There are many types of DNS (Domain Name System) attacks out there, but a recent one is the Amplification Attack. Before going into why an Amplification Attack is more complicated and a bigger threat, let’s first go over what DNS is. Domain Name System servers are servers which map domain names such as “google.com” to the IP address of the host server for that particular website.
When a user types “lintcenter.org” into a web browser, the browser asks a pool of DNS servers what the IP address for that name is. Only then can it ask that server for the appropriate web page. Think of the DNS servers as dictionaries, where each word (domain name) has a server’s IP as its definition. That dictionary can also hold more information, such as backup name servers, aliases, mail servers, etc.
An attacker can take advantage of how long it takes a server to compile a whole zone’s worth of definitions; in this respect DNS servers are just as vulnerable to DoS attacks as any other server. A Denial of Service (DoS) attack is a set of methods used to make a server unreachable. By far the most popular are Distributed DoS (DDoS) attacks, where multiple parties (or a single party controlling multiple vectors) attack a single victim.
One such DDoS attack targeting DNS servers is called an Amplification attack. It starts when an attacker asks multiple DNS servers for a zone’s worth of information while masquerading as the target DNS server, i.e. with the target’s address forged as the source of the request. The intermediary servers churn through the request and dump a large volume of data onto the target DNS server: a small forged request produces a far larger response, and that response is delivered to the spoofed address rather than back to the attacker, hence the term Amplification attack.
Those impacted by an Amplification attack are those who run a misconfigured DNS server. But detection isn’t as easy. “While it is not easy to identify authoritative name servers used in DNS reflection attacks, as the vulnerability is not caused by a misconfiguration, there are several freely available options for detecting open recursive resolvers. Several organizations offer free, web-based scanning tools that will search a network for vulnerable open DNS resolvers. These tools will scan entire network ranges and list the address of any identified open resolvers.”
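Besides scanning for open resolvers from the outside, an operator can look at their own resolver’s query log for the signature this article describes: repeated requests for large record sets, arriving from an address the resolver was never meant to serve, and carrying the source port of the spoofed victim’s DNS service. The script below is an added example and is not part of the original article or of any US-CERT tooling; the log lines are constructed for it and only loosely follow BIND’s query-log layout, the list of high-amplification record types, the default threshold of three queries and the source-port-53 heuristic are all assumptions, and `find_amplification_suspects` is a hypothetical helper name.

```python
"""Flag DNS clients that look like they are using this resolver as an amplifier.

Added example, not from the original article. The log lines below are
constructed for this example and only loosely follow BIND's query-log layout.
"""
import ipaddress
import re
from collections import defaultdict

# Record types whose answers are large relative to the small query that asks
# for them, so they are the usual choice for amplification traffic (assumed list).
HIGH_AMPLIFICATION_TYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Constructed sample: a resolver that should only serve 192.0.2.0/24 is being
# asked for ANY records, repeatedly, by an address outside that range. Because
# the source is spoofed, 198.51.100.7 is the victim here, not the attacker.
SAMPLE_LOG = """\
client 192.0.2.15#53211 (lintcenter.org): query: lintcenter.org IN A +
client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
client 198.51.100.7#53 (isc.org): query: isc.org IN ANY +E
client 192.0.2.15#53211 (google.com): query: google.com IN AAAA +
client 203.0.113.9#4120 (example.net): query: example.net IN MX +
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]+\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qtype": m.group("qtype").upper(),
    }


def find_amplification_suspects(log_text, allowed_nets, threshold=3):
    """Return {client_ip: [reasons]} for clients matching reflection patterns.

    allowed_nets: CIDR strings this resolver is meant to recurse for.
    threshold:    number of high-amplification queries from one source that
                  counts as suspicious (an assumed, tunable value).
    A client is reported only if it is outside allowed_nets AND shows at
    least one further indicator, so ordinary stray lookups are not flagged.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    per_client = defaultdict(lambda: {"total": 0, "big": 0, "port53": 0})

    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            continue
        stats = per_client[q["ip"]]
        stats["total"] += 1
        if q["qtype"] in HIGH_AMPLIFICATION_TYPES:
            stats["big"] += 1
        if q["port"] == 53:
            stats["port53"] += 1

    findings = {}
    for ip, stats in per_client.items():
        reasons = []
        outside = not any(ipaddress.ip_address(ip) in n for n in nets)
        if outside:
            reasons.append("client outside allowed recursion range")
        if stats["big"] >= threshold:
            reasons.append(f"{stats['big']} high-amplification queries")
        # Real resolvers use random source ports; a source port of 53 on every
        # query is what a request forged to hit a victim's DNS service looks like.
        if stats["total"] > 1 and stats["port53"] == stats["total"]:
            reasons.append("all queries sent from source port 53")
        if outside and len(reasons) > 1:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in find_amplification_suspects(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(ip, "->", "; ".join(why))
```

Run against the sample, the script reports only 198.51.100.7, with all three indicators; the address in the report is the one being attacked, so the operator’s fix is to restrict recursion and rate-limit responses rather than to block that address alone.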
It’s not impossible to repair a server once it is found to have been exploited, but it is time consuming. US-CERT has offered several open source and free options, along with instructions on how to prevent and fix this type of attack.
This article was originally published in the Lint Center.