CERT
 
Publications Catalog Historical Documents Authorized Users of "CERT" US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy Courses Link to US-CERT cylab
 

CERT® Incident Note IN-2000-04

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

Denial of Service Attacks using Nameservers

Updated: Monday, January 15, 2001 (changed RFC 2267 to RFC 2827/BCP 38)
Date: Friday, April 28, 2000

Overview

Intruders are using nameservers to execute packet flooding denial of service attacks.

Description

We are receiving an increasing number of reports of intruders using nameservers to execute packet flooding denial of service attacks.

The most common method we have seen involves an intruder sending a large number of UDP-based DNS requests to a nameserver using a spoofed source IP address. Any nameserver response is sent back to the spoofed IP address as the destination. In this scenario, the spoofed IP address represents the victim of the denial of service attack. The nameserver is an intermediate party in the attack. The true source of the attack is difficult for an intermediate or a victim site to determine due to the use of spoofed source addresses.

Because nameserver responses can be significantly larger than DNS requests, there is potential for bandwidth amplification. In other words, the responses may consume more bandwidth than the requests. We have seen intruders utilize multiple nameservers on diverse networks in this type of an attack to achieve a distributed denial of service attack against victim sites.

In incidents we have seen as of the date of publication, the queries are usually crafted to request the same valid DNS resource record from multiple nameservers. The result is many nameservers receiving queries for resources records in zones for which the nameserver is not authoritative. The response of the nameserver depends on it's configuration.

  • If the target nameserver allows the query and is configured to be recursive or to provide referrals, the nameserver's response could contain significantly more data than the original DNS request, resulting in a higher degree of bandwidth amplification.

  • A target nameserver configured without restrictions on DNS query sources may not log malicious queries at all.

  • If the target nameserver is configured to restrict DNS queries by source, and the source IP address is not allowed to make queries, the nameserver's response will be a reject message with little to no bandwidth amplification. Also, the nameserver can log the malicious queries. An example syslog entry looks like this: 
        Apr 27 14:26:12 intermediary.example.com named[pid]: unapproved
    recursive query from [10.1.2.3].udp-port for resource.example.net
    In this example, the IP address "10.1.2.3" represents the victim of the denial of service attack. The name "intermediary.example.com" represents an intermediary nameserver used in the attack. The name "resource.example.net" represents the DNS resource record being queried in the DNS request. Some reports we have received indicate logging malicious DNS queries at a rate as high as 5 per second during an attack.

The intermediary nameserver may receive packets back from the victim host. In particular, ICMP port unreachable packets may be returned from the victim to the intermediary in response to an unexpected UDP packet sent from the intermediary nameserver to the victim host.

Impact

Sites with nameservers used as intermediaries may experience performance degradation and a denial of DNS service as a result of an increase in DNS query traffic. It is also possible to experience higher bandwidth consumption and a bandwidth denial of service attack on the intermediary nameserver's network.

Victim sites may experience a bandwidth denial of service attack due to a high volume of DNS response packets being forwarded by one or more intermediary nameservers.

Solutions

AusCERT published an advisory in 1999 discussing denial of service attacks that utilize DNS and nameservers. For more information about the attack method, and for BIND 8 configuration strategies to mitigate the effectiveness of attacks, see

AL-1999.004, Denial of Service (DoS) attacks using the Domain Name System (DNS)

For information about using packet filtering to prevent denial of service attacks based on IP source spoofing, see

RFC2827/BCP 38, Defeating Denial of Service Attacks which employ IP Source Address Spoofing
CA-96.21, TCP SYN Flooding and IP Spoofing Attacks
Author: Kevin Houle
This document is available from: http://www.cert.org/incident_notes/IN-2000-04.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.