Doing more to protect your DNS from DDoS

Cyber Chief Magazine brings you the tactics to uncover and neutralize the insider threat

According to a recent Arbor Networks report on infrastructure security, the number of DDoS attacks on enterprise DNS servers is on the rise but, despite this, many businesses aren’t taking the steps necessary to protect this vital part of their IT infrastructure. Indeed, while an increasing number of companies experienced customer-impacting DDoS attacks on their DNS servers last year, few businesses admitted to taking formal responsibility for DNS security somewhere within their organization.

Additionally, Cisco’s 2014 Annual Security Report reveals how its threat intelligence experts found evidence of corporate networks being misused or compromised in every single case they examined during a recent project on DNS lookups.

It’s clear then that DNS-based DDoS attacks are a growing threat, and one that’s being neglected by businesses when DNS security should really be seen as a priority because of the increasing risks. But how exactly do these attacks work? And what can businesses do to protect against them?

Massive attack
It’s surprisingly simple to generate a DDoS attacks using an enterprise’s DNS infrastructure. Rather than using their own IP address, attackers send queries to name servers across the internet from a spoofed IP address of their target, and the name servers, in turn, then send back responses.

If these responses were around the same size as the queries themselves, this course of action in itself wouldn’t be sufficient to wreak the desired havoc on the target. What’s required is amplification of each of these queries so that they generate a very large response which, since the adoption of DNS security extensions (DNSSEC) and their inherent cryptographic keys and digital signatures, has become increasingly more common.

A query of just 44 bytes, for example, sent from a spoofed IP address to a domain that contains DNSSEC records, could return a response of over 4,000 bytes. With a 1Mbps internet connection, an attacker could send in the region of 2,840 44-byte queries per second which would result in replies to the magnitude of 93Mbps being returned to the target server. And, by using a botnet of thousands of computers, the attacker could quickly recruit 10 fellow comrades and deliver 1Gbps of replies to begin incapacitating their target.
Most name servers can be modified to recognize that they’re repeatedly being queried for the same data from the same IP address. Open recursive servers however, of which there are estimated to be around 33 million around the world, will accept the same query from the same spoofed IP address again and again, each time sending back responses such as the DNSSEC examples mentioned above.

Recognition and prevention
So what steps can companies take to combat such attacks?

Perhaps most important is learning to recognize when an attack is taking place. Many organizations don’t know what their query load is, so aren’t even aware of when they’re under attack. By using the statistics support built into the DNS software BIND, administrators can analyze their data for query rates, socket errors and other attack indicators. Even if it’s not clear exactly what an attack looks like, monitoring DNS statistics will establish a baseline from which trends and anomalies can quickly be identified.

An organization’s internet-facing infrastructure should also be scrutinized for single points of failure not only in external authoritative name servers, but also in switch and router interactions, firewalls, and connections to the Internet. Once identified, the business should then consider whether these vulnerabilities can be effectively eliminated.

External authoritative name servers should be broadly geographically distributed wherever possible which will not only help to avoid single points of failure, but will also provide the added advantage of improving response time performance for their closest customers.

And, in the face of the huge number of responses resulting from a DDoS attack, it’s worth considering overproviding existing infrastructure, a process that is both inexpensive and easy to trial prior to an incident.
Cloud-based DNS providers run name servers of their own in data centers around the world. These can be configured as secondaries for an organization’s own, with data loaded from a master name server designated and managed in-house. It’s worth noting, though, that most of these providers bill for the number of queries received, which will of course increase significantly during a DNS attack.

Unwitting accomplices
As well as configuring their DNS infrastructures to resist DDoS attacks, organizations should also ensure they don’t become unwitting accomplices in DDoS attacks against others.

Unless the company is one of the very few that runs an open recursive name server, it can limit DNS queries to those IP addresses on its internal networks, thereby making sure that only authorized users have access to its recursive name servers.

And for those that run authoritative name servers, Response Rate Limiting (RRL), incorporated into BIND name servers, makes it difficult for attackers to amplify queries, stopping responses being sent to a single IP address at any rate higher than a pre-programmed threshold.

By understanding how DDoS attacks exploit DNS servers, and recognizing the signs, organizations can take measures to lower the threat on their own infrastructure, and avoid becoming complicit in attacks on others.