Updated: Monday, January 15, 2001 (changed RFC 2267 to RFC 2827/BCP 38)
Date: Friday, April 28, 2000
Intruders are using nameservers to execute packet flooding denial of service attacks.
We are receiving an increasing number of reports of intruders using nameservers to execute packet flooding denial of service attacks.
The most common method we have seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.
Because nameserver responses can be significantly larger than DNS requests, there is potential for bandwidth amplification. In other words, the responses may consume more bandwidth than the requests. We have seen intruders utilize multiple nameservers on diverse networks in this type of an attack to achieve a distributed denial of service attack against victim sites.
In incidents we have seen as of the date of publication, the queries are usually crafted to request the same valid DNS resource record from multiple nameservers. The result is many nameservers receiving queries for resource records in zones for which the nameserver is not authoritative. The response of the nameserver depends on its configuration.
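As an added example (not part of the original note), the following Python check scans constructed nameserver query records for the pattern described above: one client address repeating the same query for a record outside the server's own zones while receiving responses much larger than the requests. In the attack described, that client address is the spoofed victim rather than the true source, so the output identifies traffic to rate-limit and a victim to notify, not an attacker. Zone names, addresses and byte counts are constructed sample values.

```python
from collections import defaultdict

# Hypothetical zones this nameserver is authoritative for (assumption).
AUTHORITATIVE_ZONES = ("example.net.",)

# Constructed sample of query/response records as a nameserver might log them:
# (client_ip, qname, qtype, request_bytes, response_bytes).
SAMPLE_RECORDS = [
    ("192.0.2.10", "www.example.net.", "A", 34, 50),      # ordinary query for our own zone
    ("198.51.100.7", "mail.example.org.", "MX", 35, 120),  # one-off recursive lookup
    ("203.0.113.5", "www.example.com.", "ANY", 33, 396),   # repeated identical query ...
    ("203.0.113.5", "www.example.com.", "ANY", 33, 396),   # ... for a zone we do not serve:
    ("203.0.113.5", "www.example.com.", "ANY", 33, 396),   # 203.0.113.5 is most likely the
    ("203.0.113.5", "www.example.com.", "ANY", 33, 396),   # spoofed (victim) address
]


def is_authoritative(qname):
    """True if qname falls inside a zone this server is authoritative for."""
    return any(qname == z or qname.endswith("." + z) for z in AUTHORITATIVE_ZONES)


def find_amplification_abuse(records, min_repeats=3, min_ratio=3.0):
    """Flag client addresses whose repeated identical queries for records
    outside our zones produce responses much larger than the requests.
    Returns {client_ip: {"queries": n, "amplification": ratio, "qname": name}}.
    """
    per_client = defaultdict(lambda: defaultdict(lambda: {"n": 0, "req": 0, "resp": 0}))
    for client, qname, qtype, req_bytes, resp_bytes in records:
        if is_authoritative(qname):
            continue  # answering for our own zones is expected behaviour
        bucket = per_client[client][(qname, qtype)]
        bucket["n"] += 1
        bucket["req"] += req_bytes
        bucket["resp"] += resp_bytes

    flagged = {}
    for client, by_query in per_client.items():
        for (qname, qtype), b in by_query.items():
            ratio = b["resp"] / b["req"]  # bytes sent to the client per byte received
            if b["n"] >= min_repeats and ratio >= min_ratio:
                flagged[client] = {"queries": b["n"], "amplification": round(ratio, 1), "qname": qname}
    return flagged


if __name__ == "__main__":
    for ip, info in find_amplification_abuse(SAMPLE_RECORDS).items():
        print(f"{ip}: {info['queries']}x {info['qname']} (~{info['amplification']}x amplification)")
```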
The intermediary nameserver may receive packets back from the victim host. In particular, ICMP port unreachable packets may be returned from the victim to the intermediary in response to an unexpected UDP packet sent from the intermediary nameserver to the victim host.
Sites with nameservers used as intermediaries may experience performance degradation and a denial of DNS service as a result of an increase in DNS query traffic. It is also possible to experience higher bandwidth consumption and a bandwidth denial of service attack on the intermediary nameserver's network.
Victim sites may experience a bandwidth denial of service attack due to a high volume of DNS response packets being forwarded by one or more intermediary nameservers.
AusCERT published an advisory in 1999 discussing denial of service attacks that utilize DNS and nameservers. For more information about the attack method, and for BIND 8 configuration strategies to mitigate the effectiveness of attacks, see
- AL-1999.004, Denial of Service (DoS) attacks using the Domain Name System (DNS)
For information about using packet filtering to prevent denial of service attacks based on IP source spoofing, see
- RFC 2827/BCP 38, Defeating Denial of Service Attacks which employ IP Source Address Spoofing
- CA-96.21, TCP SYN Flooding and IP Spoofing Attacks
Author: Kevin Houle
Copyright 2000 Carnegie Mellon University.