there is potential for bandwidth amplification. In other
words, the responses may consume more bandwidth than the requests.  We
have seen intruders utilize multiple nameservers on diverse networks
in this type of an attack to achieve a distributed denial of service
attack against victim sites.
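<p>
To make the amplification concrete, the following added example (not code
from the CERT note) builds a DNS query in wire format and two responses a
nameserver might return for it: a referral from a server that is not
authoritative for the zone, and a REFUSED response from a server that
restricts queries by source. The names, the 192.0.2.x addresses and the
four-server referral are constructed; names are written in full without
compression pointers, so a real server's response would be somewhat smaller.

```python
"""Build a DNS query and two possible responses in wire format and measure
how much larger each response is than the query it answers.

Added example, not from the CERT note. Names, addresses and the
four-server referral below are constructed; no name compression is used."""
import struct

QUERY_ID = 0x1234           # constructed transaction ID
TYPE_A, TYPE_NS = 1, 2
CLASS_IN = 1


def encode_name(name):
    """Encode 'a.b.c' as DNS labels: length byte + label, ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if end is not None else offset)


def build_query(qname, qtype=TYPE_A, qid=QUERY_ID):
    """12-byte header (RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def question_section(query):
    """Return the question section of a single-question message."""
    _, end = decode_name(query, 12)
    return query[12:end + 4]


def build_referral_response(query, zone, servers):
    """What a non-recursive server sends when it is not authoritative: no
    answer, NS records for the zone in AUTHORITY, glue A records in
    ADDITIONAL. servers is a list of (hostname, dotted IPv4)."""
    qid = struct.unpack("!H", query[:2])[0]
    authority = b"".join(rr(zone, TYPE_NS, encode_name(host)) for host, _ in servers)
    additional = b"".join(rr(host, TYPE_A, bytes(int(o) for o in ip.split(".")))
                          for host, ip in servers)
    header = struct.pack("!HHHHHH", qid, 0x8100, 1, 0, len(servers), len(servers))
    return header + question_section(query) + authority + additional


def build_refused_response(query):
    """What a server that restricts queries by source sends: QR set,
    RCODE 5 (REFUSED), the question echoed, and nothing else."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8105, 1, 0, 0, 0)
    return header + question_section(query)


def parse_message(msg):
    """Walk a message and return its header fields and record list."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        records.append((name, rtype, rdlen))
    if offset != len(msg):
        raise ValueError("trailing bytes after last record")
    return {"id": qid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar, "records": records}


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return len(response) / len(query)


if __name__ == "__main__":
    q = build_query("resource.example.net")
    servers = [(f"ns{i}.example.net", f"192.0.2.{i}") for i in range(1, 5)]
    for label, resp in (("referral", build_referral_response(q, "example.net", servers)),
                        ("refused", build_refused_response(q))):
        info = parse_message(resp)
        print(f"{label}: query {len(q)} bytes, response {len(resp)} bytes, "
              f"rcode {info['rcode']}, factor {amplification_factor(q, resp):.1f}")
```

The 38-byte query draws a 322-byte referral (a factor of about 8.5) but
only a 38-byte REFUSED response (a factor of 1.0), which is the difference
between an open intermediary and one that restricts queries by source.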
<p>
In incidents we have seen as of the date of publication, the queries
are usually crafted to request the same valid DNS resource record from
multiple nameservers. The result is many nameservers receiving queries
for resource records in zones for which the nameserver is not
authoritative. The response of the nameserver depends on its
configuration.
<p>
<ul>
<li>If the target nameserver allows the query and is configured to be
    recursive or to provide referrals, the nameserver's response could
    contain significantly more data than the original DNS request,
    resulting in a higher degree of bandwidth amplification.</li>
<li>A target nameserver configured without restrictions on DNS query
    sources may not log malicious queries at all.</li>
<li>If the target nameserver is configured to restrict DNS queries by
    source, and the source IP address is not allowed to make queries,
    the nameserver's response will be a reject message with little to
    no bandwidth amplification. Also, the nameserver can log the
    malicious queries. An example syslog entry looks like this:
<pre>
    Apr 27 14:26:12 intermediary.example.com named[pid]: unapproved
    recursive query from [10.1.2.3].udp-port for resource.example.net
</pre>
    In this example, the IP address "10.1.2.3" represents the victim
    of the denial of service attack (the spoofed source address of the
    query), not the intruder. The name "intermediary.example.com"
    represents an intermediary nameserver used in the attack. The name
    "resource.example.net" represents the DNS resource record being
    queried in the DNS request. Some reports we have received indicate
    logging malicious DNS queries at a rate as high as 5 per second
    during an attack.</li>
</ul>
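<p>
An intermediary site that logs refused queries can recognize the pattern
described above: a burst of "unapproved ... query" entries for one name,
all apparently from one source address. The following added example (not
code from the CERT note) parses log lines in that format and flags any
apparent source whose peak one-second rate reaches the 5-per-second
figure cited above. The log lines are constructed, with a process ID and
source ports filled in where the note's example shows "[pid]" and
"udp-port". Keep in mind that the flagged address is the spoofed source,
that is, the victim; the useful responses are to confirm the query
restriction is holding and to notify the victim's site, not to block that
address.

```python
"""Flag the log pattern the CERT note describes: a burst of refused queries,
all for one name, all apparently from one source (the spoofed victim address).

Added example, not from the CERT note. The log lines are constructed in
BIND 8's format, with a PID and source port filled in where the note's
example shows "[pid]" and "udp-port"."""
import re
from collections import Counter, defaultdict

# Matches both "unapproved query from" and "unapproved recursive query from".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"unapproved (?:recursive )?query from "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\.(?P<port>\d+) for (?P<name>\S+)$"
)

# Constructed sample: six refusals in one second plus one more from 10.1.2.3,
# one unrelated refusal from another host, and one non-matching named line.
SAMPLE_LINES = [
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1024 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1025 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1026 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1027 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1028 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1029 for resource.example.net",
    "Apr 27 14:26:12 intermediary.example.com named[312]: unapproved query from [192.0.2.7].3201 for www.example.org",
    "Apr 27 14:26:13 intermediary.example.com named[312]: unapproved recursive query from [10.1.2.3].1030 for resource.example.net",
    "Apr 27 14:26:14 intermediary.example.com named[312]: listening on [192.0.2.53].53 (eth0)",
]


def parse_line(line):
    """Return the fields of an 'unapproved ... query' line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines, threshold=5):
    """Group refused queries by apparent source address. For each source
    whose peak one-second rate reaches threshold, return that peak, the
    total count and the names asked for (one name repeated over and over
    is the pattern the note describes)."""
    per_second = Counter()        # (ip, timestamp) -> refusals in that second
    names = defaultdict(Counter)  # ip -> queried name -> count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[(rec["ip"], rec["ts"])] += 1
        names[rec["ip"]][rec["name"]] += 1
    peak = Counter()
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return {
        ip: {"peak_per_second": peak[ip],
             "total": sum(names[ip].values()),
             "names": dict(names[ip])}
        for ip in peak if peak[ip] >= threshold
    }


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LINES).items():
        # ip is the spoofed source, i.e. the victim, not the attacker.
        print(f"{ip}: peak {info['peak_per_second']}/s, {info['total']} refused, "
              f"names {info['names']}")
```

Run against the constructed sample, only 10.1.2.3 is flagged (peak 6 per
second, 7 refusals, all for resource.example.net); the single refusal from
192.0.2.7 stays below the threshold.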
<p>
The intermediary nameserver may receive packets back from the victim
host. In particular, ICMP port unreachable packets may be returned
from the victim to the intermediary in response to an unexpected UDP
packet sent from the intermediary nameserver to the victim host.
<p>
<h3>Impact</h3>

Sites with nameservers used as intermediaries may experience
performance degradation and a denial of DNS service as a result of an
increase in DNS query traffic. It is also possible to experience
higher bandwidth consumption and a bandwidth denial of service
attack on the intermediary nameserver's network.
<p>
Victim sites may experience a bandwidth denial of service attack due
to a high volume of DNS response packets being forwarded by one or
more intermediary nameservers.

<h3>Solutions</h3>

AusCERT published an advisory in 1999 discussing denial of service
attacks that utilize DNS and nameservers. For more information about
the attack method, and for BIND 8 configuration strategies to mitigate
the effectiveness of attacks, see
<p>
<dl>
<dd><a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">
      AL-1999.004</a>, Denial of Service (DoS) attacks using the Domain Name System (DNS)</dd>
</dl>
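<p>
As an added illustration of the configuration distinction drawn in the
Description above (this fragment is not taken from the AusCERT advisory or
the CERT note), the BIND 8 named.conf excerpts below show an unrestricted
configuration beside one that limits who may query and recurse. The
network 192.0.2.0/24 and the zone example.com are placeholders.

```conf
// Unrestricted: allow-query and allow-recursion default to "any" when
// omitted, so a query with a spoofed source draws a full (possibly
// amplified) response toward the victim, and nothing is logged.
options {
    directory "/var/named";
};

// Restricted: only local clients may query or recurse. Queries from other
// sources get a short REFUSED response, and BIND 8 logs them as
// "unapproved query" / "unapproved recursive query" entries like the
// syslog example in the Description.
acl "local-nets" { 127.0.0.1; 192.0.2.0/24; };

options {
    directory "/var/named";
    allow-query     { "local-nets"; };
    allow-recursion { "local-nets"; };
};

// Zones this server is authoritative for must stay reachable from
// anywhere; the zone-level allow-query overrides the global default.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

Restricting queries keeps the server from being an effective amplifier
and gives it the log entries described above, but it still answers each
spoofed query with a REFUSED packet of roughly the query's size; only
ingress filtering at the spoofing source's network (RFC 2827/BCP 38, cited
below) removes the spoofed traffic itself.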
<p>
For information about using packet filtering to prevent denial of
service attacks based on IP source spoofing, see

<p>
<dl>
<dd><a href="ftp://ftp.isi.edu/in-notes/rfc2827.txt">
      RFC2827/BCP 38</a>, Defeating Denial of Service Attacks which employ
      IP Source Address Spoofing<br/></dd>
<dd><a href="http://www.cert.org/advisories/CA-96.21.tcp_syn_flooding.html">
      CA-96.21</a>, TCP SYN Flooding and IP Spoofing Attacks</dd>
</dl>
<b>Author</b>: Kevin Houle<br/>
<p>Copyright 2000 Carnegie Mellon University.</p>