CERT-SEI

Denial of Service Attacks using Nameservers

Updated: Monday, January 15, 2001 (changed RFC 2267 to RFC 2827/BCP 38)
Date: Friday, April 28, 2000

Overview

Intruders are using nameservers to execute packet flooding denial of service attacks.

Description

We are receiving an increasing number of reports of intruders using nameservers to execute packet flooding denial of service attacks.

The most common method we have seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.

Because nameserver responses can be significantly larger than DNS requests, there is potential for bandwidth amplification. In other words, the responses may consume more bandwidth than the requests. We have seen intruders utilize multiple nameservers on diverse networks in this type of an attack to achieve a distributed denial of service attack against victim sites.

In incidents we have seen as of the date of publication, the queries are usually crafted to request the same valid DNS resource record from multiple nameservers. The result is many nameservers receiving queries for resources records in zones for which the nameserver is not authoritative. The response of the nameserver depends on it's configuration.

  • If the target nameserver allows the query and is configured to be recursive or to provide referrals, the nameserver's response could contain significantly more data than the original DNS request, resulting in a higher degree of bandwidth amplification.
  • A target nameserver configured without restrictions on DNS query sources may not log malicious queries at all.
  • If the target nameserver is configured to restrict DNS queries by source, and the source IP address is not allowed to make queries, the nameserver's response will be a reject message with little to no bandwidth amplification. Also, the nameserver can log the malicious queries. An example syslog entry looks like this:
        Apr 27 14:26:12 intermediary.example.com named[pid]: unapproved
        recursive query from [10.1.2.3].udp-port for resource.example.net
    
    In this example, the IP address "10.1.2.3" represents the victim of the denial of service attack. The name "intermediary.example.com" represents an intermediary nameserver used in the attack. The name "resource.example.net" represents the DNS resource record being queried in the DNS request. Some reports we have received indicate logging malicious DNS queries at a rate as high as 5 per second during an attack.

The intermediary nameserver may receive packets back from the victim host. In particular, ICMP port unreachable packets may be returned from the victim to the intermediary in response to an unexpected UDP packet sent from the intermediary nameserver to the victim host.

Impact

Sites with nameservers used as intermediaries may experience performance degradation and a denial of DNS service as a result of an increase in DNS query traffic. It is also possible to experience higher bandwidth consumption and a bandwidth denial of service attack on the intermediary nameserver's network.

Victim sites may experience a bandwidth denial of service attack due to a high volume of DNS response packets being forwarded by one or more intermediary nameservers.

Solutions

AusCERT published an advisory in 1999 discussing denial of service attacks that utilize DNS and nameservers. For more information about the attack method, and for BIND 8 configuration strategies to mitigate the effectiveness of attacks, see
AL-1999.004, Denial of Service (DoS) attacks using the Domain Name System (DNS)

For information about using packet filtering to prevent denial of service attacks based on IP source spoofing, see

RFC2827/BCP 38, Defeating Denial of Service Attacks which employ IP Source Address Spoofing
CA-96.21, TCP SYN Flooding and IP Spoofing Attacks
Author: Kevin Houle

Copyright 2000 Carnegie Mellon University.